Convenience store company 7-Eleven breached customer privacy by gathering facial imagery data without consent, according to an Australian privacy commission, which began looking into the matter in July of 2020.

The Information Commissioner’s Office said in a release that the data was collected illegally from June 2020 to August 2021 using camera-enabled tablets in 700 stores. The stores were located across Victoria, New South Wales, ACT, Queensland and Western Australia. Images were captured when customers completed voluntary surveys about their in-store experience, according to the report.

The data was collected when the customers initially engaged with the tablet and after they completed the survey, then was uploaded to a secure server hosted in Australia within the Microsoft Azure infrastructure.

The facial images were then deleted from the tablet. The stated purpose of the facial image collection was to determine if the same person was leaving multiple responses to the survey within 20 hours on the same tablet.

As of March 2021, the report said, 1.6 million survey responses were completed for a total of 3.2 million images.

The company infringed on customers’ privacy, the OAIC statement said, by “collecting those individuals’ sensitive information without consent, and where that information was not reasonably necessary for the respondent’s functions and activities, in breach of Australian Privacy Principle (APP) 3.3 b. failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information, in breach of APP 5.”

The office ordered 7-Eleven to destroy the faceprints and provide written confirmation of doing so within 90 days.

Representatives for the company did not immediately return a request for comment on the findings or the order to destroy the faceprints.