A joint investigation revealed facial recognition software inside cameras at malls
Toronto property management firm Cadillac Fairview illegally collected personal information from millions of shoppers at 12 shopping malls, including Toronto’s Eaton Centre, according to the findings of a joint federal-provincial privacy commission investigation released last week.
The Office of the Privacy Commissioner of Canada (OPCC), along with the offices of the information and privacy commissioners of Alberta and B.C., said the malls collected information on over five million people through cameras installed in kiosks to create an estimate of their age, gender and shopping patterns.
“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” Daniel Therrien, federal privacy commissioner, said in a release accompanying the findings.
Although some of the Cadillac Fairview’s malls are in Ontario, the province doesn’t have the same privacy and data collection legislation as Alberta and B.C. Instead, privacy laws apply to health information, provincial and municipal bodies, and youth and family services. Consumer privacy in Ontario is governed by the federal Personal Information and Protection of Electronic Documents Act, or PIPEDA, which also gave the OPCC the right to investigate Cadillac Fairview.
The results of the investigation confirmed that Cadillac Fairview was using cameras to identify and track individuals within the mall. Cadillac Fairview claimed that they obtained consent from their customers via stickers at entrances. However, the investigation found that the stickers were insufficient to establish meaningful consent.
The issue was discovered in 2018, when a Reddit user posted a photo showing suspicious code running on a kiosk at the Chinook Centre in Calgary. Federal and provincial privacy offices in Alberta and B.C. launched a joint investigation shortly after the photo went viral.
Cadillac Fairview also claimed images were quickly deleted after a brief analysis. The investigation found that biometric data taken from the images was being kept on a centralized database run by Mappedin, a company that provides indoor maps and wayfinding.
“Cadillac Fairview stated that it was unaware that the database of biometric information existed, which compounded the risk of potential use by unauthorized parties or, in the case of a data breach, by malicious actors,” stated the OPCC’s release.
“The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity,” Therrien said.
The OPCC does not have the power to levy fines against Cadillac Fairview. The cameras have since been removed.
