Customers not aware that their sensitive biometric info was gathered
Cadillac Fairview – one of North America’s largest commercial real estate companies – embedded cameras inside their digital information kiosks at 12 shopping malls across Canada and used facial recognition technology without their customers’ knowledge or consent, an investigation by the federal, Alberta and BC Privacy Commissioners has found.
Cadillac Fairview also asserted that it was not collecting personal information, since the images taken by camera were briefly analyzed then deleted. However, the Commissioners found that Cadillac Fairview did collect personal information, and contravened privacy laws by failing to obtain meaningful consent as they collected the 5 million images with small, inconspicuous cameras. Cadillac Fairview also used video analytics to collect and analyze sensitive biometric information of customers.
The investigation also found that:
- Facial recognition software was used to generate additional personal information about individual shoppers, including estimated age and gender.
- While the images were deleted, investigators found that the sensitive biometric information generated from the images was being stored in a centralized database by a third party.
- Cadillac Fairview stated that it was unaware that the database of biometric information existed, which compounded the risk of potential use by unauthorized parties or, in the case of a data breach, by malicious actors.
“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” says Privacy Commissioner of Canada Daniel Therrien. “The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity.”
“This investigation exposes how opaque certain personal information business practices have become,” says Jill Clayton, Information and Privacy Commissioner of Alberta. “Not only must organizations be clear and up front when customers’ personal information is being collected, they must also have proper controls in place to know what their service providers are doing behind the scenes with that information.”
“Questions about when an organization is collecting personal information can be complex, but the conclusion we came to about cameras in mall directories was straight-forward,” says Michael McEvoy, Information and Privacy Commissioner for British Columbia. “Pictures of individuals were taken and analyzed in a manner that required notice and consent.”
The regulators launched the investigation following media reports that raised questions about Toronto-based Cadillac Fairview’s practices.
In response to the investigation, the company removed the cameras from its digital directory kiosks. It has no current plans to reinstall the technology. It has also deleted all information associated with the video analytics technology that is not required for legal purposes, and confirmed it will not retain or use such data for any other purpose. This includes the more than 5 million biometric representations of individual shoppers’ faces, which it had retained for no discernable reason.
The three privacy commissioners have recommended that if Cadillac Fairview were to use such technology in the future, it should take steps to obtain express, meaningful consent, before capturing and analyzing the biometric facial images of shoppers.
The Commissioners remain concerned that Cadillac Fairview refused their request that it commit to ensuring express, meaningful consent is obtained from shoppers should it choose to redeploy the technology in the future.