The use of facial recognition technology (FRT) in retail has faced criticism after Australia’s privacy authority ruled against a major retailer for violating consumer rights. The Office of the Australian Information Commissioner (OAIC) found that Kmart Australia unlawfully collected biometric data through facial recognition CCTV systems meant to identify fake returns.
On 18 September, the OAIC announced that Kmart violated the Australian Privacy Act 1988 by not informing customers or getting their consent before collecting biometric data. Facial images, which are considered sensitive personal information, have stronger legal protections under the Act. Between June 2020 and July 2022, the retailer scanned the faces of every person who entered its 28 participating stores.
Kmart claimed that its use of facial recognition fell under an exception in the Privacy Act that allows non-consensual biometric collection to prevent illegal activity or serious misconduct. The OAIC rejected this reasoning, stating that the surveillance was indiscriminate and applied to all shoppers instead of just those suspected of wrongdoing. The OAIC also noted that the system had limited effectiveness in deterring refund fraud and that less invasive options were available. Despite the absence of any financial penalties, the ruling serves as a warning to businesses considering similar technologies.
When it comes to the implications for Australian businesses, the OAIC’s decision follows a similar ruling against Bunnings, another retailer owned by Wesfarmers, in 2023. These cases demonstrate the regulator’s view that, even if businesses prioritise customer safety and fraud prevention, they are still required to comply with privacy laws. Privacy Commissioner Carly Kind emphasised that safety and privacy should coexist. She argued that businesses should incorporate privacy considerations into decision-making when evaluating new technologies.
It is crucial to understand that the Privacy Act does not completely ban facial recognition. Instead, it requires responsible use that respects individual rights. Companies must show necessity, proportionality, and transparency before implementing biometric surveillance systems.
In the United States, there is no federal law regulating FRT. Regulations differ by state, with some areas placing restrictions on biometric data collection. Civil rights advocates, including the U.S. Commission on Civil Rights, have warned that unregulated facial recognition disproportionately affects marginalised communities and may reinforce discrimination.
It can be mentioned that reports from human rights organisations show how facial recognition has been misused in oppressive situations. Reports suggest that Iran has used the technology to monitor women’s adherence to hijab laws. Moreover, in China, it has targeted ethnic minorities, while in Russia, authorities have allegedly leveraged it to suppress political dissent. Furthermore, the ruling against Kmart by the Australian regulator highlights the growing international agreement that, while facial recognition can provide benefits in safety and fraud prevention, its widespread use represents an undue invasion of privacy. Businesses, governments, and regulators must work to balance technological advancement with the protection of fundamental rights. Without clear rules, thorough testing, and a commitment to privacy, facial recognition risks becoming a tool for control rather than security.
