09/18/2025 | Press release | Distributed by Public on 09/17/2025 17:20
Published: 18 September 2025
Privacy Commissioner Carly Kind has found that Kmart Australia Limited (Kmart) breached Australians' privacy by collecting their personal and sensitive information through a facial recognition technology (FRT) system designed to tackle refund fraud.
Between June 2020 and July 2022, Kmart deployed FRT to capture the faces of every person who entered 28 of its retail stores, and all individuals who presented at a returns counter, in an attempt to identify people committing refund fraud.
In a determination published today, the Privacy Commissioner found that Kmart did not notify shoppers or seek their consent to use FRT to collect their biometric information, which is sensitive personal information and enjoys higher protections under the Privacy Act.
The retailer argued that it was not required to obtain consent because of an exemption in the Privacy Act that applies when organisations reasonably believe that they need to collect personal information to tackle unlawful activity or serious misconduct. The Privacy Commissioner's determination focused on assessing whether Kmart met the conditions for relying on the exemption, and concluded:
"Understanding how FRT accords with the protections contained in Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other. Relevant to a technology like facial recognition, is also the public interest in protecting privacy," the Privacy Commissioner said.
Relevant factors considered by the Commissioner included the estimated value of fraudulent returns against the respondent's total operations and profits, the limited effectiveness of the FRT system, and the extent of the privacy impacts in collecting the sensitive information of every individual who entered the relevant stores.
"I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals' privacy," the Commissioner stated.
The determination is the second issued by the Office of the Australian Information Commissioner (OAIC) on the use of FRT in retail settings. In October 2024, the Privacy Commissioner found that Bunnings Group Limited had contravened Australians' privacy through its use of FRT in 62 of its retail stores across Australia. That decision is currently under review by the Administrative Review Tribunal.
"These two decisions do not impose a ban on the use of FRT. The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act," she stated.
The Commissioner's determination is instructive for entities that are considering new technologies such as FRT. Privacy considerations should be a key feature. The OAIC has also published guidance on its website: Facial recognition technology: a guide to assessing the privacy risks.
Kmart has been under investigation by the OAIC since July 2022, at which time it ceased operating the FRT system. It has cooperated with the OAIC throughout the investigation.
Although the Privacy Commissioner reached a similar conclusion in the Kmart and Bunnings decisions, the cases differ considerably and focus on different uses of FRT.
The Privacy Act is technology-neutral and does not proscribe the use of any particular technology. When considering the roll-out and use of new technologies such as FRT, the OAIC's guidance encourages entities to consider factors such as proportionality, transparency, the risk of bias and discrimination, and governance for the collection, use and retention of sensitive personal information.
Commissioner Kind has published a blog post with further takeaways for other retailers considering using FRT.