According to a report by Medianama, a popular tea outlet in India Chaayos is gathering users face data without giving customers the option to opt-out of it. The popular chain is doing this as an alternative to OTP. In the UI of the display where one has to register, there is no option to opt-out of facial recognition. There is only a “start” option. There are a lot of questions that are left unanswered. For example how long is the data stored? Where is it stored? How long is it stored for? What other uses can Chhayos use the facial data for? Medianama points out that “In case the police approaches a Chaayos outlet to investigate a case, will the company share this facial data with them?” There is also no assurance on the safety of this data being collected.
Nikhil Pahwa, founder and editor of MediaNama said, “I was buying tea and didn’t even notice what was on the screen, and suddenly, the screen showed me. Remember, all this is happening without facial recognition norms, or a privacy law in India.”
In a series of tweets, Nikhil Pahwa says, “Issues: 1. No terms & conditions displayed.
2. Consent isn't real when there's no opt out option.
3. We don't know if Chaayos will sell this data/gives itself the right to.
4. We don't know what kind of other data this facial info is being linked to. We don't know what kind of info this data will be compared with from other external databases.
5. Biometric info is a permanent username+password. Should not be used.
6. This is sensitive personal info.+”
Chaayos terms and conditions page says the following which is quite alarming. It reads, “Unless a law prohibits us from excluding or limiting our liability, we are not liable for any loss you incur in connection with Login service, or your instructions, or any unauthorised transactions through or in connection with the Chaayos Face Login service. You agree to undertake any direct or indirect claims, legal procedures, legal liabilities, loses, damages arising from our actions in accordance with your orders or notices and all expenses (including all legal costs) which are of reasonable amount whatsoever and howsoever caused that may arise to be reasonably incurred by us in providing Chaayos Face Login service to you. And you promise to indemnify us, upon our request, for the losses and expenses that we have suffered”. You can read the complete terms and conditions here.
According to the source, Chai Point has had a similar system in place since 2018. The function of the system is the same, to remove the need for OTP.