90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-021
Retail & hospitality · Australia · 2025 · Biometric surveillance

Kmart scanned the face of everyone who walked into 28 stores to catch refund fraud, and the privacy regulator ruled it unlawful

By Ellie Harris · Filed June 2020 to July 2022

Alleged: Kmart Australia (Wesfarmers) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

Kmart scanned the face of everyone who walked into 28 stores to catch refund fraud, and the privacy regulator ruled it unlawful

What happened

Between June 2020 and July 2022, Kmart Australia, owned by Wesfarmers, ran facial recognition technology at the entrances and returns counters of 28 of its stores. The system captured the face of every person who entered, converted each face into a biometric template, and checked it against a database of individuals Kmart associated with refund fraud, the practice of returning stolen or previously refunded goods for cash. The stated purpose was narrow: to catch the small number of people running refund scams. The method was not. To find them, Kmart collected the biometric information of hundreds of thousands of ordinary shoppers who had done nothing wrong and were told nothing. Kmart later said the underlying problem was real, citing an 85 percent rise in refund-related threatening incidents between August 2024 and March 2025.

Under the Privacy Act 1988 (Cth), a facial template is “sensitive information.” The Act’s definition expressly covers biometric templates and biometric information used for automated identification, and sensitive information is given stronger protection than ordinary personal information because of how hard it is to undo once collected: a password can be changed, a face cannot.

On 18 September 2025, the Office of the Australian Information Commissioner, through Privacy Commissioner Carly Kind, determined that Kmart had breached the Act. The central finding was under Australian Privacy Principle 3 (APP 3), which prohibits an organisation from collecting sensitive information unless the individual consents and the collection is reasonably necessary, or a specific exception applies. Kmart had not obtained consent. It argued it did not need consent because it was relying on the section 16A “permitted general situation” exemption, which can allow collection without consent where an organisation reasonably believes it is necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct. The Commissioner rejected that argument, finding the collection indiscriminate, of limited utility, and disproportionate to the refund-fraud risk it was meant to address. The Commissioner also found Kmart had not taken reasonable steps to notify shoppers that their faces were being collected, as Australian Privacy Principle 5 (APP 5) requires, and had not set the practice out properly in its privacy policy.

The Commissioner declared that Kmart must not repeat the conduct and ordered it to publish an apology and a statement about the practice within 30 days. No civil penalty was imposed. Kmart said it was disappointed and was reviewing its options to appeal; the determination is now before the Administrative Review Tribunal.

The Kmart determination did not arrive alone. It followed the Commissioner’s October 2024 determination against Bunnings, also a Wesfarmers business and also now under review in the Tribunal, and earlier investigations into 7-Eleven and Clearview AI. Read together, they mark a clear regulatory line: a legitimate problem, retail theft, does not license the mass collection of a population’s biometric data, and the question a business must answer is not “did this help us catch offenders” but “for each face we captured, what was the lawful basis, and was it proportionate.”

What an auditable version would have shown

The defence in a case like this is operational: the technology worked, it caught real fraud, the intent was legitimate. None of that is what the law asks. APP 3 asks, for each person whose biometric template was generated, whether the collection was authorised by consent or by a genuine exception, whether it was reasonably necessary, and whether it was proportionate to the purpose.

For a small, defined watch-list, that record is easy to keep. For a system that scans everyone at the door, the record condemns the practice by its own arithmetic. To match a few hundred suspected fraudsters, Kmart’s system first captured and templated every other face it saw. An auditable log of those captures would show, in a single column, hundreds of thousands of biometric collections for which the answer to “consent or applicable exemption?” is blank and the answer to “reasonably necessary and proportionate?” is no. That log does not exculpate the practice; it is the practice, written down, and written down it is plainly disproportionate, which is what the Commissioner found.

This is the uncomfortable property of biometric surveillance: the record that would prove responsible use is the same record that proves the opposite. An organisation confident in its lawful basis can produce it on demand. An organisation that captured a population to find a handful cannot, because no per-person basis ever existed.

Where the gap was

The gap was not the matching technology, which did what it was sold to do. The gap was the absence of a check, at the point of capture, that asked whether this particular collection was lawful before it happened.

Refund fraud is a real cost. The lawful ways to address it with biometrics are narrow. For a retailer, which is not an enforcement body, collecting a biometric template lawfully generally requires the individual’s genuine consent together with reasonable necessity, or that the collection squarely fits an exception such as section 16A, applied to a specific person already suspected on reasonable grounds and proportionate even then. Notice under APP 5 and a retention limit under Australian Privacy Principle 11 (APP 11) are additional obligations, not substitutes for a lawful basis. Mass capture at the door satisfies none of this. It inverts the proportionality test: rather than collecting the minimum needed for a defined purpose, it collects the maximum and then searches it.

What was missing was a gate between “the camera sees a face” and “the system stores a biometric template,” a gate that refused the collection unless a lawful basis for that specific person existed. With no such gate, the default was capture-everyone, and the lawful-basis question went unasked until the regulator asked it, three years and hundreds of thousands of faces later.

What governance should have looked like

For a retailer, the honest starting point is that facial recognition on ordinary shoppers is very hard to make lawful, and the safest course is usually not to collect biometric data at all. Refund fraud can be pursued with transaction records, receipts, and trained staff, none of which collect sensitive information. The OAIC’s determinations against Kmart and Bunnings point the same way.

Where an organisation does collect sensitive information, APP 3 has to be satisfied at the moment of collection, not in a privacy policy read after the fact. A ConstraintGate placed in front of the capture step encodes that. It refuses to store a biometric template unless a lawful basis exists for this specific person: consent that is genuinely voluntary and informed, or a documented exception such as section 16A, together with a specified purpose, a recorded proportionality assessment, and a retention limit under APP 11. Consent extracted under pressure, for instance as a condition of processing a disputed refund, is unlikely to be valid, so it cannot be the workaround that makes mass capture lawful. When a face is seen with no lawful basis, as it would be for an anonymous shopper, the gate refuses the capture and a ConductRecord logs the refusal rather than the biometric.

Run that way, the record a regulator asks for is short, specific, and defensible, and in most retail settings it is close to empty because no lawful collection was warranted. Run the way Kmart ran it, the record is a list of hundreds of thousands of people whose faces were taken to find a few, with the lawful-basis column blank all the way down. That list is not a defence. It is the finding.

The reference implementation of ConstraintGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. Anyone can read every line and verify the signatures. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Kmart Australia (Wesfarmers) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →