In a day and age where unlocking your phone with your face is the norm, you may not think twice about completing an in-store survey on a tablet or device equipped with a front facing camera. However, late last year the Office of the Australian Information Commissioner (OAIC) found that 7-Eleven breached its customers’ privacy by using such a camera to collect facial images of its customers.
The case provides some interesting insight into what is considered “biometric information”, the extent to which consent of an individual to collect personal information can be implied and when the collection of certain information can be considered “reasonably necessary” to a business’ functions or activities.
The OAIC’s findings highlight the importance for organisations to ensure that the information they collect, in this case a particular type of sensitive information, is collected in a manner that is consistent with the Privacy Act 1988 (Cth) (the Privacy Act).
In June 2020, 7-Eleven introduced “feedback kiosks” in 700 of its stores for customers to voluntarily participate in a survey about their in-store experience. The surveys were conducted on a tablet, which collected facial images of the participating customers and converted these images to face prints (that is, an “algorithmic representation of the face”). The purpose of this was to identify if a person was leaving multiple responses to the survey, as well as to understand the demographic profile of these participating customers. By March 2021, some 1.6 million surveys had been completed.
In September 2021, the OAIC found that the “feedback kiosk” program implemented by 7-Eleven constituted a breach of the Australian Privacy Principles (APPs). Namely, that 7-Eleven collected “sensitive information” of customers without their consent, for purposes that were not reasonably necessary for its functions or activities and that it had failed to notify its customers about the facts and circumstances of the collection of the information.
Collection of “Sensitive Information”
“Sensitive information” (which includes “biometric information”) is not permitted to be collected by an organisation, unless the individual consents to be it being collected and the information is reasonably necessary for one or more of the functions or activities of the organisation. Unfortunately, in 7-Eleven’s case, the OAIC declared that neither of these criteria were satisfied in respect of the “feedback kiosk” program.
While “biometric information” is not defined in the Privacy Act, the OAIC commented that biometrics can stem from a variety of different technologies to recognise a person based on their biometric characteristics, such as their physiological attributes (for example, a person’s facial geometry) or behavioural attributes, and that these cannot normally be changed and are persistent and unique to the individual.
In this particular case, the facial images and faceprints meant that an individual could be reasonably identifiable as the image allowed for the individual to be distinguished from other individuals’ faceprints and could therefore be used for the purpose of “automated biometric verification or biometric identification” which falls under the definition of “sensitive information”.
Despite this, the OAIC found that:
- the use of the tablet did not unambiguously indicate a customer’s agreement to 7-Eleven collecting their facial image and faceprint;
- 7-Eleven’s efforts (outlined above) did not sufficiently link its disclosed collection of biometric information to the feedback kiosks; and
- there was no information provided on or in the vicinity of feedback kiosks.
While understanding and improving customers’ in-store experience was accepted by the OAIC to be a legitimate function or activity of 7-Eleven, it was not considered proportional to the risk it posed to an individual’s privacy. Instead, the OAIC took the view that other methods could have been employed to achieve the desired result (that is, to identify non-genuine responses and collect demographic information).
As technology evolves and provides new means to collect various types of information, it is more important than ever to ensure that your organisation has the appropriate privacy practices in place to meet its obligations under the Privacy Act and protect the personal information of its customers.
This case also shows the importance of obtaining express consent from customers when collecting personal information, especially when such personal information may include sensitive information. This is particularly important where consent may be considered ambiguous or where there could be reasonable doubt about the individual’s intention to provide their consent to the collection and use of their personal information.
Consideration should also be given to the methods used to collect personal or sensitive information, and whether these methods are the most appropriate or suitable in the circumstances. Whilst implied consent can be established in certain circumstances, the formality of the consent relied upon should be balanced against the type of information to be collected and in the context of any potential to an individual’s privacy.
The KKI Commercial Team understand and value the importance of privacy and are always here to help you with meeting your privacy obligations.