7-Eleven has received a slap on the wrist from Australia’s Information and Privacy Commissioner, after she ruled the convenience store group interfered with customers’ privacy by collecting sensitive biometric information without their consent.
Commissioner Angelene Falk said 7-Eleven’s data collection was not reasonably necessary for its functions and was done without adequate notice or consent. Yikes.
7-Eleven ran some surveys from June 2020 through August 2021. The surveys (about the customer’s in-store experience) were conducted on tablets with built-in cameras.
Customers completed a whopping 1.6 million surveys in the first 10 months, across 700 stores.
7-Eleven collected facial images while customers were filling out their responses – once at the start and again at the end.
The customers’ facial images were used to generate algorithmic representations (or ‘faceprints’) which were compared with other faceprints to exclude responses that may not be genuine.
Surveys are good, they help a business do better, but collecting biometric info, not so good. Customers did not give either express or implied consent to the collection of their facial images or faceprints, nor did 7-Eleven take reasonable steps to notify individuals of the collection of personal information.
Commissioner Falk said this collection was not reasonably necessary for the purpose of understanding and improving customers’ in-store experience.
She declared the facial images and faceprints were sensitive information covered by additional protections under the Privacy Act 1988. Her reasoning was that they were ‘biometric information that was used for the purpose of automated biometric identification’, and the faceprints were also ‘biometric templates’.
After investigating the convenience store group, Falk’s agency, the Office of the Australian Information Commissioner (OAIC), found 7-Eleven also used the personal information to profile its demographic.
“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities,” Falk said.
“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy.”
7-Eleven has now destroyed the faceprints it collected and must promise to never, ever do this kind of thing again.