International convenience store chain, 7-Eleven, has come under fire from the Privacy Commissioner for unlawfully collecting biometric data from Australian patrons.

Much like most businesses that operate these days, 7-Eleven utilises CCTV security to monitor its 700 locations in Australia, however, in June last year the company also introduced survey tablets. These tablets came with in-built cameras and captured facial photos whenever customers completed a satisfaction survey. These facial images were uploaded to a local server where they were converted into “encrypted algorithmic facepints” which recorded a person’s approximate age and gender. Close to 3.2M facial images have been taken to date and have been used as tools to cross-reference flagged individuals that enter 7-Eleven stores. According to 7-Eleven, these images remained stored on the local servers for seven days although were said to expire after 24 hours after being captured. Interestingly, 7-Eleven did not specify how the faceprints expired or whether they were in fact deleted.

Upon reviewing this facial imaging scheme, the Privacy Commissioner noted that such collection of data interfered with Australian privacy laws. In her decision, the Privacy Commissioner provided that 7-Eleven breached the Privacy Act 1988 (Cth) by collecting individual sensitive information without consent, and without a reasonable cause for its business operation, and failed to take reasonable steps to notify individuals about the fact and method of collection as well as the purposes of the collection. In its defence, 7-Eleven argued that the data collection was not used for personal identification, nor to track or monitor individuals. Additionally, 7-Eleven believed they had put up effective notices of facial recognition use in their stores. When assessing these arguments, the Privacy Commissioner did acknowledge that implementing systems to improve customer experience is a legitimate function for businesses such as 7-Eleven, however, the means of acquiring such data were not expressly communicated to the customer and instead acted as an involuntary opt-in method rather than opt-out. As such, 7-Eleven was issued a 90-day notice to destroy and dispose of all collected faceprints and provide a written notice to the Office of the Australian Information Commissioner of its compliance.

This decision demonstrates that a privacy policy or warning of facial recognition technology does not automatically guarantee a customer’s consent. It is clear that a proper regulatory framework must be enacted to safeguard individual privacy whilst benefiting commercial use.