SmartSuite News

Kmart's FRT Breach: A Cautionary Tale for Retail Privacy

September 25, 2025
By SmartSuite News Team
Key Takeaways

  • Kmart's facial recognition use was deemed disproportionate and unnecessary by the OAIC.
  • Retailers must prioritize transparency and consent when deploying biometric tools.
  • The OAIC will scrutinize the necessity and proportionality of biometric data collection.
  • Fraud prevention alone does not justify widespread biometric data collection.

On September 18, 2025, the Privacy Commissioner, Carly Kind, issued a scathing determination against Kmart Australia Limited, finding that the company breached the Privacy Act 1988 (Cth) through its use of facial recognition technology (FRT) in 28 stores between June 2020 and July 2022. This case is a stark reminder for retailers and businesses considering biometric or surveillance technologies that the regulatory landscape is unforgiving.

The Scope of the Breach

Kmart's FRT system scanned and analyzed the faces of everyone entering the stores and anyone presenting at a returns counter, capturing sensitive biometric data without notice or consent. The company's primary defense was that the system was deployed to deter refund fraud. However, the Privacy Commissioner found that the collection was indiscriminate, of limited utility, and disproportionate to the risk, thereby breaching the Privacy Act.

Key Legal Findings

The OAIC identified several breaches of the Australian Privacy Principles (APPs):

  1. APP 3: Kmart collected biometric (sensitive) information without consent, and the “unlawful activity” exception was not available.
  2. APP 5: Customers were not informed that their facial images were being captured and analyzed.
  3. APP 11: Governance and data-handling safeguards were inadequate for sensitive information.

Context and Commissioner’s Comments

This ruling is the second of its kind, following the October 2024 decision against Bunnings. Commissioner Kind emphasized that while the Privacy Act is technology-neutral, the use of FRT must be consistent with privacy principles. Key points from her comments include:

  • Consent and Notification: These are baseline expectations for biometric data collection.
  • Exemption Bar: Relying on exemptions for lawful activity is a high bar and will rarely be available.
  • Case-by-Case Assessment: The OAIC will evaluate each deployment based on context and necessity.

The Business Impact

The Kmart determination sends a clear message to retailers and other organizations: collecting sensitive biometric information at scale without consent will almost certainly breach the Privacy Act. While fraud prevention and safety are legitimate concerns, they do not override privacy protections. This ruling should serve as a strong signal for businesses to integrate privacy considerations into any new technology deployment from the outset.

Practical Takeaways for Retailers

  1. Expect Regulatory Scrutiny: If you are considering FRT or other biometric tools, prepare for rigorous regulatory oversight.
  2. Conduct a Privacy Impact Assessment (PIA): Before rollout, conduct a thorough PIA with a clear analysis of proportionality and alternatives.
  3. Embed Transparency and Consent: Ensure that transparency and consent mechanisms are integral to customer-facing processes.
  4. Strengthen Governance and Contracts: Review and strengthen contractual and governance arrangements with technology providers to meet APP 11 obligations.

The Bottom Line

The Kmart determination is a critical warning for retailers and other organizations. It underscores the importance of balancing legitimate business needs with robust privacy protections. While the use of FRT is not banned, it must be deployed with careful consideration of privacy principles. Retailers should treat this ruling as a wake-up call to prioritize privacy in their technology strategies.

Frequently Asked Questions

What was Kmart's primary reason for using facial recognition technology?

Kmart used facial recognition technology to deter refund fraud.

What specific principles of the Privacy Act did Kmart breach?

Kmart breached APP 3 (sensitive information collection without consent), APP 5 (failure to notify customers of collection), and APP 11 (inadequate data handling safeguards).

What does the OAIC's ruling mean for other retailers considering biometric technologies?

The ruling indicates that the OAIC will scrutinize the necessity and proportionality of biometric data collection, and fraud prevention alone is not a sufficient justification.

How can retailers ensure compliance with the Privacy Act when using biometric tools?

Retailers should conduct a Privacy Impact Assessment, ensure transparency and consent, and strengthen governance and contractual arrangements.

What are the potential consequences of breaching the Privacy Act with biometric data?

Consequences can include regulatory fines, reputational damage, and loss of customer trust.