
Kmart Australia Facial Recognition Privacy Breach – OAIC Ruling and Timeline
Kmart Australia breached the Privacy Act 1988 by deploying facial recognition technology across 28 retail stores for two years, collecting biometric data from shoppers without clear notification or consent. The Office of the Australian Information Commissioner determined on 18 September 2025 that the retailer’s use of automated face scanning between June 2020 and July 2022 violated multiple Australian Privacy Principles.
The technology captured facial vectors—unique biometric identifiers—from every person entering monitored stores and those processing returns at customer service counters. The stated aim of this indiscriminate collection was to prevent refund fraud, at a retailer generating $9.2 billion in annual revenue.
The determination marks the second major retail privacy ruling by the OAIC within 12 months, following a similar finding against Bunnings in October 2024. Consumer advocacy group CHOICE, which lodged the initial complaint, described the outcome as a significant warning to retailers deploying surveillance technology.
What Happened in the Kmart Australia Facial Recognition Privacy Breach?
- Kmart scanned faces of all store entrants and returns counter users indiscriminately
- Biometric data qualifies as sensitive information under Australian Privacy Principle 3
- Retailer claimed exemption for preventing unlawful activity but OAIC rejected this justification
- No monetary fines imposed; remedial compliance orders issued instead
- Precedent builds on October 2024 Bunnings determination
- CHOICE investigation triggered the three-year OAIC probe
| Fact | Details | Source |
|---|---|---|
| Stores Affected | 28 Kmart locations across Australia | OAIC |
| Duration | Approximately 25 months (June 2020–July 2022) | Twobirds |
| Legal Basis Challenged | Section 16A “permitted general situation” exemption | Addisons |
| Determination Date | 18 September 2025 (public release) | OAIC |
| Internal Determination Date | 26 August 2025 | CBP |
| Fine Imposed | None; compliance-focused outcome | Clayton Utz |
What Was the OAIC’s Determination on Kmart’s Facial Recognition Use?
Privacy Commissioner Carly Kind found that Kmart’s deployment violated Australian Privacy Principles 3 and 5. APP 3 governs the collection of solicited personal information, while APP 5 mandates notification of data collection practices.
The OAIC determined that facial vectors constitute sensitive biometric information requiring explicit consent for collection. Kmart’s systems captured these identifiers from every individual entering specified stores or using returns counters, rather than targeting specific suspects.
Did Kmart Australia Get Fined for the Privacy Breach?
No monetary penalties were imposed. The OAIC issued declaratory orders requiring immediate cessation of the technology in its current form, publication of a public statement and apology within 30 days, and updates to the website privacy policy. Kmart must retain existing biometric data for 12 months for accountability purposes, then delete it.
What Privacy Laws Did Kmart Breach?
The specific breaches involved APP 3, which prohibits collecting sensitive information without consent unless an exception applies, and APP 5, which requires adequate notification. Kmart argued for exemption under section 16A of the Privacy Act for preventing unlawful activity, claiming the FRT targeted refund fraud.
The OAIC ruled that section 16A exemptions require targeted, necessary action against specific unlawful activity. Indiscriminate scanning of all customers without reasonable suspicion does not satisfy this threshold.
The Commissioner rejected Kmart’s justification on three grounds: the collection was indiscriminate rather than targeted, disproportionate given minimal fraud losses relative to $9.2 billion revenue, and of limited utility for the stated purpose.
Timeline of the Kmart Facial Recognition Privacy Incident
When Did Kmart Start Using Facial Recognition Technology?
Deployment began in June 2020 across select stores. The technology remained active until July 2022, capturing biometric data for approximately 25 months.
Key Dates in the Investigation
CHOICE investigated the retailer’s practices and lodged a formal complaint in 2022, prompting the OAIC to initiate proceedings. The investigation lasted three years, with Kmart cooperating fully throughout the process.
In October 2024, the OAIC issued a similar determination against Bunnings for FRT use in 62 stores. That determination, which remains under review by the Administrative Review Tribunal, established the legal framework for the Kmart ruling.
Has Kmart Stopped Facial Recognition and What Are the Customer Impacts?
Kmart ceased using the facial recognition technology in July 2022, coinciding with the commencement of the OAIC investigation. The retailer has since updated its website privacy policy to include details about the previous FRT usage.
