On October 29, 2020, the Office of the Privacy Commissioner of Canada announced the findings of a joint investigation by Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner for British Columbia that examined whether the Cadillac Fairview Corporation Limited (Cadillac Fairview) was collecting and using personal information of visitors to its Canadian malls without valid consent using Anonymous Video Analytics technology (AVA technology) installed in wayfinding directories and mobile device geolocation tracking technologies.
The reason that the Commissioners examined whether Cadillac Fairview complied with the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta’s’ Personal Information Protection Act (AB PIPA), and British Columbia’s Personal Information Protection Act (BC PIPA) was because there were several media reports that raised questions and concerns about whether Cadillac Fairview was collecting, using and/or disclosing personal information using facial analytics technology via in-mall directories without adequate consent. The AVA technology was installed on digital wayfinding directories (touch screen digital map systems that allowed visitors to locate stores and find their way through Cadillac Fairview’s shopping malls).
Further revelations during the preliminary stages of the investigation into the deployment of the AVA technology led to the scope of the joint investigation to be expanded to determine whether Cadillac Fairview obtained adequate consent for its collection, use, and disclosure of mall visitors’ personal information, including geolocation and Media Access Control (MAC) address, through mobile device geolocation technologies. Also, new information led to an added consideration of the retention of personal information obtained through the AVA technology. Additionally, the Commissioners decided to collaborate with the Commission d’accès à l’information du Québec, since the Commission was also looking into this issue of AVA technology installed in Cadillac Fairview shopping malls located in the Province of Quebec.
These were the main findings:
1. Cadillac Fairview collected and used personal information, including sensitive biometric information, using the AVA technology without valid consent
The Commissioners found that the AVA technology took temporary digital images of the faces of any individual within the field of view of the camera in the directory (with brief retention in memory when processing), used facial recognition software to convert those images into biometric numerical representations of the individual faces (this was sensitive personal information that could be used to identify individuals based on unique facial features), and used the information to assess age range and gender.
In fact, the Commissioners confirmed that Cadillac Fairview’s AVA service provider collected and stored approximately five million numerical representations of faces on Cadillac Fairview’s behalf, on a decommissioned server—”for no apparent purpose and with no justification.”
Cadillac Fairview was attempting to monitor foot traffic patterns and predict demographic information about mall visitors, and the Commissioners did not find that it used the biometric information (including any of the retained numerical representations) for identification purposes.
That said, it did retain about 16 hours of video recordings (including some audio) during a calibration/testing phase of the technology at two malls.
In response, the Commissioners recommended that Cadillac Fairview either obtain meaningful express opt-in consent and allow individuals to use its mall directories without having to submit to the collection and use of their sensitive biometric information, or cease use of its AVA technology. Although Cadillac Fairview disagreed with the findings, it actually did cease use of the technology in July 2018, and it had no plans to resume that use. It also complied with additional recommendations and deleted the numerical representations of faces and audio/video recordings it had that were not required for legal purposes. Cadillac Fairview confirmed that the information that it did retain would not be used for any other purposes except when required for compliance with the law. Additionally, it provided privacy-related training to its employees.
Therefore, the Commissioners concluded that the matter was well-founded and resolved. However, it is important to note that while Cadillac Fairview agreed that it would obtain adequate consent in accordance with the applicable privacy legislation and consistent with the Guidelines for obtaining meaningful consent, it refused to commit to obtaining express opt-in consent consistent with the recommendations; the Commissioners found this to be concerning, especially since it insisted that it was not collecting personal information via the AVA technology.
2. Cadillac Fairview did not collect the location information of identifiable individuals using mobile device tracking technology in its malls and did not require consent for the practice
The Commissioners found that the information that was collected from shoppers’ mobile devices when the shoppers were not logged into Wi-Fi in Cadillac Fairview’s malls did not constitute personal information. That is, the hashed and randomized MAC address (a device identifier), coupled with non-granular zone geolocation information collected using Wi-Fi triangulation, did not constitute personal information since there was not a serious possibility that this information could be linked, either alone or with other available information, with the mobile device holder.
There was some concern about the use of Cadillac Fairview’s free Wi-Fi service and whether Cadillac Fairview was collecting triangulated device geolocation information and linking it with identifiable device users’ Wi-Fi accounts. However, Cadillac Fairview explained that the geolocation information could not in any practical manner be associated with, or linked to, logged-in Wi-Fi accounts. Thus, it did not constitute personal information and the matter was confirmed to be not well-founded.
What can organizations take from this?
When attempting to collect, use, or disclose personal information of individuals using technologies, organizations are recommended to review the Privacy Commissioner’s Guidelines for obtaining meaningful consent, to ensure that they are using best practices and remaining in compliance. It is especially important to pay careful attention to the sensitivity of the personal information; one example of sensitive personal information is information that can be used to identify individuals based on their unique facial features.