Kmart has been found to have violated privacy laws by using facial recognition technology (FRT) on its customers, according to a recent ruling by the Privacy Commissioner. The investigation revealed that over a two-year period leading up to July 2022, Kmart collected facial data from "tens or hundreds of thousands" of customers at store entrances and return counters. This was part of an effort to combat refund fraud.

Facial recognition technology works by mapping a person's unique facial features and comparing them to a database of known faces. While many retailers and public venues claim that FRT can help identify repeat offenders and prevent crime, the Privacy Commissioner, Carly Kind, concluded that Kmart's implementation of this technology was excessive and lacked proper consent from customers.

"The sensitive information of every customer who entered a relevant store was indiscriminately collected by the FRT system," Commissioner Kind stated. Kmart's pilot program began in mid-2020 and expanded to 28 stores across all Australian states and territories, except for the Northern Territory and Tasmania. The program aimed to cross-check customer facial data against a database of individuals suspected of refund fraud.

In its defense, Kmart argued that it was not required to obtain consent due to an exemption in the Privacy Act, which allows organizations to collect personal information to address unlawful activities. However, Commissioner Kind rejected this argument, asserting that Kmart could have employed more effective and proportionate security measures instead of relying on FRT, which she deemed only "partially suitable" for fraud prevention.

"The number of fraudulent incidents detected and the value of fraud prevented was small," she noted, adding that the impact on Kmart's annual revenue of $9.2 billion in the 2020 financial year was minimal. Commissioner Kind emphasized that the potential harms associated with FRT, such as commercial surveillance, discrimination, and the risk of unlawful or arbitrary arrest, were significant.

As a result of the findings, Kmart has been ordered to cease the use of FRT and must publish a statement on its website within 30 days detailing its use of the technology and the regulator's conclusions.

FRT is not banned in Australian stores. This ruling is the second time in less than a year that the Privacy Commissioner has found an Australian retailer in violation of privacy laws over its use of FRT. In October 2024, Bunnings was also found to have breached the Privacy Act by using FRT in 62 stores, although the circumstances of Kmart's case were described as different.

Commissioner Kind clarified that these decisions do not prohibit the use of FRT altogether. "Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might consider when deploying new technologies," she said. However, she emphasized that these reasons do not exempt businesses from complying with the Privacy Act.

Kmart ceased its use of FRT when the investigation commenced in July 2022 and has cooperated with the inquiry. The parent company of Kmart, Wesfarmers, has been approached for comment.