
Retail giant Kmart broke privacy laws by using facial recognition technology (FRT) on its customers, the privacy commissioner has found.
Over the two years until July 2022, Kmart captured the facial data of "tens or hundreds of thousands" of customers at store entrances and return counters, in an attempt to tackle refund fraud.
Facial recognition technology maps a person's unique facial features and compares them against a database of other faces.
Major retailers and public venues say the technology can be helpful in detecting repeat offenders and preventing crime.
But after a three-year investigation, privacy commissioner Carly Kind found Kmart's use of FRT was disproportionate, and the company did not gain consent to use it on shoppers.
"The sensitive information of every customer who entered a relevant store was indiscriminately collected by the FRT system," Ms Kind said.
How Kmart used FRT on customers
Kmart's "pilot program" began in mid-2020 and expanded across 28 stores in all Australian states and territories except for the Northern Territory and Tasmania.
The system would cross-check customers' facial data against a database of people who had committed refund fraud or were suspected of it.
In its response to the regulator earlier this year, Kmart argued it was not required to obtain consent because of an exemption in the Privacy Act that applied when organisations reasonably believed they needed to collect personal information to tackle unlawful activity.
Ms Kind rejected that argument, finding Kmart could have taken more effective and proportionate security steps rather than FRT, which she described as "partially suitable" to prevent fraud at best.
"The number of fraudulent incidents detected … and the value of fraud prevented … was small. [It was] also minimal with respect to [Kmart's] annual revenue, which was $9.2 billion in the 2020 financial year."
Measured against the impact on customers, Ms Kind said Kmart's decision to indiscriminately collect biometric information was "disproportionate".
"The potential harms generally arising from the use of FRT are significant, and include the risk of commercial surveillance, discrimination, [and] unlawful [or] arbitrary arrest," she added.
As part of the finding, Kmart has been ordered not to repeat the practice in the future, and will have to publish a statement on its website within 30 days explaining its use of FRT and the regulator's finding against it.
FRT is not banned in Australian stores
It is the second time in just under a year the privacy commissioner has made a similar finding against an Australian retailer.
In October 2024, the privacy commissioner found that Bunnings also breached the Privacy Act with its use of FRT in 62 stores, although she said Kmart's use of the technology was very different.
The regulator's decision on Bunnings is currently under review by the Administrative Review Tribunal.
"These two decisions do not impose a ban on the use of FRT," Ms Kind said.
"Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies.
"However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act," she said.
The privacy commissioner said Kmart stopped its use of FRT when the investigation began in July 2022, and had cooperated throughout the process.
The ABC has approached Kmart's parent company, Wesfarmers, for comment.
Written by: Ange Lavoipierre, ABC News.