OAIC Determines Kmart Breached the Privacy Act 1988 (Cth) Over Use of Facial Recognition Technology

Written By

Rich Hawkins

Partner and Co-Head of Australia
Australia

I am a partner in our Media, Entertainment & Sports group, based in Sydney.

Mia Herrman

Associate
Australia

I am an associate in our Tech Transactions team in Sydney, specialising in technology, cybersecurity and privacy advisory work.

Background – Why This Matters for Businesses

On 18 September 2025, the Privacy Commissioner, Carly Kind, published a determination finding that Kmart Australia Limited (“Kmart”) breached the Privacy Act 1988 (Cth) (“Privacy Act”) by using facial recognition technology (“FRT”) in 28 stores between June 2020 and July 2022. Kmart rolled out facial recognition technology to try to deter refund fraud.

Kmart’s system scanned and analysed the faces of everyone entering those stores and anyone presenting at a returns counter, capturing sensitive biometric data without notice or consent. While Kmart argued it was relying on the Privacy Act exemption for preventing unlawful activity, the Privacy Commissioner found the collection was indiscriminate, of limited utility, and disproportionate to the risk, and therefore in breach of the Privacy Act.

The case is highly relevant to all organisations considering biometric or surveillance technologies. It demonstrates that even when businesses deploy such tools for legitimate purposes — in Kmart’s case, preventing refund fraud — the Office of the Australian Information Commissioner (“OAIC”) will scrutinise whether the collection of sensitive information is proportionate, transparent, and genuinely necessary. The ruling shows that “fraud prevention” or “security” alone will not justify widespread collection of biometric data.

Key Legal Findings

  • Law / Obligation: Australian Privacy Principle (APP) 3, Privacy Act – sensitive information may only be collected with consent, unless a narrow exception applies.
    Breach identified by OAIC: Kmart collected biometric (sensitive) information without consent, and the “unlawful activity” exception was not available.
  • Law / Obligation: APP 5 – obligation to notify individuals of collection.
    Breach identified by OAIC: Customers were not told that their facial images were being captured and analysed.
  • Law / Obligation: APP 11 – obligation to secure information and minimise the risk of unauthorised use.
    Breach identified by OAIC: Governance and data-handling safeguards were found to be inadequate for sensitive information.

Context and Commissioner’s Comments

This is the second OAIC decision on FRT in retail, following the October 2024 ruling against Bunnings. In her blog accompanying the Kmart decision, Commissioner Kind stressed:

  • The Privacy Act is technology-neutral: FRT is not banned, but its use must be consistent with privacy principles.
  • Consent and notification are baseline expectations for biometric collection.
  • Reliance on exemptions is a high bar and will rarely be available.
  • The OAIC will assess each deployment on a case-by-case basis, factoring in context (e.g. essential services versus discretionary retail) and whether FRT is necessary or simply a cheaper alternative.

Practical Takeaways for Clients

  • If you are considering FRT or other biometric tools, expect regulatory scrutiny.
  • Always conduct a Privacy Impact Assessment before rollout, with a clear analysis of proportionality and alternatives.
  • Transparency and consent mechanisms must be embedded in customer-facing processes.
  • Contractual and governance arrangements with technology providers should be reviewed and strengthened to reflect APP 11 obligations.

Bottom Line

The Kmart determination is a key warning for retailers and other organisations: collecting sensitive biometric information at scale without consent will almost certainly breach the Privacy Act. Fraud prevention and safety are legitimate concerns, but they do not override privacy protections. Organisations should treat this as a strong signal from the OAIC to build privacy considerations into any new technology deployment from the outset.
