Cadillac Fairview's use of facial-recognition tech at malls, including in Metro Vancouver, violated privacy laws: report

One of North America's largest commercial real estate companies broke privacy laws at its malls, including in Metro Vancouver, according to an investigation conducted by Canadian privacy commissioners.

The Office of the Information and Privacy Commissioner for British Columbia stated that a report released today (October 29) revealed the results of an investigation conducted by federal, Albertan, and British Columbian privacy commissioners that had been prompted by news reports questioning the practices of a Canadian company in shopping malls across the nation. 

The investigation found that Toronto-based Cadillac Fairview Corporation Limited (CFCL) embedded cameras in its digital information kiosks, or “wayfinding” directories, at 12 Canadian shopping malls, including at Vancouver’s CF Pacific Centre and CF Richmond Centre. (The Ontario Teachers’ Pension Plan completed its acquisition of CFCL in 2000.) 

These small, inconspicuous cameras employed facial recognition technology without the knowledge or consent of shoppers and collected five million images. The company alleged that their use of this technology was to analyze the age and gender of shoppers, rather than to identify individuals.

“Pictures of individuals were taken and analyzed in a manner that required notice and consent,” B.C.’s information and privacy commissioner Michael McEvoy stated in a news release.

While Cadillac Fairview insisted that it had placed stickers at mall entrance doors about its privacy policy to make its customers aware of its practice, the commissioners deemed this measure “insufficient” and “inadequate”.

The commissioners added that the decals instruct shoppers to obtain the company’s privacy policy from guest services but when they asked one such employee at one of the malls, the staff member did not understand the request.

The report states that the company should have obtained “express opt-in consent” instead.

"Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” Canada’s privacy commissioner Daniel Therrien stated.

In addition, the report states that the language of the company’s privacy policy “was overly broad, and buried in the middle of a 5,000 word document, which would not be easily accessible to individuals while they are engaging with a mall directory”.

The company also claimed that it was not collecting personal information and that the images taken by camera were deleted after they were analyzed. Cadillac Fairview purported that it was “monitoring foot traffic patterns and predicting demographic information about mall visitors”.

However, the commissioners discovered that Cadillac Fairview did obtain personal information, which breached privacy laws by failing to obtain “meaningful consent”.

The company used video analytics to collect and analyze the biometric information of its customers. The facial recognition software generated additional personal information about individuals, including estimated age and gender.

“We found no evidence that CFCL had used the biometric information, including any of the retained numerical representations, for identification purposes,” the report states.

However, although the images were deleted, the biometric information generated from the images was stored in a centralized database, on a decommissioned server, by a third party. Cadillac Fairview alleged that it was unaware of this database—this lack of awareness “compounded the risk of potential use by unauthorized parties or, in the case of a data breach, malicious actors”.

"This investigation exposes how opaque certain personal information business practices have become,” Alberta’s information and privacy commissioner Jill Clayton explained. ”Not only must organizations be clear and up front when customers' personal information is being collected, they must also have proper controls in place to know what their service providers are doing behind the scenes with that information."

Although CFCL “expressly disagreed” with the investigation findings, the company removed the cameras from its kiosks and has deleted all information associated with the video analytics technology that isn’t required for legal purposes. 

The company also claimed that it stopped using the technology in July 2018, and is providing privacy-related training to employees.

CFCL has confirmed it won’t retain or use the data—which includes “more than five million biometric representations of individual shoppers' faces, which it had retained for no discernible reason”—for any other purpose.

The report states that the company didn’t collect the location information of identifiable individuals from mobile-device-tracking technology in its malls, and thus didn’t require consent for this practice.

“We found that the information collected from mobile devices of shoppers, who were not logged into Wi-Fi in CFCL malls, did not constitute personal information,” the report states.

Unfortunately, the three privacy commissioners remain concerned that the company “refused their request that it commit to ensuring express, meaningful consent is obtained from shoppers should it choose to redeploy the technology in the future”.