Kmart's use of facial recognition to tackle refund fraud unlawful (www.oaic.gov.au)

🤖 AI Summary
Australia’s Privacy Commissioner has determined that Kmart unlawfully collected customers’ biometric data by running facial recognition technology (FRT) in 28 stores and at returns counters from June 2020 to July 2022 without notifying customers or obtaining their consent. The Office of the Australian Information Commissioner (OAIC) found that the system indiscriminately captured the faces of every person who entered those stores, had limited effectiveness at preventing refund fraud, and that less privacy-intrusive options were available, making the mass collection of sensitive biometric information a disproportionate interference with privacy under the Privacy Act. Kmart ceased the program in July 2022 and cooperated with the investigation. For the AI/ML community and retailers, the ruling is a clear precedent: deploying FRT triggers strict privacy obligations and cannot rely on a narrow “unlawful activity” exemption unless proportionality, necessity and effectiveness are demonstrable. Key takeaways include the need for privacy impact assessments (DPIAs), transparency and consent frameworks, data minimization and retention limits, bias and accuracy testing, and robust governance for sensitive biometric data. This decision, the second similar OAIC finding after Bunnings, does not ban FRT but signals that regulators will closely scrutinize utility versus privacy harms and expect organizations to document alternatives, risk mitigation and legal justification before rolling out biometric systems.