Last week’s ruling in Australia makes the use of facial recognition to fight fraud almost impossible and is the latest example of global regulators’ growing opposition to biometric technology in retail environments.
The Office of the Australian Information Commissioner (OAIC) has determined that Kmart Australia Limited breached the Privacy Act 1988 when it used facial recognition to prevent returns fraud and theft.
Kmart stores in Australia used facial recognition technology to catch fraudsters. Image: Wesfarmers.
Kmart and Bunnings
At issue was Kmart’s pilot program, which placed facial recognition technology (FRT) in 28 of the company’s retail locations from June 2020 to July 2022.
The company created a facial print, if you will, of every shopper entering one of the pilot program’s stores. When a customer returned an item, Kmart’s system compared that person’s facial fingerprint to a list of known thieves and fraudsters.
Kmart argued that the goal of the technology was to thwart return fraud and protect its employees, who were often threatened by thieves. However, biometrics represent a special category of privacy protection in Australia.
The case was similar to the OAIC’s November 2024 decision against home accessories retailer Bunnings for using FRT to identify criminals. Australian conglomerate Wesfarmers Limited owns Kmart Australia, Bunnings and other retail chains, including Target Australia.
FRT Challenges
The OAIC stated that its finding is No ban on FRT, but its terms make the technology difficult, if not impossible, to use.
For example, an Australian retailer would need approval before using FRT, and thieves who steal items to attempt return fraud would almost certainly refuse.
Kmart unveiled the FRT in a sign at the front of each pilot store that read: “This store has 24-hour CCTV coverage that includes facial recognition technology.” However, this notification does not constitute consent under the OAIC.
Asking potential criminals for permission to use facial recognition has the same effect as banning it, given the current state of the technology.
GDPR
The Kmart OAIC’s decision on express consent is consistent with other privacy regulations and directives.
For example, many privacy experts note that Article 9 of the European Union’s General Data Protection Regulation, which deals with the processing of special categories of personal data, requires explicit consent to use FRT.
FTC vs. Rite Aid
In the United States, there are cases of rulings against FRT and the use of biometrics.
In a 2023 ruling, the US Federal Trade Commission banned Rite Aid Pharmacy from using FRT and other automated biometric systems for five years.
The agency alleged that Rite Aid did not take sufficient measures to prevent false positives and algorithmic racial profiling.
Illinois BIPA
The Illinois Biometric Information Privacy Act was passed in 2008 and is perhaps the most stringent biometric privacy law in the country.
BIPA requires businesses to provide written notice of the use of biometric data and obtain written consent from purchasers. The law allows individuals to sue for infringement and has led to many cases against retailers such as:
- A 2022 lawsuit alleges Walmart’s “cameras and advanced video monitoring systems” secretly collect shoppers’ biometric data without notice or consent.
- A March 2024 class-action lawsuit against Target alleges the retailer used FRT to identify shoplifters without proper consent.
- A class-action lawsuit filed in August 2025 alleges that Home Depot illegally uses FRT in its self-service kiosks.
M•A•C cosmetics
From a retail and e-commerce perspective, the BIPA lawsuit may be most concerning Fiza Javid v. MAC Cosmetics Inc. The joint lawsuit, filed in August 2025, is not about crime-fighting, but about virtual trial technology.
The complaint states that M•A•C’s website asks shoppers to upload a photo or enable live video in order to detect someone’s facial structure and skin color. Plaintiff Fiza Javid contends that this feature would require BIPA’s written consent and therefore violates Illinois law.
M•A•C Cosmetics offers tools for virtual testing and skin color identification.
M•A•C’s virtual makeup testing tools enhance the shopper experience and almost certainly improve e-commerce conversion rates.
The merits of the case are pending, but BIPA has already created virtual test cases, including:
- Kukovec v. Estée Lauder Companies, Inc. (2022).
- Theriot v. Louis Vuitton North America, Inc. (2022).
- Gielow v. Pandora Jewelry LLC (2022).
- Shores v. Wella Operations US LLC (2022).
Engagement and enforcement
Artificial intelligence-driven facial recognition and biometric technologies are among the most promising trends in retail and e-commerce.
This technology has the potential to reduce fraud, prevent theft and support criminal prosecution. A 2023 article in the International Security Journal estimated that facial biometrics could reduce shoplifting by 50% to 90%, depending on location and use.
In addition, biometrics can improve online and in-store shopping with virtual try-on tools. Some merchants have reported a 35% increase in sales conversions when virtual shopping is available.
The question is how privacy regulations and ordinances like last week’s Kmart decision ultimately affect its use.