https://www.zdnet.com/article/7-eleven-collected-customer-facial-imagery-during-in-store-surveys-without-consent/

7-Eleven breached customer privacy by collecting facial imagery without consent

The OAIC has found 7-Eleven breached customers' privacy by collecting and storing their facial images as part of efforts to understand the demographic profile of its customers.

By Campbell Kwan | October 13, 2021 | Topic: Security

In Australia, the country's information commissioner has found that 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.

From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras.
These tablets, which were installed in 700 stores, captured customers' facial images at two points during the survey-taking process -- when the individual first engaged with the tablet, and after they completed the survey.

After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven's survey.

During the investigation [PDF], the OAIC found 7-Eleven stored the facial images on tablets for around 20 seconds before uploading them to a secure server hosted in Australia within the Microsoft Azure infrastructure. The facial images were then retained on the server, as an algorithmic representation, for seven days to allow 7-Eleven to identify and correct any issues, and reprocess survey responses, the convenience store giant claimed.

The facial images were uploaded to the server as algorithmic representations, or "faceprints", that were then compared with other faceprints to exclude responses that 7-Eleven believed may not be genuine.

7-Eleven also used the personal information to understand the demographic profile of customers who completed the survey, the OAIC said.

7-Eleven claimed it received consent from customers who participated in the survey as it provided a notice on its website stating that 7-Eleven may collect photographic or biometric information from users. The survey resided on 7-Eleven's website.

As at March 2021, approximately 1.6 million survey responses had been completed.

Angelene Falk, Australia's Information Commissioner and Privacy Commissioner, determined that this large-scale collection of sensitive biometric information breached Australia's privacy laws and was not reasonably necessary for the purpose of understanding and improving customers' in-store experience.

In Australia, an organisation is prohibited from collecting sensitive information about an individual unless consent is provided.
Falk said facial images that show an individual's face are sensitive information. She added that any algorithmic representation of a facial image is also sensitive information.

In regard to 7-Eleven's claim that consent was provided, Falk said 7-Eleven did not provide any information about how customers' facial images would be used or stored, which meant 7-Eleven did not receive any form of consent when it collected the images.

"For an individual to be 'identifiable', they do not necessarily need to be identified from the specific information being handled. An individual can be 'identifiable' where it is possible to identify the individual from available information, including, but not limited to, the information in issue," Falk said.

"While I accept that implementing systems to understand and improve customers' experience is a legitimate function for 7-Eleven's business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy."

As part of the determination, Falk has ordered 7-Eleven to cease collecting facial images and faceprints as part of the customer feedback mechanism. 7-Eleven has also been ordered to destroy all the faceprints it collected.