IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

7-Eleven biometric data collection found in breach of Australian privacy laws

The US convenience store chain has been ordered to scrap its facial scanning tool and delete any stored data

US convenience store chain 7-Eleven has been accused of breaching Australian privacy laws by collecting customers' biometric data without their consent.

The Office of the Australian Information Commissioner (OAIC) found that between 15 June 2020 and 24 August 2021, the Australian arm of 7-Eleven interfered with the privacy of individuals by gathering facial recognition data through a hidden mechanism in its customer feedback form.

The OAIC said that 7-Eleven's policy was in breach of the Privacy Act 1988, adding that the information wasn’t reasonably necessary for the store’s functions and activities. It also failed to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collecting that information.

The company has now been told to cease its data collection and destroy any data still held.

Tablet devices containing facial recognition technology were deployed inside 7-Eleven’s 700 stores nationwide, which allowed customers to complete a voluntary survey about their in-store experience. As of March 2021, 1.6 million survey responses had been completed.

As they completed this survey, the tablet’s built-in camera would take a facial image twice, once when the customer first engaged with the tablet, and then again after they completed the survey.

These facial images were stored on the tablet for around 20 seconds before being uploaded to a secure server hosted in Australia on Microsoft Azure. Once the upload finished, the facial image was deleted from the tablet but retained on the server for seven days.

The facial images were then encrypted, turning them into ‘faceprints’, and assessed, providing inferred information about the customers’ approximate age and gender. The store said it was capturing this data to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, it wanted to exclude their responses from the survey results in case they weren’t genuine.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

“I am not satisfied that it was reasonably necessary to collect ‘sensitive’ biometric information...for this function or activity,” said Angelene Falk, OAIC commissioner. “I note the risk of adversity to individuals should this kind of information be misused or compromised, as it cannot be reissued or cancelled like other forms of compromised identification information. The risks associated with collection of such information are not proportional to the function or activity of understanding and improving customers’ in-store experience.”

7-Eleven said it had obtained consent from customers who took part in the survey in the form of a notice at the entrance to its stores and on its website. However, the commissioner rejected this, finding that the store did not inform individuals about the fact and circumstances of collection of facial images and faceprints, as required by the law.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

India to roll out 6G by end of decade
Network & Internet

India to roll out 6G by end of decade

18 May 2022
Data centres that switch from HDDs to SSDs use 70% less power
data centres

Data centres that switch from HDDs to SSDs use 70% less power

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022
Australia pledges $5 million to create tech skills passport
Careers & training

Australia pledges $5 million to create tech skills passport

11 May 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Windows 11's nifty new search feature has one major downside
Microsoft Windows

Windows 11's nifty new search feature has one major downside

23 May 2022