Biometrics is the measurement and statistical analysis of unique physical and behavioural characteristics. While it may not be something you give much thought to, your biometrics can be assessed to provide valuable data for businesses looking to collect as much information as they can about their customers or clients. When used in this way, they also may cause privacy concerns.

But to what extent are our biometrics protected? And what obligations apply to businesses that are collecting this data? A recent determination involving convenience store giant 7-Eleven serves as a reminder of a company’s obligation to protect the privacy of its customers.

The Australian Information Commissioner and Privacy Commissioner has handed down her determination against 7-Eleven in relation to its in-store customer survey practices. The commissioner found that the business had interfered with the privacy of individuals who completed in-store surveys.

This decision serves as an important reminder that businesses should be constantly mindful of complying with applicable privacy legislation when collecting new forms of personal information about individuals. The obligation is especially relevant when it involves sensitive information such as health information or biometric information.

The determination echoes the privacy obligations that should be particularly front of mind for Victorians right now, as some businesses are being required to routinely collect vaccination information from employees and customers alike.

transparency required when collecting facial imagery

In the 7-Eleven scenario, between June 2020 and August 2021, customers could complete voluntary surveys on tablet devices in-store about their experiences. The tablets had built-in cameras, which captured facial images as customers completed the survey. Approximately 1.6 million surveys were completed in the first 10 months.

7-Eleven used the facial images to help preserve the integrity of the survey responses by detecting if the same individual was leaving multiple responses to the survey within a certain timeframe on the same tablet. The information also gave 7-Eleven demographic information about the survey participants.

The Privacy Commissioner found that 7-Eleven interfered with customers’ privacy by collecting facial images, which constitute sensitive biometric information for the purposes of the Federal Privacy Act 1988 (Cth) (Privacy Act). In particular, the Privacy Commissioner determined that:

  • the customers did not give either express or implied consent to the collection of their facial images;
  • 7-Eleven’s collection of the facial images was not reasonably necessary for its business functions or activities; and
  • 7-Eleven failed to give adequate notice and transparency to individuals of the purpose of the collection and usage practices for the facial images.

For these reasons, 7-Eleven was found to have breached some of the Australian Privacy Principles (APPs) under the Privacy Act – specifically APP 3.3, which governs the collection of sensitive information, and APP 5, which governs the notification of the collection of personal information.

privacy obligations apply to new advancements

One key takeaway from this determination is that businesses should be thinking about potential privacy implications when introducing new practices or initiatives. For example, when rolling out this customer feedback mechanism throughout 700 stores nationwide, it is possible that 7-Eleven did not comprehend that capturing facial images of the customers could give rise to privacy obligations of this extent.

Information collected by businesses can often yield more or different data, and more uses for that data, than they originally anticipated. Likewise, rapid developments in technology enable businesses to streamline their practices and collect more data about their customers than ever before. As such, it is crucial that this information is collected and held in a lawful and proper manner in compliance with applicable privacy legislation.

Even if a business already has privacy obligations under the Privacy Act, or State or Territory legislation, the collection of a new type of personal information (in 7-Eleven’s case, biometric information) can give rise to new obligations and require the business to take additional privacy compliance measures. This is equally true for vaccination information that businesses are required to (or want to) collect.

consider your privacy obligations

If your business is not fully across its privacy obligations, either under the Federal or the State or Territory privacy legislation, we strongly recommend that you consider whether you are at risk of breaching your obligations.

Please contact a member of our Commercial team if you have any questions or concerns, or would like tailored advice on your business’ specific obligations under Australian privacy legislation.

The full Determination about 7-Eleven can also be found here.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.


7-Eleven interferes with survey entrants’ privacy

22 October 2021
Kelly Dickson, Greta Walters
