Retail giant Kmart has been pinged for breaching shoppers’ privacy by scanning the faces of unwitting customers returning products at dozens of its stores.
Privacy Commissioner Carly Kind found the company in breach after it collected people’s personal and sensitive information through a facial-recognition technology (FRT) system designed to tackle refund fraud.
Between June 2020 and July 2022, Kmart used the technology at 28 of its stores to capture every person who lined up at a returns counter.
“Relevant to a technology like facial recognition, is also the public interest in protecting privacy,” the commissioner said on Thursday.
“I do not consider that (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy.”
Kmart argued that it was not required to obtain customer consent because of an exemption in the Privacy Act that allowed for information to be collected to tackle unlawful activity or serious misconduct.
But after a three-year investigation, the commissioner found sensitive biometric information of every individual who entered a store was “indiscriminately collected” by the facial-recognition system.
She said other, less-intrusive methods were available to Kmart to address refund fraud.
The volumes of biometric data collected on thousands of individuals without their knowledge showed “a disproportionate interference with privacy”, the commissioner said.
Kmart has been ordered not to use the facial-recognition technology again and will have to publish an apology to customers in stores and on its website within 30 days.
The Wesfarmers-owned company said it was disappointed with the decision about its “limited trial” of facial-recognition technology and it was reviewing appeal options.
Controls to protect customers’ privacy had been put in place during the scheme, it said in a statement.
“Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud,” Kmart said.
The determination is the second issued by the Office of the Australian Information Commissioner on the use of facial recognition in retail settings.
In October, Wesfarmers-owned hardware chain Bunnings was found to have contravened the privacy of its shoppers across 62 of its stores. It is also appealing the finding.