Privacy Chief Slams Kmart Australia on Facial Recognition Tech
Kmart Australia violated customers' privacy by indiscriminately collecting their personal and sensitive data with facial recognition technology (FRT) in an operation designed to tackle refund fraud, Privacy Commissioner Carly Kind announced Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Between June 2020 and July 2022, the company used FRT to capture the faces of everyone who entered 28 of its retail stores and individuals who visited a returns counter, in an attempt to identify those committing refund fraud, Kind said. The company, however, failed to notify shoppers or seek their consent to use FRT to collect their biometric information, which enjoys higher protections under the Australian Privacy Act.
Kmart stopped using FRT in July 2022 and cooperated with the Office of the Australian Information Commissioner (OAIC) during an investigation that began at that time, Kind said.
Kmart contended it wasn't required to obtain consent because of an exemption in the Privacy Act that applies when organizations reasonably believe they need to collect personal information to tackle illegal activity or serious misconduct, Kind noted. Her investigation focused on whether Kmart met the conditions for relying on that exemption.
It found that sensitive biometric information of every person who entered a store was indiscriminately gathered. Moreover, the commissioner said, there were less intrusive ways to address refund fraud, and using FRT was of limited utility.
"Considering that the FRT system impacted on the privacy of many thousands of individuals not suspected of refund fraud, the collection of biometric information on Kmart customers was a disproportionate interference with privacy," the commissioner said.
Kind considered several factors in determining the violation. These included: the estimated value of fraudulent returns against Kmart's total operations and profits; the limited effectiveness of the system; and the extent to which collecting everyone's sensitive information affected their privacy.
The determination is the second issued by the OAIC on the use of FRT in retail settings, Kind noted. In October 2024, she found that Bunnings Group had breached people's privacy through its use of FRT in 62 stores across the country, a decision now under review by the Administrative Review Tribunal.
Kind stressed the decisions don't ban the use of FRT, but that businesses considering its use must make privacy a key feature. Wesfarmers, the parent company of Kmart Australia, didn't comment by our deadline.
In the U.S., Home Depot faces a class action under the Illinois Biometric Information Privacy Act over facial recognition used in an AI-powered system that manages inventory and mitigates theft at self-checkout stations (see 2508050063).