Skip to main content
News 14 Oct 2021 - 2 min read

CX fail: 7-Eleven in breach of Australian privacy laws over facial recognition tablets

By Sam Buckingham-Jones - Senior Writer
Angelene Falk, Australian Privacy Commissioner

“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities,” Information Commissioner Angelene Falk said

Facial analysis software used by 7-Eleven has been found in breach of Australia’s privacy laws, with the chain harvesting 1.6 million Australian faces over the 10 months to August this year.

What you need to know:

  • 7Eleven has been found in breach of Australia’s privacy laws for collecting and analysing biometric face scans as part of a customer satisfaction survey using tablets in stores.
  • The Australian Information Commissioner, Angelene Falk, ruled the convenience chain had failed to justify the potential harms associated with the collection of the images, and ordered 7-Eleven to destroy the images.

7-Eleven has fallen afoul of Australia’s privacy laws for unnecessarily harvesting customers’ facial images, or “faceprints”, without permission for a survey aiming to gauge customer experience and satisfaction.

The Office of the Australian Information Commissioner found the convenience store chain used tablets with built-in cameras in 700 stores to collect customer surveys between June 2020 and August 2021, harvesting 1.6 million surveys in that time.

Whenever customers filled in the anonymous survey, two images were taken of their face, which were then uploaded via a Microsoft Azure server. The stores then used software to create an “encrypted algorithmic representation” of each face, which they then assessed based on age and gender. The reason for collecting the faces was to exclude people who filled in the survey multiple times within a certain period.

“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities,” Information and Privacy Commissioner Angelene Falk said.

“Any benefit to the respondent was disproportionate to, and failed to justify, the potential harms associated with the collection and handling of sensitive biometric information”

Falk found 7-Eleven did not have express or implied consent to collect facial images or faceprints, nor did the chain tell individuals it was collecting them.

7-Eleven has stopped collecting the images after the OAIC started investigating, and says it has destroyed existing images. It must provide written confirmation that all images have been destroyed within 90 days of the September 29 decision.

What do you think?

Search Mi3 Articles