Kmart’s Use of Facial Recognition Deemed Unlawful by Privacy Commissioner

Published: 18 September 2025
Source: Office of the Australian Information Commissioner (OAIC)

---

Summary

The Privacy Commissioner Carly Kind found Kmart Australia Limited (Kmart) breached privacy laws by using facial recognition technology (FRT) without proper consent to tackle refund fraud in its stores.

Key Findings

- Unconsented Data Collection: From June 2020 to July 2022, Kmart used FRT in 28 stores to capture facial biometric data from all customers entering stores and those at return counters without notifying them or seeking consent.
- Biometric Data is Sensitive: Facial biometric data is classified as sensitive personal information under the Privacy Act, requiring higher protection and explicit consent for collection.
- Kmart’s Defense: Kmart claimed exemption from consent requirements, invoking a Privacy Act provision allowing personal information collection without consent if done reasonably to address unlawful activities or serious misconduct.
- Commissioner’s Conclusion:
  - The scheme indiscriminately captured sensitive biometric information of all store visitors, affecting many non-suspects.
  - Less privacy-intrusive alternatives were available.
  - The FRT system had limited effectiveness in preventing fraud.
  - The collection was a disproportionate interference with individual privacy.
- Balance of Interests: The Commissioner balanced privacy rights against business interests and public safety, concluding Kmart's belief in the necessity of the FRT system was not reasonable.

Broader Context

This is the second OAIC ruling against FRT use in Australian retail, following a similar 2024 finding against Bunnings Group Limited, which is under review.

The decisions do not ban FRT outright but emphasize that privacy compliance remains mandatory despite legitimate business goals like fraud prevention.

OAIC guidance urges organizations considering FRT to account for:

- Proportionality of measures
- Transparency with customers
- Risks of bias and discrimination
- Strong governance around sensitive data

Additional Information

- Kmart ceased the FRT system in July 2022 and cooperated fully during the OAIC investigation.
- Privacy Commissioner Carly Kind has published a blog with further insights for retailers.
- OAIC offers a guide on assessing privacy risks of facial recognition technology: Facial recognition technology: a guide to assessing the privacy risks
- The determination can be viewed on AustLii: OAIC Decision on Kmart

---

Main Takeaways for Businesses

- Use of facial recognition must comply with the Privacy Act, especially obtaining consent for biometric data collection.
- Reliance on exemptions is narrow and requires strong justification and reasonableness.
- Transparency and privacy impact assessments should guide technology deployments.
- Protect individuals’ rights and balance them carefully against intended business benefits.