Written by: Haim Ravia, Dotan Hammer
The Australian Information Commissioner (AIC), Carly Kind, found that Kmart Australia Limited interfered with individuals’ privacy by using a Facial Recognition Technology (FRT) system in 28 retail stores between June 2020 and July 2022 to detect and prevent store refund fraud.
The Commissioner substantiated multiple breaches of the Australian Privacy Act 1988:
- Kmart collected the sensitive information of all individuals entering the relevant stores without consent. This sensitive information included facial images and the generated metadata and biometric information used for automated verification and identification. Kmart attempted to rely on a ‘permitted general situation’ exception, arguing the collection was necessary to take appropriate action against unlawful activity (refund fraud). However, the Commissioner ruled the collection was not necessary because the use of FRT was not proportionate. The privacy impact on potentially “tens or even hundreds of thousands of individuals” whose sensitive information was indiscriminately collected outweighed the limited benefits: the amount of fraud prevented was small compared to the estimated value of unlawful activity and to Kmart’s massive revenue.
- Kmart failed to take reasonable steps to notify individuals about the collection of their sensitive information, the purpose (detecting refund fraud), and the consequences (e.g., being denied a refund). Store signage and privacy policies were found to be inadequate or implemented too late.
- Kmart failed to maintain a clearly expressed and up-to-date privacy policy that specified the kinds of personal information collected (metadata and biometric information) and how it was collected via the FRT system.
As remedies, the Australian Information Commissioner declared that Kmart must not repeat or continue the infringing acts. Kmart was ordered to publish an apology and a detailed statement about its FRT use on its website and in stores for at least 30 days. Kmart must also retain all remaining FRT data for 12 months for compliance purposes before destroying it.
Click here to read the Australian Privacy Commissioner’s decision against Kmart Australia Limited.