Australia: Information Commissioner found Kmart Australia Limited’s use of facial recognition technology non-compliant with Privacy Act

Description

On 18 September 2025, the Australian Information Commissioner issued a ruling in its investigation into Kmart Australia Limited, confirming that the company had breached the Privacy Act through its use of facial recognition technology (FRT) in 28 retail stores between 22 June 2020 and 15 July 2022. The Information Commissioner found that Kmart unlawfully collected sensitive biometric information without consent, failed to notify customers, and did not maintain a clear and up-to-date privacy policy. Reliance on the “permitted general situation” in Section 16A, item 2 was rejected on the grounds that indiscriminate biometric collection was disproportionate and that less intrusive alternatives were available. Declarations under Section 52(1A) of the Privacy Act required Kmart not to repeat the conduct, to publish an apology and explanatory statement in stores and online for 30 days (with web access for 12 months), to retain all FRT data for 12 months before destruction, and to confirm compliance in writing.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: platform intermediary: other
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2025-08-26
under deliberation

On 26 August 2025, the Australian Information Commissioner initiated an investigation into Kmart Au…

2025-09-18
in force

On 18 September 2025, the Australian Information Commissioner issued a ruling in its investigation …