Kmart Australia's use of facial recognition breached privacy

Kmart Australia breached the privacy of potentially “hundreds of thousands” of individuals when it used a facial recognition technology system to detect refund fraud over a two-year period.

The Office of the Australian Information Commissioner (OAIC) has ruled [pdf] that Kmart “indiscriminately” collected personal and “sensitive biometric information” of everyone entering one of the 28 stores where the technology was used between June 2020 and July 2022.

The Wesfarmers-owned retailer has now been ordered to apologise and to display the apology “in a prominent position” on its website.

A Wesfarmers spokesperson said Kmart "is disappointed" with the ruling and is "reviewing its options to appeal."

Limited trial

Kmart began what it described as a “pilot program” using a third-party system from June 20 2020, which was live until the OAIC initiated an investigation on July 15, 2022.

According to Kmart, the technology was used to detect and prevent fraudulent activity and to help identify persons of interest, including individuals with a history of theft or refund fraud, some of whom had exhibited violent or threatening behaviour toward staff and customers.

OAIC’s ruling outlined how the system used video feeds from CCTV cameras to capture, in real time, the facial images of all individuals who entered a relevant store and all individuals who presented at the returns service desk.

The software generated five-to-six images from the CCTV footage of every individual at the point of entry to a store and at the returns desk.

The best quality images were used to create a digital representation, which was compared against a historical database of people suspected of engaging in refund fraud. Staff members could refuse refunds when they suspected an issue.

A Wesfarmers spokesperson said that "images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud."

"All other images were deleted, and the data was never used for marketing or any other purposes."     

More privacy-preserving options exist

Although the system was effective for a subset of fraud detection, the OAIC argued there were “other less privacy intrusive methods” Kmart could have deployed to combat the problem.

“I do not consider that [Kmart] could have reasonably believed that the benefits of the system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Commissioner Carly Kind said in a statement.

“The system may have been an effective and convenient tool available to the respondent to detect and prevent refund fraud.

“In my view, this was not of itself sufficient to induce a reasonable belief that collecting the sensitive information of every individual that entered the store ... was necessary."

Without being able to use the facial recognition system, Wesfarmers said that refund-related incidents have since spiked.

"From August 2024 to March 2025 alone, refund-related customer threatening incidents increased by 85 percent," a spokesperson said.

"Customer threatening incidents unrelated to refund requests increased by 28 percent over the same period, demonstrating the heightened risk of the refund task for team members."

The ruling against Kmart comes almost a year after the OAIC found that Bunnings also was in breach of the Privacy Act when it analysed the faces of “hundreds of thousands” of customers across 62 stores in NSW and Victoria between November 2018 and November 2021.

Commissioner Kind noted that while the two decisions “do not impose a ban on the use of facial recognition technology, [the] human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted”.