14 October 2021
Australian Information Commissioner and Privacy Commissioner Angelene Falk has determined that convenience store group 7-Eleven interfered with customers’ privacy by collecting sensitive biometric information that was not reasonably necessary for its functions and without adequate notice or consent.
It follows an investigation by the Office of the Australian Information Commissioner (OAIC) into 7‑Eleven collecting facial images while surveying customers about their in-store experience.
The investigation found customers’ facial images were used to generate algorithmic representations, or ‘faceprints’, which were compared with other faceprints to exclude responses that may not be genuine. The personal information was also used to give a broad understanding of the demographic profile of customers who completed the survey.
The surveys were completed between June 2020 and August 2021 on tablets with built-in cameras installed in 700 stores. Customers completed 1.6 million surveys in the first 10 months.
Commissioner Falk found the facial images and faceprints were sensitive information covered by additional protections under the Privacy Act 1988 because they were ‘biometric information that was used for the purpose of automated biometric identification’, and the faceprints were also ‘biometric templates’.
“Biometric information is unique to an individual and cannot normally be changed,” Commissioner Falk said.
“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities.”
Commissioner Falk found that individuals did not give either express or implied consent to the collection of their facial images or faceprints, nor did 7-Eleven take reasonable steps to notify individuals of the collection of personal information.
The Commissioner also found that the large-scale collection of sensitive biometric information through 7-Eleven’s customer feedback mechanism was not reasonably necessary for the purpose of understanding and improving customers’ in-store experience.
“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy.”
In response to the OAIC investigation, 7-Eleven has ceased collecting facial images and faceprints as part of the customer feedback mechanism. It has also destroyed existing facial images.
Commissioner Falk has ordered that 7-Eleven also destroy all the faceprints it collected.
The full determination can be read on the OAIC website.
It finds that 7-Eleven:
- collected sensitive information in breach of Australian Privacy Principle 3.3, in circumstances where the collection was not reasonably necessary for its functions and activities, and 7-Eleven had not obtained valid consent.
- did not take reasonable steps to notify individuals about the facts and circumstances of collection, or the purpose of collecting their facial images and faceprints through the customer feedback mechanism, in breach of Australian Privacy Principle 5.1.