Convenience store group 7-Eleven has been found collecting facial recognition data from customers without their consent, according to Australia’s data protection authority.
The Office of the Australian Information Commissioner (OAIC) said facial images of customers were collected while they completed surveys on their in-store experience.
Over 1.6 million surveys were completed in 10 months across 700 stores, starting from June 2020.
The investigation by the OAIC found that customers’ facial images were collected to generate algorithmic representations, or “faceprints,” that were then compared to other faceprints to filter out responses that were not genuine.
Angelene Falk, the Australian information and privacy commissioner, said faceprints were protected under the Privacy Act 1988, and that customers did not give express or implied consent to the collection of that data.
Nor did 7-Eleven take “reasonable steps” to notify individuals that their personal information was being collected.
“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities,” Falk said in a statement on Oct. 14.
Falk said collecting faceprints was not a necessary part of 7-Eleven’s customer feedback system.
“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy,” he said.
In response to the investigation, 7-Eleven has stopped collecting facial images and has destroyed all data collected.
Collection of facial images has gained headlines in recent months following the growing use of such technology in smartphone apps to monitor compliance with COVID-19 health restrictions.
Currently, South Australia, New South Wales, and Victoria are trialling home quarantine with such apps, while Western Australia’s G2G pass has been in use the longest registering over 97,000 residents.
South Australia’s home quarantine app, Quarantine SA, is set to become the national model once trials are deemed successful.
Residents entering home quarantine are required to download the app and will need to “check-in” with the app at random intervals during their quarantine period of two weeks.
Users have just 15 minutes to respond to a random check-in notification (in Western Australia, this is just five minutes) by scanning their faces.
If they miss a scan, they will receive a follow-up phone call from the Home Quarantine SA team to discuss the reason why. If the individual misses the phone call, a compliance officer may be sent to the approved address to check on their situation.
Use of facial recognition technology in this way has raised concerns it could “normalise” surveillance. Further, unclear protections around the data could leave it open to being exploited.