‘Shady practice’: Kmart face-scanning breaches privacy

Farid Farid |

Kmart used technology at 28 of its stores to capture every person who lined up at a returns counter.
Kmart used technology at 28 of its stores to capture every person who lined up at a returns counter.

Retail giant Kmart has been called out for “playing fast and loose” with customers’ privacy by scanning the faces of unwitting shoppers at dozens of stores.

Privacy Commissioner Carly Kind found the company in breach after it collected people’s personal and sensitive information through a facial-recognition technology (FRT) system designed to tackle refund fraud.

Between June 2020 and July 2022, Kmart used the technology at 28 stores to capture every person who entered and again when they lined up at a returns counter.

The pilot program included stores within all Australian states and territories, except the Northern Territory and Tasmania.

“Relevant to a technology like facial recognition is also the public interest in protecting privacy,” the commissioner said on Thursday.

“I do not consider that (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy.”

Kmart, which has millions of Australian shoppers every month, argued it was not required to obtain customer consent because of an exemption in the Privacy Act that allowed for information to be collected to tackle unlawful activity or serious misconduct.

But after a three-year investigation, the commissioner found the facial-recognition system “indiscriminately collected” sensitive biometric information of every individual who entered a store.

Pedestrians walks past an advertisement (file image)
Kmart used facial-recognition technology to capture every person who entered 28 stores. (Mick Tsikas/AAP PHOTOS)

Ms Kind said other, less-intrusive methods were available to Kmart to address refund fraud.

The volumes of biometric data collected on thousands of individuals without their knowledge showed “a disproportionate interference with privacy”, the commissioner said.

Roy Morgan in 2019 found one-in-five Australians shopping for home products went to Kmart, underlining its huge customer base across more than 300 stores.

Digital Rights Watch commended the landmark determination for putting businesses on notice.

It called facial surveillance a “shady practice”.

Security cameras (file image)
People should be able to shop without having biometric information collected, privacy advocates say. (Lukas Coch/AAP PHOTOS)

“This isn’t the first time a large retailer has been caught playing fast and loose with Australians’ privacy,” head of policy Tom Sulston said.

“We need to be able to go to the shops without having our biometric information collected by big corporations.”

Kmart has been ordered not to use the facial-recognition technology again and will have to publish an apology to customers in stores and on its website within 30 days.

The Wesfarmers-owned company said it was disappointed with the decision about its “limited trial” of the technology and was reviewing appeal options.

Controls to protect customers’ privacy had been put in place during the scheme, which aimed to tackle a growing problem of refund fraud, it said in a statement.

KMART STOCK
The information of every individual who entered a store was “indiscriminately collected”. (Bianca De Marchi/AAP PHOTOS)

“Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud,” Kmart said.

The company said it paused the trial when the privacy commissioner began the investigation.

The determination is the second issued by the Office of the Australian Information Commissioner on the use of facial recognition in retail settings.

In October, Wesfarmers-owned hardware chain Bunnings was found to have contravened the privacy of shoppers across 62 stores. It is also appealing the finding.

AAP