The convenience store giant collected facial images while surveying customers on their in-store experience
The Office of the Australian Information Commissioner (OAIC) has found that convenience store giant 7-Eleven breached consumers’ privacy when it collected what the OAIC described as the “sensitive biometric information” of customers who were responding to store surveys without their express or implied consent.
Between June 2020 and August 2021, 7-Eleven had installed tablets with built-in cameras in 700 of its stores for customers to provide their feedback on the in-store experience. The OAIC’s investigation revealed that facial images of the customers had been collected in the process and then used to generate “faceprints”, an “algorithmic representation of a face.”
During this period, the company recorded 1.6 million completed surveys.
7-Eleven claimed that the purpose of the facial images and faceprints was to “detect and flag potentially non-genuine survey responses” and to give the company “a broad understanding of the demographic profile of its customers who completed the survey.” 7-Eleven also argued that the data obtained were not regarded as personal information because they were not used to “identify, monitor or track any individual.”
However, Australian Information Commissioner and Privacy Commissioner Falk pointed out that the facial images and faceprints were “biometric information that was used for the purpose of automated biometric identification” and therefore covered by additional protections in Privacy Act 1988.
“Biometric information is unique to an individual and cannot normally be changed. Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities,” Falk said.
She ruled that the collection of sensitive biometric information was in fact “not reasonably necessary” in understanding and improving the in-store experience at 7-Eleven.
“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy,” Falk said.
The OAIC also determined that the company had not taken reasonable steps to inform those who participated in the survey about the "the facts and circumstances " of the collection process. Moreover, customers were not notified about the reason why their facial images and faceprints were obtained through the feedback form.
Falk ordered the destruction of the faceprints collected by 7-Eleven. The company also destroyed the facial images it had obtained, and halted the process of collecting facial images and faceprints through the survey.
On 3 November, the OAIC concluded a similar investigation in which it partnered with the UK’s Information Commissioner’s Office to examine Clearview AI Inc’s personal information handling practices. The company had also utilised biometric information for facial recognition.