The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, recently determined that 7-Eleven interfered with up to 1.6 million customers’ privacy by collecting sensitive biometric information, via in-store customer satisfaction surveys, that was not reasonably necessary for its functions and without adequate notice or consent. This determination is a timely reminder to businesses to collect personal and sensitive information which is reasonably necessary for legitimate business functions. If sensitive information is required to be collected, businesses need to obtain valid consent from the individual concerned.
From June 2020 to August 2021, 7-Eleven used tablets with built in cameras in 700 stores to survey customers about their in-store experience. The survey collected facial images of the persons completing the survey. A third party service provider converted each facial image into an encrypted algorithmic representation, or a ‘faceprint’, to provide an understanding of the demographic of customers and to eliminate multiple surveys being completed by the same person at the same store.
Commissioner Falk determined that the facial images and faceprints were biometric information which is unique to individuals and therefore considered ‘sensitive information’ and subject to additional protections under the Privacy Act 1988 (Cth). The determination found that 7-Eleven:
- collected sensitive information in breach of Australian Privacy Principle (APP) 3.3 in circumstances where the collection was not reasonably necessary for 7-Eleven’s functions and activities and 7-Eleven had not obtained valid consent. Individuals completing the in-store survey did not give either express or implied consent to the collection of their facial images; and
- did not take reasonable steps to notify individuals of the collection of their personal information in breach of APP 5.1.
7-Eleven was ordered to destroy all faceprints collected and to discontinue the conduct.
The Commissioner recognised that while implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefit created by collecting the biometric information was not proportional to the impact on an individual’s privacy.
The determination also confirmed that 7-Eleven ultimately had contractual control of the data even in circumstances where the data was collected on its behalf by a third party service provider and 7-Eleven themselves had no access to it.
7-Eleven argued that customers had consented to the collection of their sensitive information as all stores displayed a notice at the store entry with an image of a surveillance camera. Some of the notices also included the text ‘by entering the store you consent to facial recognition cameras capturing and storing your image’. The Company also emphasised the existence of their Privacy Policy published on their website. However, the Commissioner determined that these actions were not sufficient.
A privacy policy is not a tool for obtaining consent. Instead it is a general tool informing people about how an organisation handles personal information.
Where consent is required for the collection, use and disclosure of personal information, that consent must be valid. For consent to be valid:
- the individual must be adequately informed before giving the consent;
- it must be voluntary and an individual must be given a genuine opportunity to decline;
- it must be current and specific and consent should not be requested for undefined future uses; and
- the individual must have capacity to understand and communicate their consent.
View the full determination here.
This article was written by Special Counsel Hayley Bowman. For advice on how to lawfully collect biometric information, please contact Hayley Bowman.