
Kmart Facial Recognition Technology Pilot Program Violated Privacy Laws, Australian Privacy Commissioner Rules

A facial recognition technology pilot program that Kmart ran in Australia from 2020 to 2022 violated Australia’s privacy laws, according to the national privacy commissioner. Over the course of about two years, the stores were collecting shopper biometrics at store entrances and return counters without collecting proper consent. The commissioner also found that the use was disproportionate to the company’s stated needs.

The facial recognition technology was used at 28 Kmart stores across all of the Australian states and territories except for the Northern Territory and Tasmania. The pilot program does not impact what dwindling Kmart locations are left in other countries, including the United States; Australia’s Kmart brand is owned by the Perth-based conglomerate Wesfarmers and only operates stores there and in New Zealand.

Australia’s Kmart accused of using invasive facial recognition technology during COVID-era pilot

The use of the facial recognition technology was considered a pilot test run that began in mid-2020 and carried on until July 2022. The Australian stores captured facial biometrics and cross-checked them against a reference list of known or suspected participants in refund fraud scams, unbeknownst to most customers as they stepped through the entrance or walked up to the refund desk. Tens to hundreds of thousands of Australian customers are thought to have been impacted during this time.

Kmart previously argued that its use fell under an exemption in the national Privacy Act that allows sensitive personal information to be collected without consent when organizations have a “reasonable belief” that it is needed to address illegal activity. That argument was rejected by privacy commissioner Carly Kind, who said that other steps that were both less invasive and more effective were available to the company to protect itself from return fraudsters.

Kind also noted a proportionality issue, observing that return fraud had only taken a “minimal” amount from Kmart’s $9.2 billion regional revenue in 2020. The deployment of facial recognition technology indiscriminately against shoppers to combat such a relatively small financial issue was found to be in violation of privacy laws.

Kmart is not being fined for the breach of privacy laws, but will have to publish a statement on its website (within 30 days) that explains how it used facial recognition technology during this period and why it was found to be in violation. It must also cease this practice going forward, or face the possibility of future fines and legal action.

Australian privacy laws allow for use of facial recognition technology, but with important restrictions

The national privacy laws do leave room for deployment of this type of facial recognition technology, but with important safety and proportionality restrictions. Businesses are required to weigh potential harms, such as risks of discrimination or a mistaken or unlawful arrest, against the proportional need for security.

The privacy regulator has stressed that facial recognition technology is not off the table despite also issuing a decision against retailer Bunnings for use of it in October 2024. That case involved 62 stores but was somewhat different, though it also involved a trial program and ended up with a violation of privacy laws. From 2019 to 2021, Bunnings scanned customers to identify “persons of interest” with a previous record of committing or threatening violence against retail employees or committing “serious” retail theft.

These cases highlight the need for organizations implementing facial recognition technology to undertake a privacy impact assessment and fully develop policies and procedures for its use. To avoid falling afoul of the national privacy laws, a public-facing privacy policy and proper staff training are also a necessity, as are in-store notifications about use of facial recognition technology and posted information about the purposes for collection. Customer and staff safety and fraud prevention are legitimate reasons for retailers to make use of facial recognition technology under the national privacy laws, but the assorted legal details must be attended to.

These precedents are also not entirely settled as of yet. The Bunnings decision is already under review, and Kmart has indicated that it will be reviewing its options for appeal. The company issued a statement expressing that it only retained images when a subject was flagged as being suspected of, or having previously committed, refund fraud, and that all other data and images were deleted and never used for marketing or any other purposes.

Another element to the action is that the privacy commissioner ultimately found that the facial recognition technology was not particularly effective. It found that the actual ability to correctly detect retail fraud suspects was “insignificant,” something that is devastating to the proportionality defense. And even when these systems do flag suspects correctly, a human security officer must be present to receive the notification of the suspicious behavior and personally intervene.