Supermarket chain 7-Eleven wrongfully collected the biometric information of customers 1.6 million times, the Office of the Australian Information Commissioner (OAIC) has found.

In a determination published last Thursday, Privacy Commissioner Angelene Falk said 7-Eleven breached Australian Privacy Principles when it took pictures of customers as they filled out in-store surveys and used those images to create faceprints to check for inauthentic survey responses.

“Biometric information is unique to an individual and cannot normally be changed,” Falk said.

“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities.

“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy.”

Customers used tablets installed at 7-Eleven stores to voluntarily fill out surveys about their experience.

At the beginning and end of the survey, the tablet’s in-built camera would snap a photo of the customer’s face and send the images to a Microsoft Azure server for processing.

The processing involved approximating the customer’s age and gender as well as converting facial images into “an encrypted algorithmic representation of the face” which Falk refers to as a ‘faceprint’.

Faceprints recorded by the tablet in the past 20 hours would then get checked against one another for any matches in an attempt to weed out people who repeatedly entered the survey.

The service was run by a third party contracted by 7-Eleven.

7-Eleven failed to adequately notify customers that it was collecting their biometric information, Falk found, despite the company submitting that it posted notices in-store which supposedly told customers that “by entering the store you consent to facial recognition cameras capturing and storing your image”.

A 7-Eleven privacy policy also mentioned the capture and storage of biometric information but neither it nor the store notices asked for consent “before or during the survey process”.

Although the privacy commissioner described 7-Eleven’s privacy breaches as “serious” – after all, it collected 1.6 million survey results – the remediation was fairly lenient, requiring 7-Eleven to delete all faceprints it gathered and “to ensure this act or practice is not continued”.

A spokesperson for 7-Eleven said the company stopped photographing its customers once the commissioner handed down its findings and that it has deleted the faceprints.

“7-Eleven appreciates the Commissioner’s recognition of 7-Eleven’s co-operation throughout the investigation process, as well as her confirmation that the matter is now closed without any further action required,” the spokesperson said.