Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks
from the small-privacy-breach-with-larger-repercussions dept
Of all the places to come across illegal facial recognition tech deployment, a convenience store chain is certainly one of the strangest. The tech wasn’t deployed to stop shoplifting or keep unwanted people off the premises. Instead, somewhat ironically, it was deployed to help 7-Eleven convenience stores quantify how well it was doing in the customer service department.
In Australia, the country’s information commissioner has found that 7-Eleven breached customers’ privacy by collecting their sensitive biometric information without adequate notice or consent.
From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers’ facial images at two points during the survey-taking process — when the individual first engaged with the tablet, and after they completed the survey.
After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven’s survey.
The investigation [PDF] says 7-Eleven handled pretty much everything about this badly. It also shows the company tried to distance itself from its own tablet-based survey by blaming the third-party vendor handling the survey on its behalf.
The facial images were collected twice during the survey and stored locally on the tablets for about 20 seconds. After that, they went to the third party’s servers, where they were processed and converted into an algorithmic representation of the face. The original images were then deleted from the device used to perform the survey.
These “representations” were then used to check for matches on other surveys. This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers. All of that data was deleted after seven days. In total, 1.6 million surveys were performed.
7-Eleven argued this was not a violation of Australian law because the images were not used to identify, track, or monitor respondents. It also said it had no access to facial images on the local device, nor any access to images once they had been moved to the third party servers.
Wrong, says the information commissioner. The problem isn’t how the collected information was handled. The problem is how it was collected. 7-Eleven needed consent from survey takers and didn’t get it. The commissioner found “no evidence” individuals “expressly” agreed to have their biometric information collected by 7-Eleven.
7-Eleven argued it did get at least implied consent. As evidence of this it offered the blanket notice displayed in front of all stores:
Site is under constant video surveillance.
By entering the store you consent to facial recognition cameras capturing and storing your image.
7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.
None of this is sufficient, says the commissioner.
Consent may not be implied if an individual’s consent is ambiguous or there is reasonable doubt about the individual’s intention. While I accept that use of the tablet was voluntary, I am not satisfied that the act of using the tablet unambiguously indicated an individual’s agreement to collect their facial image and faceprint, in circumstances where:
There was no information provided on or in the vicinity of the tablet, or during the process of completing the survey, about the respondent’s collection of facial images and faceprints.
The Store Notices were unclear, and, given the prevalence of these kind of notices in stores and public places, may have created an impression that the respondent captured customers’ images using a facial recognition CCTV camera as part of surveillance of the store.
Non-specific blanket statements about possible collections are not the same thing as informing survey takers prior to taking a survey that their biometric information will definitely be collected if they fill out a survey.
That’s some lawbreaking right there. The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey. It’s also forbidden from engaging in this sort of thing again without securing explicit permission from clients’ customers. How much of a deterrent this is remains to be seen since the third party already declared all facial recognition data was deleted seven days after it was collected and processed.