Privacy Law

7-Eleven customer survey: implied consent?

by

reviewed by

Malcolm Burrows

In 2020 the 7-Eleven Stores Pty Ltd ACN 005 299 427 (7-Eleven) chain launched a customer feedback mechanism nationwide which prompted customers to complete a voluntary survey about their experience in store on a tablet device.  When a customer completed the survey, a digital image was taken of the customer which was shared with two (2) Application Programming Interfaces (API) to assess and record certain information about the customer.

On 29 September 2021 the Office of the Australian Information Commissioner (OAIC) recently declared that 7-Eleven breached Australian Privacy Principles with these actions.[1]

Background to the OAIC’s investigation

7-Eleven is considered an ‘APP’ entity under section 6 of the Privacy Act 1988 (Cth) (Act).  In mid-2020 7-Eleven launched a customer survey mechanism across more than 700 stores throughout Australia, allowing customers to contribute voluntary feedback about their in-store experience.  The survey was supplied by a third party (Supplier) and was delivered on tablet devices, often located at the store counter.  Each time a survey was being completed, the tablet took images of the customer’s face using the built-in camera, and these images were uploaded to a secure server (Server).

The images were stored on the tablet for approximately twenty (20) seconds before being uploaded to the Server.  After seven (7) days, the images were deleted from the Server, however the Supplier used the first of two (2) APIs to convert each of the images into an encrypted algorithmic representation (Faceprint). The Faceprints were stored for an indefinite period of time on the server.

The Faceprint was used to identify information about the approximate gender and age of the customer, which was linked to the survey response.  Any Faceprints that were collected by a tablet within a twenty (20)-hour period were sent to a second API to detect similarities between customers and flagged matched survey results.

7-Eleven’s purpose for collecting such images and Faceprints was to allow an understanding of customer demographics and to detect survey responses from the same individual within a short time period in case such responses were not genuine.

APP and the issue of consent in the 7-Eleven case

The Australian Privacy Principles (APP) are contained within Schedule 1 of the Act and regulate the collection, use, disclosure and security of personal information held by APP entities.  APP 3.3 relates to the collection of sensitive information, defined at section 6 of the Act, and includes obtaining the consent of the person providing the sensitive information.  The OAIC found that Faceprints are considered sensitive information[2]  and reviewed the concept of ‘consent’.  Four (4) key elements of consent were identified:

  • the individual is adequately informed before giving consent;
  • the individual gives consent voluntarily;
  • the consent is current and specific; and
  • the individual has the capacity to understand and communicate their consent.[3]

7-Eleven submitted that all stores displayed a notice at the store entrance which had an image of a video or CCTV camera and alerted customers that, by entering the store, they agree to facial recognition technology capturing and storing their image.  The privacy policy contained on 7-Eleven’s website stated that they only collect personal information that is reasonably necessary for 7-Eleven’s business functions.[4]

The OAIC found that 7-Eleven solicited the Faceprints by inviting customers to complete the voluntary survey, and found that there was no clear evidence that individuals consented to the collection of the facial images or Faceprints as:

  • there was no information on or around the tablet noting the collection of the Faceprints;
  • the notices at the store entrances were unclear and may have created an impression that the images being captured were for surveillance purposes; and
  • the privacy policy contained on 7-Eleven’s website was not linked to the collection of Faceprints to the use of in-store ‘feedback kiosks’.[5]

OAIC declaration

The OAIC declared that, between 15 June 2020 and 24 August 2021, the 7-Eleven Stores Pty Ltd interfered with the privacy of customers through the collection of images and Faceprints and breached the APP by:

  • collecting customer images and Faceprints without consent, and where that information was not reasonably necessary for 7-Eleven’s functions and activities (APP 3.3); and
  • failing to take reasonable steps to notify individuals about the facts and circumstances of collection and the purposes of collection of that information (APP 5).[6]

The OAIC declared that 7-Eleven must destroy, or cause to be destroyed, all Faceprints, and must not repeat or continue the conduct.[7]

Takeaways for businesses

A key issue for 7-Eleven was that there was a lack of clear, express disclosure regarding the collection of the facial images and Faceprints.  The in-store notices were vague and the information was not provided in a clear manner within the vicinity of the tablet.  As such, customers were not adequately informed about what they were being asked to consent to and, as such, could not provide valid consent.

The OAIC declaration highlights that, to be properly compliant with the APPs, businesses must ensure that notices relating to the collection of personal information are displayed clearly and in an appropriate location, and they accurately outline what information is collected and why.

