7-Eleven biometric data collection found in breach of Australian privacy laws
The US convenience store chain has been ordered to scrap its facial scanning tool and delete any stored data
US convenience store chain 7-Eleven has been accused of breaching Australian privacy laws by collecting customers' biometric data without their consent.
The Office of the Australian Information Commissioner (OAIC) found that between 15 June 2020 and 24 August 2021, the Australian arm of 7-Eleven interfered with the privacy of individuals by gathering facial recognition data through a hidden mechanism in its customer feedback form.
The OAIC said that 7-Eleven's policy was in breach of the Privacy Act 1988, adding that the information wasn’t reasonably necessary for the store’s functions and activities. It also failed to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collecting that information.
The company has now been told to cease its data collection and destroy any data still held.
Tablet devices containing facial recognition technology were deployed inside 7-Eleven’s 700 stores nationwide, which allowed customers to complete a voluntary survey about their in-store experience. As of March 2021, 1.6 million survey responses had been completed.
As they completed this survey, the tablet’s built-in camera would take a facial image twice, once when the customer first engaged with the tablet, and then again after they completed the survey.
These facial images were stored on the tablet for around 20 seconds before being uploaded to a secure server hosted in Australia on Microsoft Azure. Once the upload finished, the facial image was deleted from the tablet but retained on the server for seven days.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The facial images were then encrypted, turning them into ‘faceprints’, and assessed, providing inferred information about the customers’ approximate age and gender. The store said it was capturing this data to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, it wanted to exclude their responses from the survey results in case they weren’t genuine.
The truth about cyber security training
Stop ticking boxes. Start delivering real change.
“I am not satisfied that it was reasonably necessary to collect ‘sensitive’ biometric information...for this function or activity,” said Angelene Falk, OAIC commissioner. “I note the risk of adversity to individuals should this kind of information be misused or compromised, as it cannot be reissued or cancelled like other forms of compromised identification information. The risks associated with collection of such information are not proportional to the function or activity of understanding and improving customers’ in-store experience.”
7-Eleven said it had obtained consent from customers who took part in the survey in the form of a notice at the entrance to its stores and on its website. However, the commissioner rejected this, finding that the store did not inform individuals about the fact and circumstances of collection of facial images and faceprints, as required by the law.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.