The Office of the Australian Information Commissioner (OAIC) has determined 7/11 interfered with the privacy of customers by collecting sensitive biometric data through their facial recognition and faceprint technology. 7/11 were ordered to destroy all faceprints collected.
From July 2020 to August 2021, 7/11 made tablets available instore for customers to voluntarily complete a survey about their instore experience. These devices used a camera to capture the customer’s facial image both before and after they completed the survey.
Faceprints and Facial Images
7/11 argued that faceprints do not amount to personal information as they are not used to identify, monitor, or track an individual. Faceprints are “created by automatically converting facial images into an encrypted algorithmic representation of a customer’s face”. Therefore, although the images themselves amount to personal information, as they show an individual’s face that can be linked back to a particular person, once turned into a faceprint it is more difficult to identify the person.
The OAIC determined faceprints are personal information as they are digital representations of an individual’s facial features and thus are ‘about’ an individual. How 7/11 used this information meant faceprints could be distinguished from one another and individuals could be identified from the faceprints.
Both the facial images and faceprints collected by 7/11 were considered biometric information and therefore sensitive information by the OAIC.
Contravening the Privacy Act
Australian Privacy Principle (APP) 3.3 prohibits the collection of sensitive information about an individual unless they consent. 7/11 argued that since the survey tool which used facial recognition technology was voluntary, those who completed the survey consented to the collection of their sensitive information. The OAIC determined that the customer’s consent could not be implied based on their voluntarily completing a survey and 7/11 did not adequately inform the customers of what they were being asked to consent to.
The OAIC also held that the collection of sensitive biometric information was not reasonably necessary for 7/11’s functions or activities. The information was collected to detect non-genuine survey responses and give a broad demographic profile of its customers. The OAIC held that although wanting to understand and improve customers’ in-store experiences is a legitimate function of a business, the collection of the biometric sensitive data was not reasonably necessary. Some of the reasons given by the OAIC include
- 7/11 did not conduct a privacy impact assessment (PIA) prior to rolling out the survey or faceprint system; and
- There were other ways 7/11 could have identified non-genuine responses without collecting sensitive biometric information.
The OAIC found 7/11 interfered with the privacy of individuals and therefore in breach of APP 3.3.
7/11 were ordered to destroy all faceprints collected through the customer feedback mechanism within 90 days of the decision and ordered not repeat or continue the conduct.
This case is a reminder of the importance of informed consent. Consent to collect sensitive information is key to building trust with your customers and complying with Australia’s privacy laws. Consent to collect sensitive information can be express or implied but the OAIC’s determination is an indication that the bar to establish inferred or implied consent is high. Collection statements are an important tool to explain to your customers what information you are collecting and why, but it is not enough to rely on a collection statement when collecting sensitive or biometric information. Indication of informed, voluntary consent is needed.
Collection statements should be reviewed regularly to ensure they accurately reflect the practices of your business and are effective if your business is collecting sensitive information.
If you need assistance in drafting or reviewing your collection statements and identifying if privacy consents are required, please feel free to contact us.