7-Eleven facial recognition tool breached customer privacy

Apr 2022 | Workplace Advisory

An investigation initiated by the Privacy Commissioner into 7-Eleven’s practice of capturing facial images and faceprints through its customer feedback mechanism has found that 7-Eleven interfered with customer privacy without consent.

Background

Over a period of approximately 14 months in 2020 and 2021, 7-Eleven used facial recognition technology in 700 of its stores via tablets which invited customers to complete a voluntary survey about their in-store experience (Facial Recognition Tool). 

Each tablet had a built-in camera which took photographs of a customer as they completed the survey at two points in time: when the customer first engaged with the tablet, and after they completed the survey.

Customer photographs were stored on the tablet for approximately 20 seconds before being uploaded to a secure server and deleted from the tablet. A third-party supplier then processed the photographs and converted each image to an encrypted algorithmic representation of the face (Faceprint) and assessed and recorded inferred information about the customer’s approximate age and gender.

Over an eight-month period, approximately 1.6 million survey responses were completed.

At its own initiative, the Office of the Australian Information Commissioner (Commission) commenced an investigation into 7-Eleven’s use of the Facial Recognition Tool. This investigation considered whether 7-Eleven had met the requirements of the Australian Privacy Principles (APPs).

Applicable law

APP 5.1 requires an APP entity that collects personal information about an individual to take such steps as are reasonable in the circumstances to notify the individual of a range of matters specified in APP 5. Relevantly, those matters include that:

  • the APP entity has collected their personal information and the circumstances and method of the collection; and
  • the purpose for which the APP entity collects personal information. 

APP 3.3 prohibits an APP entity from collecting ‘sensitive information’ about an individual unless:

  • the individual consents to the collection of the information; and 
  • the information is reasonably necessary for one or more of the entity’s functions or activities; or
  • an exception applies. 

The definition of sensitive information includes ‘biometric information that is to be used for the purpose of automated biometric verification or biometric identification’ or ‘biometric templates’.

Findings by the Commission

APP 5

The Commission was satisfied that the photographs and Faceprints collected by 7-Eleven constituted information about an identified individual or an individual who is reasonably identifiable, and therefore fell within the definition of ‘personal information’.

7-Eleven displayed a notice at the entrance to its stores with an image of a CCTV camera and the following text:

'Site is under constant video surveillance. By entering the store you consent to facial recognition cameras capturing and storing your image.'

7-Eleven’s Privacy Policy, available on its website, included the following:

'7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification…We collect most personal information directly from you, for example where you:…use a feedback kiosk from our stores…'

The Commission determined that 7-Eleven breached APP 5 because it was not satisfied that the notices at store entrances and 7-Eleven’s Privacy Policy addressed all the APP 5 matters. In particular, the Commission determined that:

  • neither the notices at store entrances nor 7-Eleven’s Privacy Policy informed individuals about the fact and circumstances of 7-Eleven’s collection of facial images and Faceprints; and
  • neither the notices at store entrances nor 7-Eleven’s Privacy Policy adequately informed individuals about the purpose for which the facial images and Faceprints were collected.

In order to meet the requirements of APP 5, the Commission considered 7-Eleven needed a collection notice that specifically notified individuals of the following matters:

  • the fact that 7-Eleven collects photographs of individuals who complete the feedback survey;
  • the fact that 7-Eleven analyses the photographs using facial recognition technology to generate and collect Faceprints of those individuals; and
  • the purpose of the collection explained in a way that could be understood by the individuals from whom the photographs were collected, noting that simply stating the collection was for ‘identity verification’ was insufficient. 

APP 3.3 – consent

The Commission was satisfied that the photographs and Faceprints collected by 7-Eleven constituted biometric information used for the purpose of automated biometric identification or verification, and therefore fell within the definition of ‘sensitive information’.

In circumstances where no express consent was given by 7-Eleven’s customers to the collection of their photographs and Faceprints, the Commission considered whether individuals impliedly consented to the collection.

The Commission found that consent could not be implied from the notices at store entrances or from 7-Eleven’s Privacy Policy because:

  • the store notice and privacy policy did not state what information was being collected or handled. Individuals were therefore not adequately informed before giving consent;
  • the privacy policy bundled together multiple collections, uses and disclosures of personal information, thereby undermining the voluntariness of any consent provided. It did not give individuals the opportunity to choose which collections they agreed to and which they did not agree to, and it was therefore not possible for individuals to consent voluntarily to the collection of their photographs and Faceprints;
  • the store notices and privacy policy did not request consent contemporaneously before or during the survey process or refer to that process. Any consent was therefore neither current nor specific; and
  • the individuals did not have the capacity to understand and communicate their consent. Because they were inadequately informed, they were not in a position to understand the implications of providing or withholding consent.

APP 3.3 – information was reasonably necessary for 7-Eleven’s functions and activities 

7-Eleven stated that its purpose for capturing facial images and generating Faceprints was to detect if the same person was leaving multiple responses to the survey within a 20-hour period on the same tablet. It also enabled 7-Eleven to have a broad understanding of the demographic profile of customers who completed the survey.

The Commission was not satisfied that the large-scale collection of customers’ sensitive information through 7-Eleven’s customer feedback mechanism was reasonably appropriate or adapted to the activity of understanding and improving customers’ in-store experience. The Commission relevantly considered the following matters in reaching its conclusion:

  • the risk of adversity to individuals if their photographs or Faceprints were misused or compromised was not proportional to the function or activity of understanding and improving customers’ in-store experience;
  • 7-Eleven did not conduct a privacy impact assessment in relation to its in-store feedback mechanism project; and
  • there were other ways that 7-Eleven could have achieved its stated purpose.

Key takeaways

If an APP entity intends to collect sensitive information, a request for consent should:

  • clearly identify the kind of information to be collected, the recipient entities and the purpose of collection;
  • be sought expressly at the point in time the information is collected; and
  • be fully informed, freely given, and not bundled with other consents. 

Importantly, an APP entity cannot rely on disclosures in a privacy policy to provide notice and obtain consent for the following reasons:

  • A privacy policy is a transparency mechanism that, in accordance with APP 1.4, must include information about an entity’s personal information handling practices. 
  • A privacy policy published on an entity’s website is not generally a basis for providing notice and inferring or obtaining consent. Further, any consent inferred from the existence of a privacy policy would not be current and specific to the circumstances in which the information is being collected. 

 

This article may provide CPD/CLE/CIP points through your relevant industry organisation.

The material contained in this publication is in the nature of general comment only, and neither purports nor is intended to be advice on any particular matter. No reader should act on the basis of any matter contained in this publication without considering, and if necessary, taking appropriate professional advice upon their own particular circumstances.