Kmart facial recognition cameras break privacy laws, retailer looking to appeal

Kmart has broken privacy laws by using facial recognition cameras on customers, the Privacy Commissioner has found.

The retail giant used the cameras for two years until mid-2022, capturing the facial data of hundreds of thousands of people.

The cameras were placed at entrances and return counters in 28 stores across the country to detect refund fraud.

A Kmart spokesperson said the company was “reviewing its options” to appeal the finding.

In a six-month period from late 2024, “refund-related customer threatening incidents” rose by 85 per cent, the spokesperson said.

In the decision released on Thursday, Privacy Commissioner Carly Kind said Kmart tried to argue the cameras were legal because of an exemption in the Privacy Act, which applies when organisations reasonably believe that they need to collect personal information to tackle unlawful activity or serious misconduct.

Ms Kind said people’s right to privacy outweighed Kmart’s arguments.

Kmart’s facial recognition technology cameras “indiscriminately” collected sensitive biometric data of every person who entered a store, Ms Kind said.

“There were other less privacy intrusive methods available to Kmart to address refund fraud,” she said.

“Deploying the (facial recognition technology) system to prevent fraud was of limited utility.

“Considering that the FRT system impacted on the privacy of many thousands of individuals not suspected of refund fraud, the collection of biometric information on Kmart customers was a disproportionate interference with privacy.”

Kmart owner Wesfarmers has been approached for comment.

The surveillance scheme began in mid-2020 and ran in 28 stores across the country except in Tasmania and the Northern Territory.

The database would crosscheck facial data with a database of known or suspected refund fraudsters.

Kmart has been ordered not to reinstate the technology and will have to publish a statement on its website within 30 days explaining its use of the technology and the regulator’s finding against it.

The Kmart spokesperson labelled the commissioner’s decision as disappointing and the use of the tech as a “limited trial”.

“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” they said.

The 28 stores involved had “high levels of refund fraud” between June 2020 and July 2022, the spokesperson said.

“We implemented controls to protect the privacy of our customers. Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud,” they said.

“All other images were deleted, and the data was never used for marketing or any other purposes.”

“We ceased the trial when the Privacy Commissioner commenced the investigation.”

Instances of customers threatening staff over refunds rose 85 per cent from August 2024 to March 2025, the Kmart spokesperson said.

Threatening incidents not related to refunds rose 28 per cent over the same, they said, “demonstrating the heightened risk of the refund task for team members”.

“At Kmart we believe that all our team members deserve protections that make their workplaces safe, and that customers should also feel safe where and when they shop,” the spokesperson said.

“Kmart remains committed to finding tools to reduce crime in our stores, so we deliver on team member and customer safety and retain our ability to continue delivering on our low-price credentials for our customers.”

Bunnings challenge

The Privacy Commissioner made an adverse Privacy Act ruling against Bunnings – also owned by Wesfarmers – almost a year ago. Bunnings is challenging that case at the Administrative Review Tribunal.

Ms Kind says her Kmart and Bunnings rulings “do not impose a ban on the use” of facial recognition technology.

“The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted,” she said.

“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies.

“However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”