Compliance Updates

OAIC Finds Kmart’s In-Store Facial Recognition Technology Breaches Australian Privacy Act

The Office of the Australian Information Commissioner (OAIC) has handed down its second major ruling on facial recognition technology (FRT) in Australian retail, finding that Kmart Australia breached the Privacy Act 1988 (Cth) through its use of FRT across 28 stores between June 2020 and July 2022. This determination follows the October 2024 ruling against Bunnings and sends a consistent, strengthening signal to any organisation — including those in facilities management, building operations, and electronic security — that biometric data collection must clear a high legal and procedural bar before deployment.

What Kmart Did and Why the OAIC Rejected It

Kmart deployed FRT at in-store returns counters to detect customers who had previously engaged in refund fraud or theft. Every customer presenting at those counters had their facial image captured and matched against a historical database. When a match was identified, staff could refuse the refund.

Kmart’s legal defence rested on a “permitted general situation” exemption under section 16 of the Privacy Act — specifically, that it had reason to suspect unlawful activity and reasonably believed FRT was necessary to address it. If that exemption held, consent would not have been required to collect biometric information.

The Commissioner rejected this argument on several grounds:

  • Consent was required and not obtained. The exemption was incorrectly applied. The Commissioner found the fraud problem was proportionally small relative to Kmart’s scale of operations, and that less privacy-intrusive alternatives existed — including repositioning the returns counter outside the store footprint or using RFID tagging for high-risk goods.
  • Notification was inadequate. Kmart displayed a Conditions of Entry notice referencing FRT as part of “24-hour CCTV coverage” and a Privacy Poster at some entry points, with a privacy policy on its website. The Commissioner found these measures failed to communicate the specific facts of collection, the purpose, the consequences of not providing information, and how individuals could seek access or corrections.
  • Privacy policies were insufficiently transparent. Three versions of Kmart’s privacy policy were in force during the FRT operation. None adequately disclosed that facial image collection also generated additional biometric metadata; the Commissioner found they did not disclose this even in generic terms.

What the OAIC Has Ordered

The OAIC’s declarations against Kmart include:

  • A prohibition on repeating the conduct (noting Kmart had already ceased FRT operations in July 2022 when the investigation began).
  • Within 30 days of the determination — by 18 October 2025 — Kmart must publish a public apology on its website and in affected stores, and a detailed public statement explaining its FRT use, the breach, and how affected individuals can seek further information or lodge complaints. This statement must remain publicly available for at least 12 months.
  • All personal and sensitive information collected through the FRT system must be retained for 12 months following publication of the statement, then destroyed.

Privacy Commissioner Carly Kind has stated publicly that these successive determinations do not constitute an effective ban on FRT in Australia — the Privacy Act is technology-neutral. Rather, the Bunnings and Kmart cases are intended to clarify the threshold for exemptions and set expectations for transparency and consent, which she described as “a high bar that must be cleared, and for good reason.”

Operational Implications for Building Owners and Facilities Managers

These rulings are directly relevant to anyone operating or considering biometric-capable systems in Australian commercial, retail, strata, or venue environments. Modern IP cameras from a range of manufacturers include built-in or licensable facial recognition, people-counting, and biometric analytics capabilities — features that may be active by default or enabled as part of a broader video management platform deployment. The OAIC’s position makes clear that:

  • Biometric data is sensitive information under the Privacy Act. Facial recognition systems that generate faceprints or biometric templates — as distinct from ordinary CCTV footage — collect sensitive information and trigger heightened obligations.
  • Operational convenience or fraud prevention intent does not automatically justify collection. The proportionality of the threat, the availability of less intrusive alternatives, and the necessity of the specific technology will all be weighed by a regulator.
  • Signage and privacy policies must be specific, not generic. References to “CCTV” in entry notices will not cover FRT. If biometric analytics are running, that fact, its purpose, and the rights of individuals must be clearly and specifically communicated.
  • System configuration must be documented and auditable. Knowing which analytics features are enabled on installed cameras and VMS platforms, and having clear records of when those features were active, is essential to any future regulatory response.

Mallen’s Take

For facilities managers and building owners who have engaged Mallen Services to design, install, or maintain CCTV and access control systems, now is the right time to audit what analytics capabilities are active across your installed camera estate and video management platforms. Facial recognition features in enterprise VMS and smart camera firmware are not always installed or enabled deliberately — they can be bundled into platforms and turned on as part of broader upgrades.

If your organisation is operating or considering biometric-capable systems for loss prevention, access control, or occupancy analytics, a privacy impact assessment conducted before deployment — not during an OAIC investigation — is the correct order of operations. The Kmart and Bunnings decisions together establish that the regulator will scrutinise both the technical implementation and the surrounding governance framework: consent processes, notification signage, privacy policy language, and data retention controls.
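The audit described above (which analytics are enabled on each camera, since when, and whether the governance records sit alongside them) is easy to make repeatable once the inventory is in a structured form. The following is an added example, not code from Mallen Services, the OAIC or any VMS vendor: it assumes a constructed inventory export with hypothetical field names (`features`, `feature_enabled_since`, `pia_completed`, `signage_text`, `retention_days`) and flags every device running a biometric feature that lacks an activation date, a privacy impact assessment, specific signage, or a retention period. Real exports will need a mapping step from the vendor's own field names to these.

```python
"""Audit a camera/VMS inventory for biometric analytics and the records
that must accompany them. Added example with a constructed inventory;
the field names are assumptions, not any vendor's export format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Analytics that produce a faceprint or biometric template (sensitive
# information under the Privacy Act), as distinct from ordinary video
# analytics such as people counting or motion detection.
BIOMETRIC_FEATURES = {"face_recognition", "face_matching", "face_search"}

# Signage must name the technology; a generic "CCTV" notice does not.
SPECIFIC_SIGNAGE_TERMS = ("facial recognition", "biometric")


@dataclass
class Device:
    device_id: str
    site: str
    features: Dict[str, bool]                     # feature name -> enabled
    feature_enabled_since: Dict[str, str] = field(default_factory=dict)  # ISO date
    pia_completed: bool = False                   # privacy impact assessment on file
    signage_text: str = ""                        # entry notice wording at this site
    retention_days: Optional[int] = None          # documented retention for biometric data


def biometric_features(device: Device) -> List[str]:
    """Biometric analytics currently switched on for this device."""
    return sorted(f for f, on in device.features.items()
                  if on and f in BIOMETRIC_FEATURES)


def audit_device(device: Device) -> List[str]:
    """Return governance findings for one device; empty list means nothing to raise."""
    findings: List[str] = []
    active = biometric_features(device)
    if not active:
        return findings  # ordinary CCTV analytics only
    for feat in active:
        if feat not in device.feature_enabled_since:
            findings.append(f"{device.device_id}: {feat} enabled but no activation date recorded")
    if not device.pia_completed:
        findings.append(f"{device.device_id}: {', '.join(active)} active without a privacy impact assessment")
    if not any(term in device.signage_text.lower() for term in SPECIFIC_SIGNAGE_TERMS):
        findings.append(f"{device.device_id}: entry signage does not specifically disclose facial recognition")
    if device.retention_days is None:
        findings.append(f"{device.device_id}: no retention period defined for biometric data")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device id to its findings."""
    return {d.device_id: audit_device(d) for d in devices}


def devices_needing_attention(results: Dict[str, List[str]]) -> List[str]:
    """Device ids with at least one finding, sorted for the report."""
    return sorted(dev for dev, found in results.items() if found)


# Constructed inventory (not real sites or devices).
INVENTORY = [
    Device("CAM-01", "Site A (constructed)",
           features={"face_recognition": True, "people_counting": True},
           feature_enabled_since={"face_recognition": "2024-03-01"},
           pia_completed=False,
           signage_text="24-hour CCTV coverage in operation",
           retention_days=None),
    Device("CAM-02", "Site A (constructed)",
           features={"people_counting": True, "motion_detection": True}),
    Device("CAM-03", "Site B (constructed)",
           features={"face_search": True},
           feature_enabled_since={},   # feature on, but nobody recorded when
           pia_completed=True,
           signage_text="Facial recognition technology is in use at this entrance",
           retention_days=30),
]

if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for dev in devices_needing_attention(results):
        for line in results[dev]:
            print(line)
```

Running it prints three findings for CAM-01 (no PIA, generic signage, no retention period) and one for CAM-03 (missing activation date); CAM-02 runs no biometric analytics and produces none. The activation-date check is the one most often missed in practice, and it is exactly the record a regulator will ask for when reconstructing how long collection ran.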

Contact Mallen Services if you would like to review the analytics capabilities active on your current system, or if you are scoping a new deployment that may involve biometric or behavioural analytics.

Original source: https://privacymatters.dlapiper.com/2025/09/australia-facial-recognition-technology-continues-to-breach-australian-privacy-act/