Home Business Cadillac Fairview breaks privacy laws across Canada

Cadillac Fairview breaks privacy laws across Canada

by Gavin Mercier & Matthew Best

A joint investigation revealed facial recognition software inside cameras at malls

Cadillac Fairview, a major property management firm, was found to be unlawfully collecting data on its mall patrons, including those at Toronto’s Eaton Centre. (Photo from Reddit)

Toronto property management firm Cadillac Fairview illegally collected personal information from millions of shoppers at 12 shopping malls, including Toronto’s Eaton Centre, according to the findings of a joint federal-provincial privacy commission investigation released last week.

The Office of the Privacy Commissioner of Canada (OPCC), along with the offices of the information and privacy commissioners of Alberta and B.C., said the malls collected information on over five million people through cameras installed in kiosks to create an estimate of their age, gender and shopping patterns.

“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” Daniel Therrien, federal privacy commissioner, said in a release accompanying the findings.

Although some of the Cadillac Fairview’s malls are in Ontario, the province doesn’t have the same privacy and data collection legislation as Alberta and B.C. Instead, privacy laws apply to health information, provincial and municipal bodies, and youth and family services. Consumer privacy in Ontario is governed by the federal Personal Information and Protection of Electronic Documents Act, or PIPEDA, which also gave the OPCC the right to investigate Cadillac Fairview.

The results of the investigation confirmed that Cadillac Fairview was using cameras to identify and track individuals within the mall. Cadillac Fairview claimed that they obtained consent from their customers via stickers at entrances. However, the investigation found that the stickers were insufficient to establish meaningful consent.

A photo from a Reddit user in Calgary showing an exposed command line with “FaceAnalyzer,” “gender” and “age” in its code running on a kiosk at Calgary’s Chinook Centre kicked off the investigation. (Photo from Reddit)

The issue was discovered in 2018, when a Reddit user posted a photo showing suspicious code running on a kiosk at the Chinook Centre in Calgary. Federal and provincial privacy offices in Alberta and B.C. launched a joint investigation shortly after the photo went viral.

Cadillac Fairview also claimed images were quickly deleted after a brief analysis. The investigation found that biometric data taken from the images was being kept on a centralized database run by Mappedin, a company that provides indoor maps and wayfinding. 

“Cadillac Fairview stated that it was unaware that the database of biometric information existed, which compounded the risk of potential use by unauthorized parties or, in the case of a data breach, by malicious actors,” stated the OPCC’s release.

“The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity,” Therrien said.

The OPCC does not have the power to levy fines against Cadillac Fairview. The cameras have since been removed.

This article may have been created with the use of AI software such as Google Docs, Grammarly, and/or Otter.ai for transcription.

You may also like