Kmart and Bunnings Are Tracking Customers With Facial Recognition

For the most part, customers are having their biometric data captured without their knowledge or consent.
Facial recognition surveillance hardware
Photo by Qilai Shen / Bloomberg via Getty Images

Some of Australia’s most trusted department stores have been using facial recognition on customers without their knowledge, a consumer investigation has found. Now, privacy experts say the retailers could find themselves in breach of the privacy act.

The findings come as a result of an investigation conducted by the Australian consumer group, Choice, which found that Kmart, Bunnings, and even The Good Guys are among a crop of local retailers that have been actively capturing and storing customer “faceprints”—a person’s unique biometric facial identifiers—as they shop. 


For the most part, customers are having their biometric data captured without their knowledge or consent, as privacy policies are often buried deep on retailer websites, or couched in the fine print of small posters scattered by store entrances. Kate Bower, a consumer data advocate at Choice, said it’s likely “no one is reading a privacy policy” before walking into a store. 

The consumer group conducted a survey that returned a similar sentiment. After canvassing more than 1,000 Australians across the country, Choice found that 76 percent were otherwise unaware it was happening. 

Those who had a sneaking suspicion that they were being tracked, though, wrongly guessed that Coles and Woolworths would be the most likely to do so. 

Not surprisingly, the customers asked about it weren’t happy. 

The survey’s respondents commonly described the tech’s use as “creepy and invasive” while “unnecessary and dangerous”, with as many as 65 percent of those who were asked airing concerns over how the technology could be used to create harmful customer profiles. 

Experts flocked to point out that the technology shouldn’t have a human use case. Mark Andrejevic, a professor of media studies at Monash University and a member of the ARC Centre of Excellence for Automated Decision-Making and Society, said facial recognition technology is only likely to become more pervasive among retailers and venues as it gets cheaper and more effective. 


“The first concern is notice and consent,” Andrejevic said. “It’s not in highly visible forms of public notification that would invite people to understand what’s taking place.”

“I think the other set of concerns is we don’t have a clear set of regulations or guidelines on the appropriate use of the technology. That leaves it pretty wide open. Stores may be using it for the purposes of security, but down the road, they may also include terms of use that would say that they can use it for marketing purposes.”

In response to Choice’s findings, Bunnings’s chief operating officer, Simon McDowell, said he was “disappointed” by what he believed to be an “inaccurate” characterisation of the retailers use of facial recognition surveillance.

He told VICE that the hardware chain had turned to adopting the technology off the back of an increasing “number of challenging interactions” between customers and staff, and is primarily being used for safety purposes.

At Bunnings, McDowell told VICE, facial recognition profiling is typically reserved for those who have been banned from a store or been involved in “a suspected threatening situation”. Images of children aren’t stored, he said, and all CCTV footage is destroyed within 30 days.

Kmart and The Good Guys have also been reached by VICE for comment.

Choice’s Kate Bower said the way these companies are using biometric data could see each of them fall afoul of the Australian Privacy Act. Under the legislation, biometric information like unique faceprints are considered “sensitive data”, and is regulated under a “higher standard” than other types of personal information in Australia.


“It requires that your collection of that information has to be suitable for the business purpose that you’re collecting it for, and that it can’t be disproportionate to the harms involved,” Bower said. 

“We also believe that these retail businesses are disproportionate in their over-collection of this information, which means that they may be in breach of the Privacy Act. We intend to refer them to the Information Commissioner on that basis. 

Should the Commissioner rule against them, Kmart, Bunnings and The Good Guys could join the convenience store giants, 7/11, in being guilty of interfering with the privacy of its customers, after the franchise was forced to disable the facial recognition tech being used across more than 700 of its stores last year. 

At the time, Anna Johnston, the principal at Salinger Privacy, told The Guardian that the case “clearly shows that putting things in your privacy policy does not equal consent”.

Follow John on Twitter.

Read more from VICE Australia.