Cadillac Fairview is censured by Canadian privacy regulators
On Oct. 28 the Federal Privacy Commissioner and the Privacy Commissioners of Alberta and British Columbia (collectively, Regulators) unveiled findings that The Cadillac Fairview Corporation Limited (CF) had been collecting and using the personal information (including sensitive biometric information) of visitors to its Canadian malls, without valid consent, in contravention of Canada’s Personal Information Protection and Electronic Documents Act, Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act (Acts).
As early as 2018 Canadian media sources had begun sounding the alarm as to whether CF was using certain facial recognition/analytic technologies without adequate consent. The concern arose from the use of Anonymous Video Analytics (AVA) technology installed on digital wayfinding directories, the touchscreen digital maps that allow visitors to locate stores and find their way through CF shopping malls.
AVA technology generally refers to software designed to gather metrics about digital signage audience engagement. It operates by scanning real-time feeds from video cameras utilizing pattern detection algorithms to identify shoppers anonymously for the purpose of creating aggregate reports. The Regulators considered whether CF’s use of the AVA technology (i) resulted in the collection, use and/or disclosure of personal information; and if yes, (ii) whether CF obtained adequate consent for that collection, use and/or disclosure, and (iii) whether CF retained that information for longer than necessary.
The AVA technology was first installed by Mappedin, the provider of the wayfinding directories and AVA technology, on June 13, 2017 for a testing phase until it was disabled on Dec. 1, 2017. It was ultimately rolled out in 12 shopping malls across Canada between May 31, 2018 and July 31, 2018, including the CF Pacific Centre in Vancouver and the CF Toronto Eaton Centre.
The wayfinding directories all contained optical devices (i.e., cameras) behind protective glass on the periphery of the screen, but they were virtually invisible. The AVA technology assessed objects coming into the field of view of the camera in real time to determine if there was a human face present. If the software detected a human face it produced assessments of the probable gender and the age range for that face, also attributing a unique identifier, a random number, to each face detected. The AVA technology would also assign a new random unique identifier if a user exited the field of view and subsequently returned.
CF repeatedly stressed that at no time was the AVA technology capturing images or any other personal information since the gender and age range outputs were anonymous. CF also said that Mappedin simply analyzed demographic information to provide CF with anonymous, aggregate insights into traffic patterns and directory usage.
However, in reality the AVA technology was collecting and/or generating considerably more information when it scanned faces, including (i) a unique identifier for the wayfinding directory in which the collection occurred; (ii) a unique identifier for the camera used for the collection; (iii) a unique identifier for tracking and differentiating faces in the field of view; (iv) a numerical representation of individual faces; (v) the property in which the camera is located; and (vi) a timestamp. During the time the AVA technology was operating, CF, via the AVA technology, collected, used and retained 5,061,324 numerical representations of faces from an unknown number of individuals.
Before it deployed the AVA technology, CF engaged in a testing and calibration exercise at the CF Toronto Eaton Centre and CF Sherway Gardens on April 29, May 12 and May 13, 2018. During this period the technology generated sixteen one-hour videos, which Mappedin then retained on behalf of CF for no discernable reason. In three of the sixteen videos, the audio function had also been enabled, which resulted in the additional collection and storage of audio recordings.
CF steadfastly maintained that it was not collecting personal information other than during the testing/calibration period, and was thus not required to provide notice to mall customers and visitors regarding the practice. To the extent any personal information was collected during the testing phase, CF argued that this disclosure was clearly set out in CF’s Privacy Policy, last updated in July 2016. The company also posted decals on the entrance doors of all shopping malls directing guests to CF’s Privacy Policy should they desire more information on CF’s privacy practices.
The Regulators were not favourably impressed by any of this, finding that CF clearly did collect and use, via the AVA technology, personal information, as defined in the Acts.
While it was true the AVA technology kept facial images for a very limited period of time, images/photographs of individuals are personal information under the Acts. Images captured by the technology were used to generate personal information including numerical representations and the age range and gender of the individuals, which was then retained for a much longer time period. The creation of a unique numerical representation of a particular face also constitutes biometric information, because that information is uniquely derived from a particular identifiable individual, and could be used to distinguish between different individuals. The creation of such biometric information from facial images represented an additional collection and use of personal information regardless of the fact that the original images were not retained.
