Mall real estate company collected 5 million images of shoppers, say privacy watchdogs
'Shoppers had no reason to expect their image was being collected,' says federal privacy commissioner
The real estate company behind some of Canada's most popular shopping centres embedded cameras inside its digital information kiosks at 12 shopping malls in major Canadian cities to collect millions of images — and used facial recognition technology without customers' knowledge or consent — according to a new investigation by the federal, Alberta and B.C. privacy commissioners.
"Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis," said federal Privacy Commissioner Daniel Therrien in a statement.
"The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity."
According to the report, the technology Cadillac Fairview used — known as "anonymous video analytics" or AVA— took temporary digital images of the faces of individuals within the field of view of the camera in the directory.
WATCH: Shoppers' privacy violated at major Canadian malls: Privacy commissioners:
It then used facial recognition software to convert those images into biometric numerical representations of individual faces, about five million images in total.
That sensitive personal information could be used to identify individuals based on their unique facial features, said the commissioners.
The report said the company also kept about 16 hours of video recordings, including some audio, which it had captured during a testing phase at two malls.
Cadillac Fairview said it used AVA technology to assess foot traffic and track shoppers' ages and genders — but not to identify individuals.
But the commissioners said that wasn't good enough and did not meet the standard for meaningful consent.
"An individual would not, while using a mall directory, reasonably expect their image to be captured and used to create a biometric representation of their face, which is sensitive personal information, or for that biometric information to be used to guess their approximate age and gender," they wrote.
The privacy watchdogs also took issue with the way the five million images were stored.
Cadillac Fairview said the images taken by camera were briefly analyzed then deleted — but investigators found that the sensitive biometric information generated from the images was being stored in a centralized database by a third-party company,
"Our investigation revealed that [Cadillac Fairview Corporation Limited's] AVA service provider had collected and stored approximately five million numerical representations of faces on CFCL's behalf, on a decommissioned server, for no apparent purpose and with no justification," notes the investigation.
"Cadillac Fairview stated that it was unaware that the database of biometric information existed, which compounded the risk of potential use by unauthorized parties or, in the case of a data breach, by malicious actors."
Company says technology couldn't identify people
The company said the technology was used to detect the presence of a human face and assign it "within milliseconds" to an approximate age and gender category and maintains it did not store any images during the pilot program and was not capable of recognizing anyone.
"The five million representations referenced in the [Office of the Privacy Commissioner] report are not faces. These are sequences of numbers the software uses to anonymously categorize the age range and gender of shoppers in the camera's view," Cadillac Fairview spokesperson Jess Savage said in a statement to CBC News.
"The OPC report concludes there is no evidence that CF was using any technology for the purpose of identifying individuals."
CF suspended its use of cameras back in 2018 when provincial and federal privacy commissioners launched their probe following a CBC investigation.
In a statement to CBC News on Thursday, the company said it has deleted the data.
"We subsequently deactivated directory cameras and the numerical representations and associated data have since been deleted," said Savage.
"We take the concerns of our visitors seriously and wanted to ensure they were acknowledged and addressed."
However, the three commissioners said they have concerns about the company's plans going forward.
"The commissioners remain concerned that Cadillac Fairview refused their request that it commit to ensuring express, meaningful consent is obtained from shoppers should it choose to redeploy the technology in the future," said the commissioners' statement.
No fines under Canadian law
Savage said Cadillac Fairview accepted and implemented all the recommendations "with the exception of those that speculate about hypothetical future uses of similar technology."
The investigation found the technology was used in five provinces at the following malls:
- CF Market Mall (Calgary)
- CF Chinook Centre (Calgary)
- CF Richmond Centre (Richmond, B.C.)
- CF Pacific Centre (Vancouver)
- CF Polo Park (Winnipeg)
- CF Toronto Eaton Centre (Toronto)
- CF Sherway Gardens (Toronto)
- CF Fairview Mall (Toronto)
- CF Lime Ridge (Hamilton, Ont.)
- CF Markville Mall (Markham, Ont.)
- CF Galeries d'Anjou (Montreal)
- CF Carrefour Laval (Laval, Que.)
Ann Cavoukian, executive director at the Global Privacy and Security by Design Centre, said a case like this would lead to millions of dollars in fines if it had happened in the United States.
"The commissioners are doing the best they can with the limited resources they have," she said.
"What we have to insist upon is that private sector entities like Cadillac Fairview step up and protect their customers' privacy. Otherwise, why are the customers going to continue shopping there?"
B.C. Information and Privacy Commissioner Michael McEvoy said the fact he and his counterparts can't issue a fine in a case like this should make the case for stronger powers at both the federal and provincial levels.
"Fines in a case like this would have been a consideration. It is an incredible shortcoming of Canadian law," he said.
"We as privacy regulators don't have any authority to levy fines on companies that violate peoples' personal information and that should really change."
With files from Thomas Daigle