7-Eleven biometric data collection found in breach of Australian privacy laws

The US convenience store chain has been ordered to scrap its facial scanning tool and delete any stored data

A view of a 7-Eleven convenience store located in Melbourne Australia

US convenience store chain 7-Eleven has been accused of breaching Australian privacy laws by collecting customers' biometric data without their consent.

The Office of the Australian Information Commissioner (OAIC) found that between 15 June 2020 and 24 August 2021, the Australian arm of 7-Eleven interfered with the privacy of individuals by gathering facial recognition data through a hidden mechanism in its customer feedback form.

The OAIC said that 7-Eleven's policy was in breach of the Privacy Act 1988, adding that the information wasn’t reasonably necessary for the store’s functions and activities. It also failed to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collecting that information.

The company has now been told to cease its data collection and destroy any data still held.

Tablet devices containing facial recognition technology were deployed inside 7-Eleven’s 700 stores nationwide, which allowed customers to complete a voluntary survey about their in-store experience. As of March 2021, 1.6 million survey responses had been completed.

As they completed this survey, the tablet’s built-in camera would take a facial image twice, once when the customer first engaged with the tablet, and then again after they completed the survey.

These facial images were stored on the tablet for around 20 seconds before being uploaded to a secure server hosted in Australia on Microsoft Azure. Once the upload finished, the facial image was deleted from the tablet but retained on the server for seven days.

The facial images were then encrypted, turning them into ‘faceprints’, and assessed, providing inferred information about the customers’ approximate age and gender. The store said it was capturing this data to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, it wanted to exclude their responses from the survey results in case they weren’t genuine.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

“I am not satisfied that it was reasonably necessary to collect ‘sensitive’ biometric information...for this function or activity,” said Angelene Falk, OAIC commissioner. “I note the risk of adversity to individuals should this kind of information be misused or compromised, as it cannot be reissued or cancelled like other forms of compromised identification information. The risks associated with collection of such information are not proportional to the function or activity of understanding and improving customers’ in-store experience.”

7-Eleven said it had obtained consent from customers who took part in the survey in the form of a notice at the entrance to its stores and on its website. However, the commissioner rejected this, finding that the store did not inform individuals about the fact and circumstances of collection of facial images and faceprints, as required by the law.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

FCC expels China Telecom from the US
Network & Internet

FCC expels China Telecom from the US

27 Oct 2021
AWS and Google win Japanese government cloud contract
cloud computing

AWS and Google win Japanese government cloud contract

27 Oct 2021
Telstra to acquire Digicel Pacific for $1.6 billion with help from government
Network & Internet

Telstra to acquire Digicel Pacific for $1.6 billion with help from government

26 Oct 2021
Australian Federal Police plots "aggressive" cyber division following law change
encryption

Australian Federal Police plots "aggressive" cyber division following law change

25 Oct 2021

Most Popular

UK spy agencies supercharge espionage efforts with AWS data deal
cloud computing

UK spy agencies supercharge espionage efforts with AWS data deal

26 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021