7-Eleven biometric data collection found in breach of Australian privacy laws

US convenience store chain 7-Eleven has been accused of breaching Australian privacy laws by collecting customers' biometric data without their consent.

The Office of the Australian Information Commissioner (OAIC) found that between 15 June 2020 and 24 August 2021, the Australian arm of 7-Eleven interfered with the privacy of individuals by gathering facial recognition data through a hidden mechanism in its customer feedback form.

The OAIC said that 7-Eleven's policy was in breach of the Privacy Act 1988, adding that the information wasn’t reasonably necessary for the store’s functions and activities. It also failed to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collecting that information.

The company has now been told to cease its data collection and destroy any data still held.

Tablet devices containing facial recognition technology were deployed inside 7-Eleven’s 700 stores nationwide, which allowed customers to complete a voluntary survey about their in-store experience. As of March 2021, 1.6 million survey responses had been completed.

As they completed this survey, the tablet’s built-in camera would take a facial image twice, once when the customer first engaged with the tablet, and then again after they completed the survey.

These facial images were stored on the tablet for around 20 seconds before being uploaded to a secure server hosted in Australia on Microsoft Azure. Once the upload finished, the facial image was deleted from the tablet but retained on the server for seven days.

The facial images were then encrypted, turning them into ‘faceprints’, and assessed, providing inferred information about the customers’ approximate age and gender. The store said it was capturing this data to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, it wanted to exclude their responses from the survey results in case they weren’t genuine.

“I am not satisfied that it was reasonably necessary to collect ‘sensitive’ biometric information...for this function or activity,” said Angelene Falk, OAIC commissioner. “I note the risk of adversity to individuals should this kind of information be misused or compromised, as it cannot be reissued or cancelled like other forms of compromised identification information. The risks associated with collection of such information are not proportional to the function or activity of understanding and improving customers’ in-store experience.”

7-Eleven said it had obtained consent from customers who took part in the survey in the form of a notice at the entrance to its stores and on its website. However, the commissioner rejected this, finding that the store did not inform individuals about the fact and circumstances of collection of facial images and faceprints, as required by the law.