A three year probe into Kmart’s use of facial recognition across dozens of stores has found the retailer breached privacy law when it captured and analysed customers’ faces without consent or notification.
Kmart deployed the facial recognition technology at 28 stores between 2020 and 2022 in an attempt to identify people committing refund fraud.
But it did not notify shoppers or seek their consent despite collecting biometric information, which is considered sensitive personal information under Australian privacy law.
Kmart has been ordered to apologise and destroy the information, while the regulator has moved to clarify there is no outright ban on facial recognition despite a also ruling against Bunnings last year about its use of facial recognition.
An appeal from Kmart is now under consideration, with a spokesperson saying the retailer “remains committed to finding tools to reduce crime in our stores”.
Privacy Commissioner Carly Kind on Thursday released her determination from August that found Kmart breached Australians’ privacy by collecting their personal and sensitive information.
She found the retail giant had indiscriminately collected the sensitive information of customers with facial recognition, including thousands of shoppers not suspected of refund fraud.
In making her decision, the regulator considered the estimated value of fraudulent returns against the respondent’s total operations and profits, the limited effectiveness of the technology and the extent of the privacy impacts in collecting the sensitive information of every individual who entered the stores.
“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the [facial recognition technology] system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Ms Kind said.
A spokesperson for Kmart told InnovationAus.com the company is disappointed in the decision and “is reviewing its options to appeal the determination”.
“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” the spokesperson said.
Bunnings was also found to have breached privacy law last year after using facial recognition technology as a crime prevention and safety tool in 62 stores. The Bunnings decision is currently under review in the Administrative Review Tribunal.
“These two decisions do not impose a ban on the use of [facial recognition technology],” Ms Kind said Thursday.
“The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
Do you know more? Contact James Riley via Email.