CFOtech Australia - Technology news for CFOs & financial decision-makers

Kmart found to have breached privacy with facial recognition use

Tue, 21st Oct 2025

The Australian privacy commissioner has found that Kmart's deployment of facial recognition technology in its stores breached the country's privacy laws by collecting the biometric information of customers without their informed consent.

An investigation determined that, over a two-year period ending in July 2022, Kmart operated facial recognition systems in 28 stores, capturing the facial images of tens or potentially hundreds of thousands of individuals as they passed through store entrances and visited returns counters. The stated aim was to address refund fraud. However, the commissioner concluded that collecting biometric data from every person entering a store was disproportionate to that aim and failed to meet the Privacy Act's requirements for consent and transparency.

Commissioner's findings

The privacy commissioner's findings against Kmart mark the second such decision against a retailer in under a year, following a similar outcome for Bunnings in October 2024. Both companies had implemented facial recognition technology, but did not adhere to the necessary privacy obligations.

Emily Booth, Special Counsel at Holding Redlich, outlined the key aspects of the decision, explaining:

"Kmart did not have adequate consent from visitors to collect their personal and sensitive information, including biometric facial images, without the required consent, and no applicable exception to the collection and use of the information applied under the Privacy Act," she said.
"Kmart failed to take reasonable steps to notify visitors or ensure they were aware of the matters required to be notified under Australian Privacy Principle (APP) 5 including because they did not display notices at all stores throughout the relevant period and the notices they did display were considered insufficient. Kmart's privacy policies did not include information about the types of personal information being collected, how it was collected and held, which is a requirement under APP 1."

Guidance for retailers

The commissioner's decision is seen as setting out clear expectations for retailers considering the use of facial recognition or similar technologies on their premises. According to Booth, companies are now being urged to rigorously assess privacy risks, improve notification methods, and clarify privacy policies and consent mechanisms before adopting such systems.

Booth noted that Kmart's approach was regarded as insufficient in several respects:

  • Kmart displayed a sign at the entrance of some stores stating: 'This store has 24-hour CCTV coverage, which includes facial recognition technology', but the commissioner found this disclosure did not adequately inform individuals about the purpose of the technology or the nature and consequences of the data being collected.
  • The privacy policy did not include all required information about the collection and use of personal information, including how individuals could access or correct the data held about them.
  • Collection notices were not displayed consistently or prominently during the entire operation of the facial recognition system.
  • Kmart did not obtain individuals' consent for the collection of sensitive biometric data.

Booth summarised further guidance from the decision:

"The Commissioner's decision provides valuable guidance for retailers using FRT or other equivalent technologies on their premises, including:
  • Assess potential privacy risks - in this case, the large number of individuals affected, the sensitivity of the information, the company's size and resources, the relative novelty of the technology and the practical ability to engage with visitors at entry and the returns counter all weighed in favour of Kmart needing to notify individuals more prominently under APP 5.2.
  • Store entry notices are not sufficient on their own - although Kmart displayed a sign stating: 'This store has 24-hour CCTV coverage, which includes facial recognition technology', at the entrance of some stores, the Commissioner found this alone was not sufficient and the retailer should have also alerted visitors to the following: the purpose of collecting individuals' personal information, which was to detect and prevent fraudulent refunds; the consequences for an individual if all or some of their personal information was not collected, for example if they did not want their information to be collected, they would have to refrain from entering the store; and that Kmart's privacy policy contained information about how individuals could access the personal information held about them and request corrections where necessary.
  • Collection notices should be displayed appropriately - notices should be displayed throughout the relevant period, in a prominent and accessible format, and provide clear directions to more detailed information about its use of any FRT system.
  • Obtain consent when collecting sensitive information - this case shows that retailers must ensure individuals provide consent by implementing measures like the above before using technology like FRT to collect biometric information.
  • Be transparent - retailers must clearly disclose the types of personal information they collect and hold, as required by APP 1.4(a). The Commissioner noted that although Kmart updated its privacy policy to specify some of the personal information collected by the FRT system, it did not inform individuals that the collection would generate additional information, such as metadata, which constitutes an individual's biometric information and is therefore sensitive data."

Lawful activity and consent

Kmart had argued that its use of facial recognition was justified as reasonably necessary to prevent and address misconduct of a serious nature, such as refund fraud. The commissioner, however, was not persuaded that such an exemption applied in these circumstances.

Booth explained the commissioner's conclusion:

"The Commissioner accepted the evidence provided by Kmart's former Head of Central Operations, who at the time of adopting the FRT system believed it was necessary to take appropriate action to address refund fraud. However, to be reasonably necessary: the FRT system needed to suitably address the prevention and detection of refund fraud."
"At best, the Commissioner found that it only partially addressed these aims. There needed to be no effective alternatives available that were less privacy-intrusive, or that such alternatives were considered ineffective or not viable in project planning documents or a privacy impact assessment. The use of the FRT system needed to be proportionate, which involves balancing the privacy impacts of collecting sensitive information against the benefits gained from using the FRT system. In Kmart's case, the privacy impacts were considered significant given the system captured and processed the facial images of every individual who entered a relevant store during the relevant period, and the images were sensitive information. The potential harms from the use of FRT were also considered significant, and included the risk of commercial surveillance, discrimination, unlawful and arbitrary arrest and inequality before the law."

Ongoing implications

Following the commissioner's findings in the Kmart and Bunnings cases, retailers assessing technology to combat fraud or improve security are now expected to weigh privacy considerations explicitly before deployment. The balance between security objectives and customer privacy, and the adequacy of the consent and transparency mechanisms that accompany any such system, remain under close scrutiny by regulators.

Booth concluded:

"With growing media attention on retail fraud, the case for FRT may be gaining traction. If Kmart or other retailers seek to reintroduce FRT, these recent decisions provide helpful guidance on how to balance privacy risks while complying with the Privacy Act."