
Today the Office of the Australian Information Commissioner found retail giant Kmart breached Australians’ privacy.
The company had collected personal and sensitive information through a facial recognition technology system designed to tackle refund fraud – where people try to obtain refunds to which they are not entitled, for example by returning stolen goods.
Between June 2020 and July 2022, Kmart used the system to capture the faces of every person who entered 28 of its retail stores, as well as people who presented at a returns counter.
Kmart’s response
In a statement to the ABC, a Kmart spokesperson said the company was disappointed with the decision and considering an appeal.
Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers.
The spokesperson also said images were only retained
if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud. All other images were deleted, and the data was never used for marketing or any other purposes.
A disproportionate application of facial recognition tech
Kmart argued the fact they were attempting to prevent refund fraud meant the consent of the people whose faces they captured was not required.
However, Privacy Commissioner Carly Kind concluded that the use of facial recognition technology to prevent fraud is out of proportion, for several reasons.
First, there are other, less privacy-intrusive methods available to Kmart to address refund fraud. (For example, it could instruct staff to check documents more thoroughly.)
Second, the system was not very useful in preventing fraud. The amount of fraud detected was insignificant, and disproportionate when weighed against the serious privacy risks posed by the collection and management of facial information.
Third, every individual (customer) who entered the store was included in the facial recognition database, regardless of their intent and without their consent.
For these reasons, and as the system affected the privacy of many thousands of individuals not suspected of refund fraud, the collection of biometric information was a disproportionate interference with privacy.
A lack of transparency
Under the Privacy Act, the collection and use of personal information must be both proportionate and transparent. Like the proportionality requirement, the transparency requirement was not satisfied in this case. Customers were neither made aware of the process nor asked for their consent for their facial information to be collected.
Consent is one of the cornerstones in information collection. The Privacy Act provides a limited definition of consent that includes two types of consent: express and implied. Given its unique and sensitive nature, facial information should only be collected under conditions of express consent.
Express consent is when an individual, fully informed, voluntarily and explicitly, agrees to the collection of their information. The agreement may be given in writing, verbally, or through a clear affirmative action.
Simply walking into a store where you usually buy groceries and goods cannot be considered as giving consent.
Appeals to safety
As surveillance technologies expand, the collection of facial information is becoming increasingly normalised in daily life. It is often promoted through carefully crafted nudges such as claims that it is “for safety” or “to prevent fraud”.
My research for my PhD (not yet published, though some preliminary results are available here) has found these nudges change our perception of the ever-increasing presence of facial recognition technology in our lives.
We come to consider security cameras with embedded facial recognition technology to be a norm, rather than interference with our lives. And the justification of “safety” makes it sound reasonable.
The limits of facial recognition
However, the determination against Kmart shows these justifications are weak against thorough tests of reasonability and proportionality.
Facial recognition technology does little to protect against real risks. Only a human security guard can stop an aggressive customer, for example. And as the commissioner noted in the Kmart case, the technology may not actually prevent much fraud.
This raises an important consideration for anyone planning to use facial recognition technology for security.
Facial information is unique and valuable. The use of facial recognition technology should be carefully crafted and adjusted.
Less privacy-intrusive measures must be considered first. This will ensure the protection of the privacy rights of individuals – and a balanced approach for society as a whole.
This article is republished from The Conversation, a nonprofit, independent news organization bringing you facts and trustworthy analysis to help you make sense of our complex world. It was written by: Margarita Vladimirova, Deakin University
Margarita Vladimirova worked at the OAIC from February to June 2025.