What happened
Between June 2020 and July 2022, Kmart Australia, owned by Wesfarmers, ran facial recognition technology at the entrances and returns counters of 28 of its stores. The system captured the face of every person who entered, converted each face into a biometric template, and checked it against a database of individuals Kmart associated with refund fraud, the practice of returning stolen or previously refunded goods for cash. The stated purpose was narrow: to catch the small number of people running refund scams. The method was not. To find them, Kmart collected the biometric information of hundreds of thousands of ordinary shoppers who had done nothing wrong and were told nothing. Kmart later said the underlying problem was real, citing an 85 percent rise in refund-related threatening incidents between August 2024 and March 2025.
Under the Privacy Act 1988 (Cth), a facial template is “sensitive information.” The Act’s definition expressly covers biometric templates and biometric information used for automated identification, and sensitive information is given stronger protection than ordinary personal information because of how hard it is to undo once collected: a password can be changed, a face cannot.
On 18 September 2025, the Office of the Australian Information Commissioner, through Privacy Commissioner Carly Kind, determined that Kmart had breached the Act. The central finding was under Australian Privacy Principle 3 (APP 3), which prohibits an organisation from collecting sensitive information unless the individual consents and the collection is reasonably necessary, or a specific exception applies. Kmart had not obtained consent. It argued it did not need consent because it was relying on the section 16A “permitted general situation” exemption, which can allow collection without consent where an organisation reasonably believes it is necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct. The Commissioner rejected that argument, finding the collection indiscriminate, of limited utility, and disproportionate to the refund-fraud risk it was meant to address. The Commissioner also found Kmart had not taken reasonable steps to notify shoppers that their faces were being collected, as Australian Privacy Principle 5 (APP 5) requires, and had not set the practice out properly in its privacy policy.
The Commissioner declared that Kmart must not repeat the conduct and ordered it to publish an apology and a statement about the practice within 30 days. No civil penalty was imposed. Kmart said it was disappointed and was reviewing its options to appeal; the determination is now before the Administrative Review Tribunal.
The Kmart determination did not arrive alone. It followed the Commissioner’s October 2024 determination against Bunnings, also a Wesfarmers business and also now under review in the Tribunal, and earlier investigations into 7-Eleven and Clearview AI. Read together, they mark a clear regulatory line: a legitimate problem, retail theft, does not license the mass collection of a population’s biometric data, and the question a business must answer is not “did this help us catch offenders” but “for each face we captured, what was the lawful basis, and was it proportionate.”
What an auditable version would have shown
The defence in a case like this is operational: the technology worked, it caught real fraud, the intent was legitimate. None of that is what the law asks. APP 3 asks, for each person whose biometric template was generated, whether the collection was authorised by consent or by a genuine exception, whether it was reasonably necessary, and whether it was proportionate to the purpose.
For a small, defined watch-list, that record is easy to keep. For a system that scans everyone at the door, the record condemns the practice by its own arithmetic. To match a few hundred suspected fraudsters, Kmart’s system first captured and templated every other face it saw. An auditable log of those captures would show, in a single column, hundreds of thousands of biometric collections for which the answer to “consent or applicable exemption?” is blank and the answer to “reasonably necessary and proportionate?” is no. That log does not exculpate the practice; it is the practice, written down, and written down it is plainly disproportionate, which is what the Commissioner found.
This is the uncomfortable property of biometric surveillance: the record that would prove responsible use is the same record that proves the opposite. An organisation confident in its lawful basis can produce it on demand. An organisation that captured a population to find a handful cannot, because no per-person basis ever existed.
Where the gap was
The gap was not the matching technology, which did what it was sold to do. The gap was the absence of a check, at the point of capture, that asked whether this particular collection was lawful before it happened.
Refund fraud is a real cost. The lawful ways to address it with biometrics are narrow. For a retailer, which is not an enforcement body, collecting a biometric template lawfully generally requires the individual’s genuine consent together with reasonable necessity, or that the collection squarely fits an exception such as section 16A, applied to a specific person already suspected on reasonable grounds and proportionate even then. Notice under APP 5 and a retention limit under Australian Privacy Principle 11 (APP 11) are additional obligations, not substitutes for a lawful basis. Mass capture at the door satisfies none of this. It inverts the proportionality test: rather than collecting the minimum needed for a defined purpose, it collects the maximum and then searches it.
What was missing was a gate between “the camera sees a face” and “the system stores a biometric template,” a gate that refused the collection unless a lawful basis for that specific person existed. With no such gate, the default was capture-everyone, and the lawful-basis question went unasked until the regulator asked it, three years and hundreds of thousands of faces later.
What governance should have looked like
For a retailer, the honest starting point is that facial recognition on ordinary shoppers is very hard to make lawful, and the safest course is usually not to collect biometric data at all. Refund fraud can be pursued with transaction records, receipts, and trained staff, none of which collect sensitive information. The OAIC’s determinations against Kmart and Bunnings point the same way.
Where an organisation does collect sensitive information, APP 3 has to be satisfied at the moment of collection, not in a privacy policy read after the fact. A ConstraintGate placed in front of the capture step encodes that. It refuses to store a biometric template unless a lawful basis exists for this specific person: consent that is genuinely voluntary and informed, or a documented exception such as section 16A, together with a specified purpose, a recorded proportionality assessment, and a retention limit under APP 11. Consent extracted under pressure, for instance as a condition of processing a disputed refund, is unlikely to be valid, so it cannot be the workaround that makes mass capture lawful. When a face is seen with no lawful basis, as it would be for an anonymous shopper, the gate refuses the capture and a ConductRecord logs the refusal rather than the biometric.
Run that way, the record a regulator asks for is short, specific, and defensible, and in most retail settings it is close to empty because no lawful collection was warranted. Run the way Kmart ran it, the record is a list of hundreds of thousands of people whose faces were taken to find a few, with the lawful-basis column blank all the way down. That list is not a defence. It is the finding.
The reference implementation of ConstraintGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. Anyone can read every line and verify the signatures. The repository is public now.
Sources
- Kmart’s use of facial recognition to tackle refund fraud unlawful, Privacy Commissioner finds (OAIC)
- Kmart facial recognition broke privacy laws, regulator finds (Information Age, ACS)
- OAIC determines Kmart breached the Privacy Act 1988 (Cth) over use of facial recognition technology (Bird & Bird)
- Key learnings from the OAIC’s determination on Kmart’s use of facial recognition (Maddocks)