In September 2025, the Australian Privacy Commissioner ruled that Kmart’s use of facial recognition technology (FRT) between 2020 and 2022 was unlawful. The retailer had deployed FRT across 28 stores to combat refund fraud, capturing biometric data from every customer entering the premises—without notice or consent.

The Commissioner found that:

  • Sensitive biometric data was collected indiscriminately, impacting thousands of individuals not suspected of wrongdoing.
  • Less privacy-intrusive alternatives were available, such as improved CCTV or staff training.
  • The utility of the FRT system was limited, and its deployment was disproportionate to the privacy risks involved.

This case underscores the importance of privacy-by-design when considering new technologies in commercial settings.

Assessing Privacy Risks in Facial Recognition Technology

The Office of the Australian Information Commissioner (OAIC) provides clear guidance for organisations evaluating FRT. Key principles include:

  • Necessity & Proportionality: Only collect biometric data if it’s essential and cannot be achieved by less intrusive means.
  • Consent & Transparency: Individuals must be informed and able to give meaningful, voluntary consent.
  • Accuracy & Bias: Systems must be tested for false positives/negatives and monitored for demographic bias.
  • Governance & Assurance: Organisations should conduct Privacy Impact Assessments (PIAs), maintain clear policies, and regularly review their practices.

SPAAL encourages members to stay informed and ensure any use of biometric technologies aligns with privacy obligations and community expectations.

For more detail on the Kmart findings: Australian Security Magazine: Kmart's Facial Recognition Unlawful

For more on assessing privacy risks around facial recognition technology: Australian Government: Office of the Australian Information Commissioner