While the Regulators acknowledged that the demographic output generated by the AVA technology would not, on their own, be personal information, combining it with other information (including unique biometric information, location, and a timestamp) raised the stakes that the individual could be identified and thus becoming personal information. The video and audio recordings surreptitiously collected and kept by Mappedin during the calibration and testing period demonstrated additional collection of personal information.
Based on the facts, CF failed to obtain valid consent and notice for its collection and use of personal information via the AVA software. All three Acts, and the recent Guidelines for obtaining meaningful consent jointly issued by the Regulators state that organizations must generally obtain express consent when: (i) the information being collected, used or disclosed is sensitive; (ii) the collection, use or disclosure is outside of the reasonable expectations of the individual; and/or (iii) the collection, use or disclosure creates a meaningful residual risk of significant harm. In the Regulators’ view, biometric information (especially facial biometric information) is almost always considered “sensitive” since it is permanently linked to an individual. Very few mall visitors would reasonably expect CF to be routinely collecting and using their biometric information, via hidden cameras, while searching a mall directory. Accordingly, CF should have obtained express opt-in consent at the time of the visitor’s engagement with the map, before CF captured and processed their images via the AVA technology.
The Regulators also failed to accept CF’s feeble efforts to direct individuals to their Privacy Policy as sufficient to support “meaningful consent” under the various Acts. While CF’s Privacy Policy stated that some of its properties are equipped with cameras that it used to “monitor foot traffic patterns and [that may] assist [CF] in predicting demographic information” about mall visitors, and that personal information could be collected for the purpose of “researching, developing new products and techniques to improve its services,” nothing in these statements would have allowed average shoppers to understand that, while they were using a mall directory, close-range video and audio recordings were being taken of them during the testing and calibration period, and/or that their faces were being detected, captured in the form of digital images, and turned into numerical representations by facial recognition software for the purposes of predicting demographic information.
The decals installed on mall entrances were also found to be insufficient to ensure adequate consent, since they mentioned only that video recordings were for visitor “safety and security,” and ignoring the AVA technology. Moreover, since the wayfinding directories were physically located in malls, referencing an online privacy policy in a decal that is not readily accessible to individuals while they are engaging with a wayfinding map was plainly not helpful. Amusingly, when the Regulators attempted to obtain a copy of CF’s actual privacy policy at its Toronto Eaton Centre’s guest service desk, the befuddled employee admitted that they did not have one. Only following a second visit did the guest services desk provide a short-form “privacy statement” rather than the entire CF Privacy Policy. Oops.
Not surprisingly, the Regulators found that CF’s deployment of the AVA technology without ensuring the mall visitors’ knowledge, consent or notice, violated the Acts in myriad ways. As a result of these findings, the Regulators made several recommendations. CF should have either: (i) obtained meaningful express opt-in consent and allowed individuals to use its mall directories without having to submit to the collection and use of their sensitive biometric information; or (ii) ceased use of the AVA technology.
CF expressly disagreed with the Regulators’ findings and analysis. However, likely mindful of the negative publicity arising from this investigation, the company advised that it had ceased use of the AVA technology in July 2018, and that it had no current plans to resume that use. Additionally, CF has also largely deleted the numerical representations of faces and audio-video recordings in its possession, confirming that what information has been retained will not be used for any other purposes outside of those required for compliance with the law. Lastly, CF also provided privacy-related training to guest services employees and committed to repeat such training annually.
Significantly, CF refused to commit to the Regulators’ recommendations regarding the use of express opt-in consent if they were to resume use of AVA technology in the future. CF waffled, stating that if it did resume use of the AVA technology it would obtain adequate consent, “in accordance with the applicable privacy legislation and consistent with the Guidelines for obtaining meaningful consent.” While the Regulators acknowledged that they found this position “concerning” — especially given that CF continued to deny, contrary to their findings, that it was collecting personal information via the AVA technology — there is very little that the Regulators can do at present given the limitations of our existing Acts. Let’s hope that any future reformed versions of the Acts allow the Regulators greater leeway to take more meaningful action, should CF or any other retailer similarly misuse biometric information.