Kmart’s Facial Recognition Gamble on Refund Fraud Ruled Unlawful by Australian Privacy Commissioner
Key Takeaways
- Unlawful Collection: Kmart used facial recognition at 28 stores to combat refund fraud but failed to notify or gain consent, breaching the Privacy Act.
- Limited Effectiveness: The Privacy Commissioner found the system had little impact on preventing fraud and was disproportionate compared to the scale of losses.
- Not a Free Pass: Businesses can cite safety and fraud prevention, but these justifications do not exempt them from privacy compliance.
- Retail Precedent: The ruling follows a similar decision against Bunnings in 2024, signaling growing regulatory resistance to biometric surveillance in retail.
Deep Dive
Kmart’s experiment with high-tech fraud prevention has backfired. Australia’s Privacy Commissioner has ruled that the retailer unlawfully harvested shoppers’ biometric data in its attempt to stop refund fraud, a decision that places facial recognition technology under fresh scrutiny in the retail sector.
From June 2020 to July 2022, anyone walking into 28 Kmart stores, or approaching a returns counter, had their face scanned. The goal was simple: catch repeat offenders gaming the refund system. But the execution, according to Commissioner Carly Kind, was anything but lawful. Sensitive biometric information was gathered from everyone, not just suspected fraudsters, without notice or consent.
Kmart leaned on a Privacy Act exemption meant for tackling unlawful activity, arguing that the technology was necessary to deal with refund abuse. The Commissioner disagreed. Not only was the system blunt, capturing thousands of faces regardless of suspicion, it also offered limited effectiveness, ignored less invasive alternatives, and was wildly disproportionate compared to the scale of the problem.
“The benefits of the FRT system in addressing refund fraud did not proportionately outweigh the impact on individuals’ privacy,” Kind concluded, calling the collection “a disproportionate interference.”
Retailers’ Surveillance Dilemma
This isn’t the first time Australian regulators have stepped in. In October 2024, Bunnings was found to have breached privacy law with its own facial recognition rollout, a decision now under appeal. Taken together, the cases show how retailers are testing the boundaries of surveillance in the name of security and how quickly regulators are pushing back.
The Commissioner was careful to note that the ruling does not amount to a ban. Businesses can legitimately point to safety and fraud prevention when weighing new technologies. But that rationale, she stressed, is “not a free pass to avoid compliance with the Privacy Act.”
The Kmart decision lands at a time when consumers are increasingly wary of being tracked in public spaces, and as regulators worldwide wrestle with how to balance innovation with fundamental rights. For now, Australian retail chains may find themselves under the microscope if they gamble on surveillance tech without clear safeguards.