90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-058
Retail & hospitality · Australia · 2021 · Biometric collection without consent

7-Eleven scanned the faces of customers filling in feedback surveys at 700 stores, and Australia's privacy regulator ordered the faceprints destroyed

By Ellie Harris · Filed Faceprints collected June 2020 to August 2021

Alleged: 7-Eleven Stores Pty Ltd (Australia) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

7-Eleven scanned the faces of customers filling in feedback surveys at 700 stores, and Australia's privacy regulator ordered the faceprints destroyed

What happened

7-Eleven wanted to know what its Australian customers thought of its stores, so it put tablets running a feedback survey near the exits of around 700 of them. The tablets did more than record star ratings. Each had a built-in camera, and as a customer answered the survey it captured images of their face and turned them into a “faceprint,” an algorithmic template of their features. The stated reason was integrity: the faceprints let 7-Eleven detect when the same person filled in the survey more than once in a short window on the same tablet, and so weed out responses that were not genuine. A secondary purpose was to read a rough demographic profile of who was answering.

The customers were not meaningfully told any of this was happening, and they were not asked. Between June 2020 and August 2021 the system ran across the store network; in its first ten months alone customers completed some 1.6 million surveys. Faces were being converted into biometric templates at scale, quietly, as a side effect of rating a store out of five.

The Office of the Australian Information Commissioner investigated, and on its own initiative. In a determination issued in September 2021, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, found that 7-Eleven had breached the Privacy Act. Faceprints are sensitive information, a special category the law guards closely, and 7-Eleven had collected them without consent and where the collection was not reasonably necessary for its functions, contrary to Australian Privacy Principle 3.3, and had failed to take reasonable steps to notify customers of what it was doing, contrary to Australian Privacy Principle 5.1. The Commissioner found the practice disproportionate: whatever 7-Eleven gained from checking survey integrity this way did not justify collecting biometric data from millions of people. “Any benefits to the business in collecting this biometric information,” she found, “were not proportional to the impact on privacy.” She noted that biometric information is unique to a person and cannot normally be changed. 7-Eleven was ordered to stop the collection and to destroy the faceprints it held. No fine was imposed; the remedy was the destruction order and the finding itself.

What an auditable version would have shown

The problem with the 7-Eleven system was not a failure that needed detecting after the fact; it was the design itself. The relevant question, whether there was a lawful basis to collect biometric information from every surveyed customer and whether they had been told, had a clear answer, no, and the system simply never asked it before switching on. There was nothing between the decision to use faceprints and the collection of 1.6 million people’s faces.

An auditable version makes lawful basis and notice a precondition that is checked and recorded before sensitive data is collected, not a question raised by a regulator afterwards. Before a faceprint is generated, the system confirms that the collection is permitted and that the person has been notified and, where required, has consented, and it records that this check was made. With that, “we collect biometric data to verify surveys” is tested against the law at the point of collection, where the answer would have stopped it, instead of being adjudicated a year later across a network of 700 stores.

Where the gap was

The gap was that a system collecting sensitive biometric information ran without any check on whether it was lawfully entitled to, and without notifying the people it collected from. Consent and notice were not weighed and found sufficient; they were absent.

A ConstraintGate is the control. Collection of sensitive information is gated on a declared lawful basis and on notice to the individual, and it does not proceed where those conditions are not met; biometric data, which cannot be reissued like a password, sits at the strict end of that rule. A ConductRecord is the second: a record that, for each collection, the basis and notice were present, so the organisation can show it met the standard rather than assert it after the regulator asks.

What governance should have looked like

The pattern completes a set this library has seen before in Australian retail, where facial recognition was pointed at ordinary customers for ordinary commercial purposes, treating consent and proportionality as afterthoughts. The lesson each time is the same: sensitive data should not be collected until something has checked that it lawfully can be, and recorded that it checked. Biometrics raise the stakes because the person cannot get their face back.

The reference implementation of ConstraintGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and 7-Eleven Stores Pty Ltd (Australia) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →