OAIC finds Kmart Breached Privacy Laws over Facial Recognition Technology
- Isabella Tziolis
- 23 hours ago
- 3 min read
On 18 September 2025, the Privacy Commissioner, Carly Kind, issued a significant determination against Kmart Australia Ltd, concluding that its use of facial recognition technology in retail locations contravened the Privacy Act 1988 (Cth) (the Act). This decision reinforces the regulator’s heightened vigilance regarding the deployment of biometric technologies in the retail sector and provides critical guidance for businesses on their compliance obligations.
Importantly, facial recognition technologies collect biometric information which is classified as sensitive personal information under the Act. Accordingly, the collection of such information must be both proportionate and transparent.
Key Findings Against Kmart
The Commissioner’s investigation determined that Kmart operated a facial recognition system at 28 stores between June 2020 and July 2022 to detect and reduce refund fraud. However, several deficiencies led to a finding of multiple privacy breaches:
Inadequate Consent: Kmart failed to obtain informed and voluntary consent from customers prior to the collection of personal and sensitive information, including biometric data.
No Applicable Exception: In the absence of consent, no exception under the Privacy Act applied that would otherwise permit such collection.
Insufficient Notification: Kmart did not take reasonable steps to notify customers or ensure awareness. Notices were displayed inconsistently and were deemed neither prominent nor informative enough to satisfy statutory requirements.
Not proportionate: Collecting the biometric information of every consumer who entered the 28 Kmart stores, measured against the proportion of those individuals who actually committed refund fraud, was a disproportionate interference with privacy.
Inadequate safeguards: There must be adequate protections in place to secure and prevent unauthorised use of any sensitive information collected.
The Commissioner emphasised that business imperatives such as safety and fraud prevention, while legitimate, do not override the Act’s requirements.
Regulator’s Guidance for Lawful Use of Facial Recognition
The Commissioner’s determination against Kmart follows a similar outcome involving Bunnings in 2024, and clarifies regulatory priorities and best practices for retailers deploying advanced surveillance technologies.
Key takeaways for compliance include:
Undertake Privacy Risk Assessments: Conduct a robust privacy impact assessment, considering the scale of operations, data sensitivity, and opportunities for customer engagement at the point of collection.
Consent is Essential for Sensitive Data: Explicit and informed consent must be obtained for any collection of sensitive information such as facial images and biometric identifiers.
Prominence of Notices: Notification must be clear, prominent, and accessible throughout store premises. Notices cannot be restricted to vague or general references to “CCTV, including facial recognition technology” at entry points.
Transparency: Retailers must articulate precisely what information is being collected, the purposes of collection, and how the information will be used, managed, and stored.
Implications for Retailers and Businesses
The Kmart determination sets a clear precedent for privacy compliance in the Australian retail context, especially as biometric technologies proliferate. Retailers should review current and proposed uses of facial recognition and other surveillance technologies to ensure alignment with privacy law requirements. This review should include the following steps:
Develop and implement detailed privacy notices and consent mechanisms.
Consider a Privacy Impact Assessment of any project that might impact the privacy of individuals.
Document privacy assessments and decision-making processes, including potential alternatives and proportionality to the outcome achieved.
Seek advice, as failure to meet these requirements can expose businesses to regulatory investigation, determinations of breach, and associated reputational and legal risks.
The Commissioner’s decision highlights a growing regulatory expectation that privacy compliance remains central to technology adoption in retail settings. Retailers must ensure that any personal or sensitive data collection is lawful, transparent, and based on proper consent, or risk significant regulatory intervention and public scrutiny.
ABOUT THE AUTHOR
Isabella Tziolis assists as a paralegal in commercial, defamation, employment and general matters and is committed to supporting BlackBay Lawyers’ mission of delivering exceptional legal services. Her work focuses on assisting in providing comprehensive legal support, conducting extensive research, and offering strategic guidance to clients.
Isabella is currently studying a Bachelor of Laws and a Bachelor of Arts, majoring in Politics and International Relations, at the University of New South Wales. Her academic and professional experience has fostered her high attention to detail and strong analytical skills, which allow her to efficiently handle high-pressure situations and contribute to effective legal strategies.