F

Kmart Australia

Fail
Kmart Australia · 🇦🇺 Australia
Technical details
Manufacturer: Kmart Australia (Wesfarmers)

⚠️ The bottom line

Every person who walked into 28 Kmart stores had their face scanned. Not suspected shoplifters. Not known fraudsters. Everyone. Children. Elderly. People buying socks. The OAIC found it breached the Privacy Act — the collection was disproportionate to the fraud risk. Kmart scanned millions of faces to catch a handful of people returning stolen items. They were ordered to apologise. Bunnings did the same thing and got the same finding. Two of Australia's biggest retailers decided that catching a few fraudsters justified building a facial recognition database of millions of innocent shoppers. The regulator disagreed. The apology was the punishment. You walked into Kmart to buy towels. Kmart scanned your face and ran it against a surveillance database. 28 stores. Every customer. To catch a handful of refund fraudsters at a company with $7 billion in revenue. The Privacy Commissioner called it disproportionate and ordered a public apology. Your face, in a database, for twelve-dollar towels.

Legal jurisdiction
🇦🇺 Australia (headquarters)
Assistance and Access Act: Govt can force companies to build backdoors in encryption — and gag them from telling you
Metadata Retention: ISPs and telcos must store 2 years of your connection data for law enforcement
Spying: 4/4 EXTREME · Is someone spying on me? · Kids at risk
Data Sharing: 0/4 N/A · Who gets my data?
Security: 3/4 HIGH · Is it actually secure? · Kids at risk
Honesty: 1/4 LOW · Can I trust what they say?
REPLACE: Extreme risk. Look for alternatives or lock down hard.
3 Contradictions · 2 Critical · 1 High · 0 Medium · 2 Sources
Findings by concern
Spying 4/4 EXTREME 3 findings
⚠️ critical · policy claim vs regulatory finding
Every person who walked into 28 Kmart stores had their face scanned. Not suspected shoplifters. Not known fraudsters. Everyone. Children. Elderly. People buying socks. The OAIC found it breached the Privacy Act — the collection was disproportionate to the fraud risk. Kmart scanned millions of faces to catch a handful of people returning stolen items. They were ordered to apologise. Bunnings did the same thing and got the same finding. Two of Australia's biggest retailers decided that catching a few fraudsters justified building a facial recognition database of millions of innocent shoppers. The regulator disagreed. The apology was the punishment.

What they claim: Kmart stated its facial recognition system was used to combat refund fraud in stores.

What we found: In September 2025, the OAIC found Kmart breached the Privacy Act by using facial recognition technology in 28 stores between June 2020 and July 2022. The system captured the face of every person who entered these stores — not just suspected fraudsters. The Privacy Commissioner found the collection was disproportionate to the fraud risk: scanning the faces of millions of innocent shoppers to catch a small number of fraudsters. Kmart was ordered to publish an apology. The technology captured children, elderly people, and anyone who walked through the door — none of whom were suspected of anything. To stop a few people stealing, Kmart scanned millions of faces.

⚠️ critical · marketing vs regulatory
You walked into Kmart to buy towels. Kmart scanned your face and ran it against a surveillance database. 28 stores. Every customer. To catch a handful of refund fraudsters at a company with $7 billion in revenue. The Privacy Commissioner called it disproportionate and ordered a public apology. Your face, in a database, for twelve-dollar towels.

What they claim: Kmart Australia operates as an affordable family retailer.

What we found: The Privacy Commissioner found Kmart breached the Privacy Act by using facial recognition in 28 stores from 2020 to 2022. Every person entering those stores had their face captured and compared against a watchlist to combat refund fraud. The Commissioner called it "disproportionate" and ordered Kmart to publish a public apology and destroy all biometric data. You went to buy $12 towels. Kmart ran your face through a surveillance database.

⚡ high · marketing claim vs regulatory finding
Three Australian retailers — Kmart, Bunnings, The Good Guys — were all scanning faces at the same time. This wasn't one rogue store manager. It was an industry decision. During COVID, when your shopping options were limited, these stores scanned your face every time you walked in. The OAIC caught them. Kmart was ordered to apologise. Bunnings is appealing. The punishment for scanning millions of faces without consent was: write a sorry note on your website. An apology. For biometric surveillance. That's the enforcement gap.

What they claim: Kmart positions itself as an affordable, family-friendly retailer.

What we found: Kmart's facial recognition wasn't an isolated decision. Bunnings (also Wesfarmers-owned) deployed the same technology and received the same OAIC finding in October 2024 — Bunnings is appealing. The Good Guys also used facial recognition. Three of Australia's largest retailers simultaneously decided to scan every customer's face. The OAIC found Kmart scanned faces between June 2020 and July 2022 — during COVID, when people had no choice about which stores were open. Kmart was ordered to apologise. The penalty for scanning millions of faces without consent: publish a statement on your website.

Sources