Privacy Law

7-Eleven customer survey: Do privacy policy terms equal consent?

Reviewed by Malcolm Burrows

In 2020 the 7-Eleven Stores Pty Ltd ACN 005 299 427 (7-Eleven) chain launched a nationwide customer feedback mechanism that prompted customers to complete a voluntary survey about their in-store experience on a tablet device.  When a customer completed the survey, a digital image of the customer was taken and shared with two (2) Application Programming Interfaces (APIs) to assess and record certain information about the customer.

On 29 September 2021 the Office of the Australian Information Commissioner (OAIC) declared that 7-Eleven breached the Australian Privacy Principles with these actions.[1]

Background to the OAIC’s investigation

7-Eleven is considered an ‘APP’ entity under section 6 of the Privacy Act 1988 (Cth) (Act).  In mid-2020 7-Eleven launched a customer survey mechanism across more than 700 stores throughout Australia, allowing customers to contribute voluntary feedback about their in-store experience.  The survey was supplied by a third party (Supplier) and was delivered on tablet devices, often located at the store counter.  Each time a survey was being completed, the tablet took images of the customer’s face using the built-in camera, and these images were uploaded to a secure server (Server).

The images were stored on the tablet for approximately twenty (20) seconds before being uploaded to the Server.  The images were deleted from the Server after seven (7) days.  However, the Supplier used the first of two (2) APIs to convert each of the images into an encrypted algorithmic representation (Faceprint), and the Faceprints were stored on the Server for an indefinite period of time.

The Faceprint was used to identify information about the approximate gender and age of the customer, which was linked to the survey response.  Any Faceprints that were collected by a tablet within a twenty (20)-hour period were sent to a second API to detect similarities between customers and flag matched survey results.

7-Eleven’s purpose for collecting such images and Faceprints was to allow an understanding of customer demographics and to detect survey responses from the same individual within a short time period in case such responses were not genuine.

APP and the issue of consent in the 7-Eleven case

The Australian Privacy Principles (APP) are contained within Schedule 1 of the Act and regulate the collection, use, disclosure and security of personal information held by APP entities.  APP 3.3 relates to the collection of sensitive information, defined at section 6 of the Act, and includes obtaining the consent of the person providing the sensitive information.  The OAIC found that Faceprints are considered sensitive information[2]  and reviewed the concept of ‘consent’.  Four (4) key elements of consent were identified:

  • the individual is adequately informed before giving consent;
  • the individual gives consent voluntarily;
  • the consent is current and specific; and
  • the individual has the capacity to understand and communicate their consent.[3]

7-Eleven submitted that all stores displayed a notice at the store entrance which had an image of a video or CCTV camera and alerted customers that, by entering the store, they agree to facial recognition technology capturing and storing their image.  The privacy policy contained on 7-Eleven’s website stated that they only collect personal information that is reasonably necessary for 7-Eleven’s business functions.[4]

The OAIC found that 7-Eleven solicited the Faceprints by inviting customers to complete the voluntary survey, and found that there was no clear evidence that individuals consented to the collection of the facial images or Faceprints as:

  • there was no information on or around the tablet noting the collection of the Faceprints;
  • the notices at the store entrances were unclear and may have created an impression that the images being captured were for surveillance purposes; and
  • the privacy policy contained on 7-Eleven’s website did not link the collection of Faceprints to the use of in-store ‘feedback kiosks’.[5]

OAIC declaration

The OAIC declared that, between 15 June 2020 and 24 August 2021, the 7-Eleven Stores Pty Ltd interfered with the privacy of customers through the collection of images and Faceprints and breached the APP by:

  • collecting customer images and Faceprints without consent, and where that information was not reasonably necessary for 7-Eleven’s functions and activities (APP 3.3); and
  • failing to take reasonable steps to notify individuals about the facts and circumstances of collection and the purposes of collection of that information (APP 5).[6]

The OAIC declared that 7-Eleven must destroy, or cause to be destroyed, all Faceprints, and must not repeat or continue the conduct.[7]

Takeaways for businesses

A key issue for 7-Eleven was the lack of clear, express disclosure regarding the collection of the facial images and Faceprints.  The in-store notices were vague and the information was not provided in a clear manner within the vicinity of the tablet.  Customers were therefore not adequately informed about what they were being asked to consent to and could not provide valid consent.

The OAIC declaration highlights that, to be properly compliant with the APPs, businesses must ensure that notices relating to the collection of personal information are displayed clearly and in an appropriate location, and that they accurately outline what information is collected and why.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Cases

Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) (Corrigendum dated 12 October 2021) [2021] AICmr 50


[1] Ibid, at [4] to [6].

[2] Ibid, at [80] to [84].

[3] Ibid, at [50].

[4] Ibid, at [89] to [91].

[5] Ibid, at [93].

[6] Ibid, at [107] and [125].

[7] Ibid, at [135].

