7-Eleven biometric data collection found in breach of Australian privacy laws

The US convenience store chain has been ordered to scrap its facial scanning tool and delete any stored data

A view of a 7-Eleven convenience store located in Melbourne Australia

US convenience store chain 7-Eleven has been accused of breaching Australian privacy laws by collecting customers' biometric data without their consent.

The Office of the Australian Information Commissioner (OAIC) found that between 15 June 2020 and 24 August 2021, the Australian arm of 7-Eleven interfered with the privacy of individuals by gathering facial recognition data through a hidden mechanism in its customer feedback form.

The OAIC said that 7-Eleven's policy was in breach of the Privacy Act 1988, adding that the information wasn’t reasonably necessary for the store’s functions and activities. It also failed to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collecting that information.

The company has now been told to cease its data collection and destroy any data still held.

Tablet devices containing facial recognition technology were deployed inside 7-Eleven’s 700 stores nationwide, which allowed customers to complete a voluntary survey about their in-store experience. As of March 2021, 1.6 million survey responses had been completed.

As they completed this survey, the tablet’s built-in camera would take a facial image twice, once when the customer first engaged with the tablet, and then again after they completed the survey.

These facial images were stored on the tablet for around 20 seconds before being uploaded to a secure server hosted in Australia on Microsoft Azure. Once the upload finished, the facial image was deleted from the tablet but retained on the server for seven days.

The facial images were then encrypted, turning them into ‘faceprints’, and assessed, providing inferred information about the customers’ approximate age and gender. The store said it was capturing this data to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, it wanted to exclude their responses from the survey results in case they weren’t genuine.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

“I am not satisfied that it was reasonably necessary to collect ‘sensitive’ biometric information...for this function or activity,” said Angelene Falk, OAIC commissioner. “I note the risk of adversity to individuals should this kind of information be misused or compromised, as it cannot be reissued or cancelled like other forms of compromised identification information. The risks associated with collection of such information are not proportional to the function or activity of understanding and improving customers’ in-store experience.”

7-Eleven said it had obtained consent from customers who took part in the survey in the form of a notice at the entrance to its stores and on its website. However, the commissioner rejected this, finding that the store did not inform individuals about the fact and circumstances of collection of facial images and faceprints, as required by the law.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Microsoft to shutdown LinkedIn in China
Careers & training

Microsoft to shutdown LinkedIn in China

15 Oct 2021
Acer confirms breach after cyber attack on Indian servers
hacking

Acer confirms breach after cyber attack on Indian servers

14 Oct 2021
Australia plots harsher penalties for hackers involved in ransomware attacks
Policy & legislation

Australia plots harsher penalties for hackers involved in ransomware attacks

13 Oct 2021
Microsoft mitigated 'largest ever' 2.4Tbps DDoS attack
distributed denial of service (DDOS)

Microsoft mitigated 'largest ever' 2.4Tbps DDoS attack

12 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Cleaning up legacy IT to drag big tobacco into the future
digital transformation

Cleaning up legacy IT to drag big tobacco into the future

12 Oct 2021