In Australia, the country's information commissioner has found that 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.
From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers' facial images at two points during the survey-taking process -- when the individual first engaged with the tablet, and after they completed the survey.
After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commended an investigation into 7-Eleven's survey.
During the investigation [PDF], the OAIC found 7-Eleven stored the facial images on tablets for around 20 seconds before uploading them to a secure server hosted in Australia within the Microsoft Azure infrastructure. The facial images were then retained on the server, as an algorithmic representation, for seven days to allow 7-Eleven to identify and correct any issues, and reprocess survey responses, the convenience store giant claimed.
The facial images were uploaded to the server as algorithmic representations, or "faceprints", that were then compared with other faceprints to exclude responses that 7-Eleven believed may not be genuine.
7-Eleven also used the personal information to understand the demographic profile of customers who completed the survey, the OAIC said.
7-Eleven claimed it received consent from customers who participated in the survey as it provided a notice on its website stating that 7-Eleven may collect photographic or biometric information from users. The survey resided on 7-Eleven's website.
As at March 2021, approximately 1.6 million survey responses had been completed.
Angelene Falk, Australia's Information Commissioner and Privacy Commissioner, determined that this large-scale collection of sensitive biometric information breached Australia's privacy laws and was not reasonably necessary for the purpose of understanding and improving customers' in-store experience.
In Australia, an organisation is prohibited from collecting sensitive information about an individual unless consent is provided.
Falk said facial images that show an individual's face is sensitive information. She added that any algorithmic representation of a facial image is also sensitive information. In regards to 7-Eleven's claim that consent was provided, Falk said 7-Eleven did not provide any information about how customers' facial images would be used or stored, which meant 7-Eleven did not receive any form of consent when it collected the images.
"For an individual to be 'identifiable', they do not necessarily need to be identified from the specific information being handled. An individual can be 'identifiable' where it is possible to identify the individual from available information, including, but not limited to, the information in issue," Falk said.
"While I accept that implementing systems to understand and improve customers' experience is a legitimate function for 7-Eleven's business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy."
As part of the determination, Falk has ordered for 7-Eleven to cease collecting facial images and faceprints as part of the customer feedback mechanism.
7-Eleven has also been ordered to destroy all the faceprints it collected.