
Facial recognition in retail: Privacy lessons from the Kmart decision

28 September 2025

4 min read

#Data & Privacy

Published by:


The Privacy Commissioner has handed down her decision following an investigation into Kmart’s use of facial recognition technology (FRT), finding that the retailer collected sensitive biometric data from store visitors without adequate consent. The decision follows an earlier investigation into Bunnings, also part of the Wesfarmers stable, concerning its use of FRT.

Between June 2020 and July 2022, Kmart trialled FRT in 28 stores in an attempt to identify those committing refund fraud. The Commissioner found that:

  • Kmart did not have adequate consent from visitors to collect their personal and sensitive information, including biometric facial images
  • without the required consent, no applicable exception to the collection and use of the information applied under the Privacy Act
  • Kmart failed to take reasonable steps to notify visitors, or to ensure they were aware, of the matters required to be notified under Australian Privacy Principle (APP) 5, including because it did not display notices at all stores throughout the relevant period and the notices it did display were considered insufficient
  • Kmart’s privacy policies did not include information about the types of personal information being collected and how it was collected and held, which is a requirement under APP 1.

A shopping list for privacy compliance

The Commissioner’s decision provides valuable guidance for retailers using FRT or other equivalent technologies on their premises, including:

  • assess potential privacy risks – in this case, the large number of individuals affected, the sensitivity of the information, the company’s size and resources, the relative novelty of the technology and the practical ability to engage with visitors at entry and the returns counter all weighed in favour of Kmart needing to notify individuals more prominently under APP 5.2
  • store entry notices are not sufficient on their own – although Kmart displayed a sign stating: ‘This store has 24-hour CCTV coverage, which includes facial recognition technology’, at the entrance of some stores, the Commissioner found this alone was not sufficient and the retailer should have also alerted visitors to the following:
    • the purpose of collecting individuals’ personal information, which was to detect and prevent fraudulent refunds
    • the consequences for an individual if all or some of their personal information was not collected, for example if they did not want their information to be collected, they would have to refrain from entering the store
    • that Kmart’s privacy policy contained information about how individuals could access the personal information held about them and request corrections where necessary.
  • collection notices should be displayed appropriately – notices should be displayed throughout the relevant period, in a prominent and accessible format, and provide clear directions to more detailed information about Kmart’s use of the FRT system
  • obtain consent when collecting sensitive information – this case shows that retailers must ensure individuals provide consent by implementing measures like the above before using technology like FRT to collect biometric information
  • be transparent – retailers must clearly disclose the types of personal information they collect and hold, as required by APP 1.4(a). The Commissioner noted that although Kmart updated its privacy policy to specify some of the personal information collected by the FRT system, it did not inform individuals that the collection would generate additional information, such as metadata, which constitutes an individual’s biometric information and is therefore sensitive data.

Using FRT to prevent unlawful activity does not remove the need for consent

While Kmart argued that consent was not required because its use of the information was reasonably necessary to protect against unlawful activity or misconduct of a serious nature, the Commissioner disagreed.

The Commissioner accepted the evidence provided by Kmart’s former Head of Central Operations, who at the time of adopting the FRT system believed it was necessary to take appropriate action to address refund fraud.

However, to be reasonably necessary:

  • the FRT system needed to suitably address the prevention and detection of refund fraud. At best, the Commissioner found that it only partially addressed these aims
  • there needed to be no effective, less privacy-intrusive alternatives available, or such alternatives needed to have been considered ineffective or not viable in project planning documents or a privacy impact assessment
  • the use of the FRT system needed to be proportionate, which involves balancing the privacy impacts of collecting sensitive information against the benefits gained from using the FRT system. In Kmart’s case, the privacy impacts were considered significant given the system captured and processed the facial images of every individual who entered a relevant store during the relevant period, and the images were sensitive information. The potential harms from the use of FRT were also considered significant, and included the risk of commercial surveillance, discrimination, unlawful and arbitrary arrest and inequality before the law.

With growing media attention on retail fraud, the case for FRT may be gaining traction. If Kmart or other retailers seek to reintroduce FRT, these recent decisions provide helpful guidance on how to balance privacy risks while complying with the Privacy Act.

The Privacy Commissioner’s decision can be accessed here.

If you have any questions about implementing FRT in your business or need assistance with reviewing your privacy policies, please contact us.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future. 
