Kmart’s Shady Secret Exposed: Retail Giant Broke Privacy Laws by Using Facial Recognition Technology on Unsuspecting Customers
- Kmart captured the facial data of “tens or hundreds of thousands” of customers without their consent
- Privacy commissioner finds Kmart’s use of facial recognition technology was “disproportionate” and breached privacy laws
- Kmart ordered to publish a statement on its website explaining its use of facial recognition technology and the regulator’s finding against it
**Carly Kind**, Australia’s privacy commissioner, has revealed that Kmart broke privacy laws by using facial recognition technology on its customers. The retail giant captured the facial data of **”tens or hundreds of thousands”** of customers at store entrances and return counters over a two-year period, sparking widespread concern about the potential misuse of personal information.
In a shocking development, **Ms Kind** found that Kmart’s use of facial recognition technology was “disproportionate” and breached privacy laws. The company had argued that it was exempt from obtaining consent due to an exemption in the Privacy Act, but **Ms Kind** rejected this argument, citing that Kmart could have taken more effective and proportionate security measures to prevent refund fraud.
The investigation, which began in July 2022, revealed that Kmart’s use of facial recognition technology was partially suitable at best in preventing fraud, with the number of fraudulent incidents detected being small and minimal compared to the company’s annual revenue of $9.2 billion in the 2020 financial year.
**Ms Kind** warned that the potential harms arising from the use of facial recognition technology are significant, including the risk of commercial surveillance, discrimination, and unlawful or arbitrary arrest. She emphasized that customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have for considering the deployment of new technologies.
However, **Ms Kind** stressed that these reasons do not provide a free pass to avoid compliance with the Privacy Act. “The sensitive information of every customer who entered a relevant store was indiscriminately collected by the FRT system,” she said.
Kmart has been ordered not to repeat the practice in the future and will have to publish a statement on its website within 30 days explaining its use of facial recognition technology and the regulator’s finding against it. The company has expressed disappointment with the decision and is reviewing its options for appeal.
In a statement, Kmart said it was committed to finding tools to reduce crime in its stores, ensuring team member and customer safety. However, the company’s actions have raised concerns about the potential misuse of personal information and the importance of protecting customer privacy.
As the debate surrounding facial recognition technology continues to grow, **Ms Kind**’s finding serves as a stark reminder of the need for businesses to prioritize customer privacy and comply with privacy laws.