Cadillac Fairview has contravened Canadian privacy laws for collecting 5 million images of shoppers without their knowledge in 12 shopping malls across the country, according to an investigative report by the Office of the Privacy Commissioner of Canada (OPC).
The report said Cadillac Fairview collected shoppers’ images with embedded cameras in digital information kiosks and used the facial recognition software “Anonymous Video Analytics” (AVA) for its “wayfinding” directories.
“Such systems measure and analyze people’s physical and behavioral attributes, such as facial features, voice patterns, fingerprints, palm prints, finger and palm vein patterns, structures of the eye (iris or retina), or gait,” an OPC webpage resource says.
Cadillac Fairview said its purpose was to analyze the age and gender of shoppers and not to identify individuals. The company also insisted that it informed shoppers of the activity with decals placed on shopping mall entrances that referred to its privacy policy.
The Commission, however, determined such measures to be insufficient.
“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” says Daniel Therrien, the Privacy Commissioner of Canada.
The privacy investigation was launched in December 2018 by the OPC, along with the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia.
The commissioners said that while shoppers’ images were deleted, the sensitive biometric information generated from the images was stored on the database of a third-party contractor called Mappedin.
The AVA technology was first installed by Mappedin on June 13, 2017, on a test basis, and was removed on Dec. 1, 2017. The AVA technology was then rolled out in May 2018 in 12 malls in major cities across Canada.
“When asked the purpose for such collection, Mappedin was unable to provide a response, indicating that the person responsible for programming the code no longer worked for the company,” the report reads.
Cadillac said that it was unaware that the biometric information database existed.
“This investigation exposes how opaque certain personal information business practices have become,” says Jill Clayton, the Information and Privacy Commissioner of Alberta.
