Australian retailer Kmart has recently come under fire for deploying Facial Recognition Technology (FRT) in 28 of its stores. This practice led to the degradation of many black sanctuaries during June-July 2020. With respect to Kmart, the Privacy Commissioner Carly Kind has concluded that Kmart’s actions were a violation of privacy law. The private retailer then deployed facial recognition technology to record the faces of everyone entering the stores. That included the people standing in line at the returns counter, all in the name of combating return fraud.
Kmart chose to adopt this technology in part because they were experiencing a sudden uptick in refund-related situations where customers were making threats. From August 2024 through March 2025, these incidents increased by a staggering 85 percent. The retailer claimed that these incidents created a “heightened risk of the refund task for team members.” To address this issue, Kmart recently implemented a small-scale trial of facial recognition technology (FRT). Their aim is to target people they believe are committing fraud when returning items.
Unfortunately for Kmart, no matter how well-intentioned its model may be, its defense relied on an exemption in the Privacy Act. In its defense, the retailer argued that it wasn’t required to obtain consent before using FRT. It claimed that gathering sensitive personal information was vital to stop illegal acts before they occurred. The Privacy Commissioner found this position unacceptable.
As Carly Kind explained in a webinar last year, businesses’ concerns should be taken seriously, especially the safety of their customers and employees. These concerns do not excuse them from having to comply with privacy laws. “Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies,” she said. “These reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
Kmart’s troubled use of FRT should be a huge red flag for any domestic privacy advocates. Kind’s complaint highlighted how the system captured sensitive biometric information of everyone that walked into its stores—with no regard for privacy. “I do not consider that the respondent could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” she stated.
In an email, a Kmart spokesperson said the company was disappointed with the ruling. They noted that the corporation is currently considering its options to appeal. “To tackle a growing problem of refund fraud in our stores, we conducted a limited trial of FRT, commencing in one store and extending to another 27 stores with high levels of refund fraud,” they explained. They emphasized that measures were taken to protect customer privacy, stating, “Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud.”
This ruling draws attention to the Privacy Commissioner’s second finding on FRT and privacy violations, which are indeed a cause for concern. This time, it takes aim at the country’s largest retailer. In October 2024, Bunnings was similarly found to have breached privacy laws through its use of FRT in 62 stores.
The claims have not been entirely dismissed on the merits, eliminating FRT from police use altogether. They raise important questions about how we can continue to promote positive, innovative uses of technology in retail while safeguarding people’s privacy.
