Retail giant Kmart has been pinged for breaching shoppers’ privacy by scanning the faces of unwitting customers returning products at dozens of its stores.

Privacy Commissioner Carly Kind found the company in breach after it collected people’s personal and sensitive information through a facial-recognition technology system designed to tackle refund fraud.

Between June 2020 and July 2022, Kmart used the technology at 28 of its stores to capture every person who lined up at a returns counter.

“Relevant to a technology like facial recognition, is also the public interest in protecting privacy,” the commissioner said on Thursday.

“I do not consider that [Kmart] could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy.”

Kmart argued that it was not required to obtain customer consent because of an exemption in the Privacy Act that allowed for information to be collected to tackle unlawful activity or serious misconduct.

But after a three-year investigation, Kind found sensitive biometric information of every individual who entered a store was “indiscriminately collected” by the facial-recognition system.

She said other, less-intrusive methods were available to Kmart to address refund fraud.

The volumes of biometric data collected on thousands of individuals without their knowledge showed “a disproportionate interference with privacy”, Kind said.

Kmart has been ordered not to use the facial-recognition technology again. It will also have to publish an apology to customers in stores and on its website within 30 days.

Digital Rights Watch commended the landmark determination for putting businesses on notice.

It called facial surveillance a “shady practice”.

“This isn’t the first time a large retailer has been caught playing fast and loose with Australians’ privacy,” head of policy Tom Sulston said.

“We need to be able to go to the shops without having our biometric information collected by big corporations.”

Consumer group Choice said it was “pleased” by the ruling.

“Biometric data collected through facial recognition technology, such as that used by Kmart, captures each person’s unique facial features, known as a faceprint – similar to having your fingerprints or DNA taken every time you shop,” Choice investigative journalist Jarni Blakkarly said.

“While you can easily change your email address if it’s involved in a data breach, you can’t get a new face – so consumers shouldn’t have to take that risk every time they buy clothes or household items.”

She said Australia’s privacy laws were confusing and difficult to enforce.

“While today’s Office of the Australian Information Commissioner determination sends a clear warning to other businesses who may be considering using facial recognition technology, what we really need are stronger, fit-for-purpose laws to hold businesses accountable as soon as they breach customer privacy,” she said.

“Without proper and clear regulation of facial recognition technology, there will continue to be the potential for harm through breaches of people’s privacy and sensitive, personal information.”

Signs at Kmart entries had warned it was using facial recognition technology. Photo: Choice

The Wesfarmers-owned company said it was disappointed with the decision about its “limited trial” of facial-recognition technology and it was reviewing appeal options.

Controls to protect customers’ privacy had been put in place during the scheme, it said in a statement.

“Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud,” Kmart said.

The determination is the second issued by the OAIC on use of facial recognition in retail settings.

Last October, Wesfarmers-owned hardware chain Bunnings was found to have contravened the privacy of its shoppers across 62 of its stores.

It is also appealing the finding, with managing director Michael Schneider urging for changes to Australia’s privacy laws to allow the use of FRT to reduce shoplifting and protect staff.

In a submission to a Productivity Commission review in July, Schneider said the tech could be used safely, responsibly and ethically.

“These technologies are essential to protecting team members and customers from rising incidents of violent and threatening behaviour across the retail sector, and other losses that come from retail crime,” he said.

-with AAP