OAIC Finds 7-Eleven Breached 1.6 Million Customers’ Privacy


By Staff Writer

The Office of the Australian Information Commissioner (OAIC) has found the convenience store chain 7-Eleven collected customers’ facial images or faceprints improperly and without their informed consent.

Between June 2020 and August 2021, 7-Eleven asked customers to complete an in-store customer satisfaction survey using 7-Eleven supplied tablets. More than 1.6 million customers took part across 700 stores.

But the tablet’s cameras also took a photo of customers while completing the surveys. The convenience store group captured up to 3.2 customers images.

7-Eleven says they used the photos to generate algorithmic representations, or ‘faceprints’, which were compared with other faceprints to exclude responses that may not be genuine.

The company uploaded customer photos to an Australian-hosted server. The images were converted to an encrypted algorithmic faceprint. Upon assessment of the faceprint, the customer had an approximate age and gender assigned to them.

After cross-matching to exclude “non-genuine” survey results, 7-Eleven held onto the images for up to seven days.

Signage at 7-Eleven stores around Australia states the store uses facial recognition technology to capture and store images. Consenting to this is a condition of entering the store.

But following a customer complaint, an OAIC investigation found the convenience store group collected biometric information that was not reasonably necessary for its functions and without adequate notice or consent.

“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy,” said Commissioner Angelene Falk in her finding.

Commissioner Falk found 7-Eleven breached the Privacy Act 1988 (Cth) by collecting customers’ sensitive information without their consent when it was not necessary to do so.

It was further found 7-Eleven breached the Australian Privacy Principle (APP) 3.3 by not telling customers it was photographing them or why it was doing so.

7-Eleven said capturing customers’ images was designed to prevent employees from participating or customers from participating more than once. But 7-Eleven could not tell the OAIC how many “non-genuine” survey responses were captured.

Commissioner Falk ordered 7-Eleven to destroy the customer photographs within 90 days but declined to impose further penalties.

7-Eleven says it accepts the Commissioner’s determination. They say the determination relates to a feedback system used by many businesses across the retail sector.

A spokesperson for the convenience store chain said the survey was entirely voluntary and did not require the customer to provide personal details like their name or contact information.  7-Eleven says the information collected was used solely to improve products and services in-store.

“On being notified of the Commissioner’s findings, we promptly disabled this feature, and all images taken by the system in our stores have been permanently deleted,” 7-Eleven’s spokesperson said.

“7-Eleven appreciates the Commissioner’s recognition of 7-Eleven’s co-operation throughout the investigation process, as well as her confirmation that the matter is now closed without any further action required.”


Leave A Reply