Links and further references

Legislation

Privacy Act 1998 (Cth)

Cases

Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) (Corrigendum dated 12 October 2021) [2021] AICmr 50

Further information about Australian Privacy Principles

If you need advice on compliance with Australian Privacy Principles, contact us for a confidential and obligation-free discussion:

[1] Ibid, at [4] to [6].

[2] Ibid, at [80] to [84].

[3] Ibid, at [50].

[4] Ibid, at [89] to [91].

[5] Ibid, at [93].

[6] Ibid, at [107] and [125].

[7] Ibid, at [135].


Related insights about Australian Privacy Principles

  • WIJOAV v Goldstone – shareholder oppression in a private equity context

    WIJOAV v Goldstone – shareholder oppression in a private equity context

    The recent case of WIJOAV Services Pty Ltd v Goldstone Private Equity Pty Ltd [2025] FCA 622 (WIJOAV v Goldstone) involved a claim of shareholder oppression under section 232 of the Corporations Act 2001 (Cth) (Corporations Act).  The case established that a shareholder in a private equity fund may be oppressed by a co-investor where…

    Read more …

  • Mere puffery vs misleading and deceptive conduct – where is the line?

    Mere puffery vs misleading and deceptive conduct – where is the line?

    In the case of Australian Competition and Consumer Commission v TPG Internet Pty Ltd [2013] HCA 54 (ACCC v TPG), the High Court of Australia (High Court) drew a distinction between mere puffery and representations with the intention of marketing.  This article explores the decision in ACCC v TPG and the distinction between puffery and…

    Read more …

  • Federal Court dismisses continuous disclosure claim

    Federal Court dismisses continuous disclosure claim

    The Federal Court recently dismissed Australia Securities and Investment Commission’s (ASIC) claim in Australian Securities and Investment Commission v Nuix Limited [2026] FCA 490 (ASIC v Nuix) that Nuix Limited breached its obligations under section 674 of the Corporations Act 2001 (Cth) (Corporations Act).  Nuix Limited (Nuix) successfully contested ASIC’s allegation that it had breached…

    Read more …

  • Individual Flexibility Arrangements: an overview

    Individual Flexibility Arrangements: an overview

    Modern awards and enterprise agreements set out the minimum terms and conditions of employment for most Australian workers performing different roles.  The Fair Work Act 2009 (Cth) (Act) provides a mechanism by which an employer and an individual employee may, by agreement, adjust the operation of certain terms in their Award to better suit theircircumstances. …

    Read more …

  • Coercive control and shareholder oppression

    Coercive control and shareholder oppression

    The Criminal Law (Coercive Control and Affirmative Consent) and Other Legislation Amendment Act 2024 (Qld) came into effect on 18 March 2024, by adding chapter 29A to the Criminal Code Act 1899 (Qld) (Criminal Code).  This chapter establishes a separate offence of “coercive control’, which stems from domestic violence offences and involves the use of…

    Read more …

  • Overview of the Unfair Trading Practices Bill 2026

    Overview of the Unfair Trading Practices Bill 2026

    On 1 April 2026, the Australian Government introduced the Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 (Cth) (Bill) to amend the Competition and Consumer Act 2010 (Cth) (CCA) and Australian Consumer Law (ACL).[1]  If passed, the reform will take effect on 1 July 2027.  The Bill’s amendments aim to protect consumers from manipulative…

    Read more …

  • Does your start-up meet the ESIC tax-offset criteria?

    Does your start-up meet the ESIC tax-offset criteria?

    Federal government introduced the Tax Laws Amendment (Tax Incentives for Innovation) Act 2016 (Cth) to provide tax incentives for investors in an eligible early stage innovation company (ESIC), including 20% up-front non-refundable tax offset and capital gains tax (CGT) exemption for all types of investors meeting criteria.

    Read more …

  • White-Anting: An employer’s lawful termination guide

    White-Anting: An employer’s lawful termination guide

    Employees who use White Anting tactics to deliberately undermine management or disrupt workplace harmony may be summarily dismissed, provided the relevant legal conditions are met and a proper process is followed.  Following our 28 April 2026 article “White Anting: serious misconduct?“, this article provides practical “how to” steps for employers to lawfully dismiss employees who…

    Read more …

  • White Anting: serious misconduct?

    White Anting: serious misconduct?

    White Anting is an Australian term meaning to sabotage, undermine, or destroy an organisation, project, or person from within.  White Anting in the workplace often involves the quiet, insidious undermining of a colleague or superior through gossip, withholding information, exclusion, or spreading doubt.  White Anting  has been recognised by psychologists as a psychosocial hazard and…

    Read more …

Send this to a friend