What Are the Outcomes for Customers Affected?
Customers who entered affected stores or used returns counters between June 2020 and July 2022 had their facial vectors collected without notification or consent. While no direct compensation mechanism was established, the ruling affirms heightened protections for biometric data in retail environments.
The determination signals that customers have recourse through complaints to the OAIC when retailers deploy mass surveillance technologies.
Kmart must retain the collected biometric data for 12 months from the determination date to ensure accountability, after which complete deletion is required.
Is Facial Recognition Legal in Australian Retail Stores?
Facial recognition technology remains legal under Australian privacy law but must comply with strict proportionality, transparency, and necessity requirements. The Privacy Act operates as technology-neutral legislation, meaning FRT is not banned but requires consent as the baseline.
Mass surveillance applications rarely qualify for exemptions.
Chronology of the Kmart Privacy Investigation
- June 2020: Kmart deploys facial recognition technology in 28 stores to combat refund fraud.
- July 2022: Kmart ceases FRT operations; OAIC investigation begins following CHOICE complaint.
- October 2024: OAIC rules against Bunnings for similar FRT use, establishing precedent.
- 26 August 2025: Internal OAIC determination finalised (AICmr 155).
- 18 September 2025: Privacy Commissioner Carly Kind publicly releases determination.
What Facts Remain Uncertain in the Kmart Case?
Established Information
- 28 stores used FRT from June 2020 to July 2022
- Biometric data collection breached APP 3 and APP 5
- OAIC rejected section 16A exemption claims
- No financial penalties imposed
- Kmart cooperated with the three-year investigation
Remaining Uncertainties
- Exact number of individuals whose data was captured
- Specific technical specifications of the FRT systems used
- Whether Kmart will pursue Administrative Review Tribunal appeal
- Long-term compliance monitoring mechanisms post-12 months
How Does the Kmart Ruling Fit Into Australian Privacy Law?
The determination reinforces that the Privacy Act 1988 applies technology-neutrally to biometric surveillance. While facial recognition itself remains lawful, collection must be proportionate to the specific threat and transparent to affected individuals.
Retailers face higher compliance thresholds than essential services. The OAIC guidance emphasizes privacy-by-design principles, requiring organizations to assess necessity before deploying surveillance technologies.
Consumer advocates including CHOICE continue calling for stronger legislative reforms to address enforcement gaps in biometric data protection. Legal analysis suggests retail applications face particular scrutiny under current frameworks.
What Did Officials Say About the Kmart Determination?
Kmart’s use of facial recognition to tackle refund fraud was unlawful.
— Privacy Commissioner Carly Kind, OAIC Media Centre, 18 September 2025
This is a warning to all retailers that they cannot indiscriminately collect sensitive biometric information.
— CHOICE Media Release, September 2025
What Are the Key Takeaways from the Kmart Privacy Breach?
Kmart Australia’s use of facial recognition technology between 2020 and 2022 violated the Privacy Act 1988 by collecting sensitive biometric data without consent or adequate notification. The OAIC determination establishes that mass surveillance exemptions are narrowly construed, requiring targeted rather than indiscriminate collection. Retailers must now ensure biometric surveillance is proportionate, transparent, and justified by specific security threats rather than general loss prevention.
Frequently Asked Questions About the Kmart Facial Recognition Case
Why did Kmart use facial recognition technology?
Kmart deployed FRT specifically to combat refund fraud, though the OAIC determined this purpose did not justify indiscriminate collection of biometric data from all customers.
Who made the complaint against Kmart?
Consumer advocacy group CHOICE investigated Kmart’s practices and lodged the formal complaint with the OAIC in 2022.
Is Kmart still using facial recognition cameras?
Kmart ceased using the technology in July 2022 and has been directed not to resume usage in its previous form.
What should customers do if they shopped at Kmart during 2020-2022?
The OAIC has ordered Kmart to retain data for 12 months then delete it. Customers concerned about their biometric data may contact the OAIC or Kmart directly.
Will Kmart face financial penalties?
No monetary fines were imposed. The outcome focuses on compliance declarations and public accountability measures.
How long was the investigation?
The OAIC investigation lasted three years from initial complaint to final determination.
Does this mean facial recognition is banned in Australia?
No. Facial recognition remains legal but must comply with Australian Privacy Principles, including consent requirements and proportionality tests.