If you’re one of the 8 million or so Australians who shop at Kmart every year, chances are you were being watched.
Not just by staff members or security, or even typical CCTV cameras, but by specialised facial recognition technology (FRT) that was rolled out into more than two dozen of the retailer’s stores between 2020 and 2022.
Every shopper who entered had their face scanned and stored in a system designed to catch refund fraudsters.
On Thursday, following a three-year investigation, Australia’s privacy commissioner ruled that the practice was in breach of the nation’s privacy laws, and thus illegal. It follows a similar finding against Bunnings – which has the same parent company, Wesfarmers – a decision under review by the Administrative Review Tribunal.
The rulings, while not carrying massive penalties or legal action – at least at this stage – sound a much larger warning in an era in which our faces and biometrics are being treated like raw data.
Kmart’s stated goal was to stop fraudulent returns and related threats of violence. Kmart says its stores have been experiencing escalating incidents of theft, often accompanied by anti-social behaviour or violence.
“From August 2024 to March 2025 alone, refund-related customer threatening incidents increased by 85 per cent,” Kmart said on Thursday.
“Customer threatening incidents unrelated to refund requests increased by 28 per cent over the same period, demonstrating the heightened risk of the refund task for team members.”
Kmart’s goal, of stopping fraudulent returns, was narrow. But its execution was anything but. What it amounted to was the surveillance of every child, every parent, every person having their biometric signature – a digital replica of their face – recorded without their knowledge, for years.
“The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system,” Commissioner Carly Kind said in her ruling.
“I do not consider that Kmart could have reasonably believed that the benefits of the FRT system proportionately outweighed the impact on individuals’ privacy.”
The rise of retail violence is very real, and threats and physical attacks against staff and customers are on the rise. The fact that retailers like Kmart, Bunnings and The Good Guys would feel the need to enact mass surveillance shows their desperation.
But the fact is, facial recognition technology isn’t just another security camera.
Unlike a CCTV feed, which captures blurry images that may or may not be useful, FRT generates biometric data. That data is unique, unchangeable and highly sensitive. If your password is hacked, you can reset it. If your “faceprint” is hacked, there’s no reset button.
It’s for that reason that the Privacy Act treats biometric data as ‘sensitive information’, which is subject to higher protections than other data.
The commissioner says that new laws may be needed to specifically deal with FRT.
“In the absence of parliamentary intervention to specifically authorise the use of FRT systems without consent, these are the kinds of considerations I will continue to bring to my application of the Privacy Act to these emerging technologies, on a case-by-case basis,” Kind said.
For everyday Australians, the ruling represents a rare victory in the privacy arena. We’re living in an age where our data trails us everywhere: supermarket loyalty cards like Flybuys track our shopping, smartphones log our movements, and smart doorbells monitor our streets. We’re relatively used to that by now, and we’ve collectively accepted the trade-off that our phones and other devices need our data to ably function.
Facial recognition adds another layer, however, one that turns our identities into trackable, storable, and potentially hackable data.
The collection and use of that data without consent is a trade-off that hasn’t yet been accepted.
Until now, one might have assumed that these types of technologies were confined to airports or policing. But as the Kmart and Bunnings cases show, the same tools are quietly creeping into the everyday spaces where we work, socialise and shop.
The lines of what’s acceptable are still being drawn. Some will argue that if you’ve done nothing wrong you’ve got nothing to hide. But the truth is, privacy still matters.
The commissioner’s ruling is a reminder that our faces aren’t loyalty cards, and that companies can’t just indiscriminately hoover up our most sensitive data without our permission.
As the commissioner herself put it: “The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted.”
There are legitimate reasons for businesses to use technologies like FRT. But amid this era of data breaches, cyberattacks and yes, escalating retail violence, we need to find a better balance that works for everyone.