Date published: 11 February 2026 | Author: Nina Rossi
The recent ruling against Kmart highlights how serious privacy compliance has become in Australia. The retailer was found to have breached the Privacy Act by using facial recognition technology in 28 stores without obtaining proper consent or notifying customers. This means sensitive biometric data — faces, body shapes and other identifiers — was collected indiscriminately, exposing tens of thousands of people to risks they hadn’t agreed to.
Why does this matter for your business? Biometric data is considered sensitive information under the Privacy Act. With AI tools now able to repurpose images in countless ways, misuse or poor handling of this data can lead to privacy claims, reputational damage, and significant penalties. The Kmart decision reinforces that fraud prevention or security alone will not justify widespread collection of biometric data. Transparency, proportionality, and consent are baseline expectations.
Taking these steps now can help you avoid costly investigations and protect both your customers and your reputation.
Legal Disclaimer: This blog is based on a video recorded by Rossi Law. It was first drafted with AI assistance and reviewed by Rossi Law before publication. It provides general information only and is not legal advice. Please seek advice for your specific situation.