7-Eleven facial recognition tool breached customer privacyApr 2022 | Workplace Advisory
An investigation initiated by the Privacy Commissioner into 7-Eleven’s practise of capturing facial images and faceprints through its customer feedback mechanism has found that 7-Eleven interfered with customer privacy without consent.
Over a period of approximately 14 months in 2020 and 2021, 7-Eleven used facial recognition technology in 700 of its stores via tablets which invited customers to complete a voluntary survey about their in-store experience (Facial Recognition Tool).
Each tablet had a built-in camera which took photographs of a customer as they completed the survey at two points in time: when the customer first engaged with the tablet, and after they completed the survey.
Customer photographs were stored on the tablet for approximately 20 seconds before being uploaded to a secure server and deleted from the tablet. A third-party supplier then processed the photographs and converted each image to an encrypted algorithmic representation of the face (Faceprint) and assessed and recorded inferred information about the customer’s approximate age and gender.
Over an eight month period, approximately 1.6 million survey responses were completed.
At its own initiative, the Office of the Australian Information Commissioner (Commission) commenced an investigation into 7-Eleven’s use of the Facial Recognition Tool. This investigation considered whether 7-Eleven had met the requirements of the Australian Privacy Principles (APPs).
APP 5.1 requires an APP entity that collects personal information about an individual to take such steps as are reasonable in the circumstances to notify the individual of a range of matters specified in APP 5. Relevantly, those matters include that:
- the APP entity has collected their personal information and the circumstances and method of the collection; and
- the purpose for which the APP entity collects personal information.
APP 3.3 prohibits an APP entity from collecting ‘sensitive information’ about an individual unless:
- the individual consents to the collection of the information; and
- the information is reasonably necessary for one or more of the entity’s functions or activities; or
- an exception applies.
The definition of sensitive information includes ‘biometric information that is to be used for the purpose of automated biometric verification or biometric identification’ or ‘biometric templates’.
Findings by the Commission
The Commission was satisfied that the photographs and Faceprints collected by 7-Eleven constituted information about an identified individual or an individual who is reasonably identifiable, and therefore fell within the definition of ‘personal information’.
7-Eleven displayed a notice at the entrance to its stores with an image of a CCTV camera and the following text:
'Site is under constant video surveillance. By entering the store you consent to facial recognition cameras capturing and storing your image.'
'7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification…We collect most personal information directly from you, for example where you:…use a feedback kiosk from our stores…'
In order to meet the requirements of APP 5, the Commission considered 7-Eleven needed a collection notice that specifically notified individuals of the following matters:
- the fact that 7-Eleven collects photographs of individuals who complete the feedback survey;
- 7-Eleven analyses the photographs using facial recognition technology to generate and collect Faceprints of those individuals; and
- the purpose of the collection explained in a way that could be understood by the individuals from whom the photographs were collected, noting that simply stating the collection was for ‘identity verification’ was insufficient.
APP 3.3 – consent
The Commission was satisfied that the photographs and Faceprints collected by 7-Eleven constituted biometric information used for the purpose of automated biometric identification or verification, and therefore fell within the definition of ‘sensitive information’.
In circumstances where no express consent was given by 7-Eleven’s customers to the collection of their photographs and Faceprints, the Commission considered whether individuals impliedly consented to the collection.
- the individuals did not have the capacity to understand and communicate their consent. Because they were inadequately informed, they were not in a position to understand the implications of providing or withholding consent.
APP 3.3 – information was reasonably necessary for 7-Eleven’s functions and activities
7-Eleven stated that its purpose for capturing facial images and generating Faceprints was to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. It also enabled 7-Eleven to have a broad understanding of the demographic profile of customers who completed the survey.
The Commission was not satisfied that the large-scale collection of customers’ sensitive information through 7-Eleven’s customer feedback mechanism was reasonably appropriate or adapted to the activity of understanding and improving customers’ in-store experience. The Commission relevantly considered the following matters in reaching its conclusion:
- the risk of adversity to individuals if their photographs or Faceprints were misused or compromised was not proportional to the function or activity of understanding and improving customers’ instore experience;
- 7-Eleven did not conduct a privacy impact assessment in relation to its instore feedback mechanism project; and
- there were other ways that 7-Eleven could have achieved its stated purpose.
If an APP entity intends to collect sensitive information, a request for consent should:
- clearly identify the kind of information to be collected, the recipient entities and the purpose of collection;
- be sought expressly at the point in time the information is collected; and
- be fully informed, freely given, and not bundled with other consents.
This article may provide CPD/CLE/CIP points through your relevant industry organisation.
The material contained in this publication is in the nature of general comment only, and neither purports nor is intended to be advice on any particular matter. No reader should act on the basis of any matter contained in this publication without considering, and if necessary, taking appropriate professional advice upon their own particular circumstances.