7-Eleven stores capture images of their customers’ faces without their consent

The Office of the Australian Information Commissioner (OAIC) confirmed that convenience store chain 7-Eleven violated the privacy of thousands of customers by collecting sensitive biometric data without prior consent between June 2020 and August 2021.

During the aforementioned period, the company conducted thousands of surveys using electronic tablets with integrated cameras installed in 700 of its stores, taking advantage of this campaign to capture the facial features of thousands of customers at the time of initiating the survey and at the end of answering the questions.

This campaign caught the attention of the OAIC, which launched an investigation into the survey, finding that the collected images are stored for about 20 seconds on the devices before being sent to a Microsoft Azure server.

Subsequently, the facial images are kept on this server for at least one week, a period where 7-Eleven managed to identify and correct any problems and reprocess the survey responses.

Facial images were uploaded to the server as algorithmic representations, another way of saying facial records. This information was used by the company to compare the responses collected and delete possible non-genuine records.

On the other hand, the company claims that users consented to the collection of data at the time of answering the survey, since it includes a notice that mentions that 7-Eleven can collect biometric data. According to data from the company itself, around 1.6 million customers responded to the survey.

Angelene Falk, Commissioner for Information and Privacy, determined that this data collection strategy violates Australia’s privacy guidelines and there is insufficient argument to support how this practice improves the customer experience. It should be remembered that, in Australia, companies are prohibited from collecting confidential information about their customers without express consent.

The Commissioner concluded by mentioning that facial images showing a person’s face should be considered as sensitive information, so 7-Eleven cannot simply add to its survey a small dialog box mentioning that biometric information will be collected. The OAIC ordered 7-Eleven to stop collecting facial images as part of its feedback programs, and they must destroy all records collected so far. 

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.