Guidance from the Cadillac Fairview Decision
Written by Ruth Promislow and Stephen Burns
The use of facial recognition software by Cadillac Fairview Corporation Limited (CFCL) in its shopping malls was the subject of a joint investigation by the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia (collectively the Privacy Commissioners). In the decision released October 28, 2020, the Privacy Commissioners found that CFCL collected and used personal information without valid consent.
An overview of the key facts summarized by the Privacy Commissioners in their joint decision is as follows:
- CFCL contracted with a third-party company to provide software and support services for interactive digital wayfinding directors that CFCL installed in many of its retail properties across Canada.
- The wayfinding directories all contained cameras behind protective glass that were not easily noticeable.
- The technology implemented in the directories:
- took temporary digital images of the faces of any individual within the field of view of the camera in the directories. These images were only retained for a few milliseconds;
- used facial recognition software to convert those images into biometric numerical representations of the individual faces; and
- used that information to assess age range and gender.
- Other than during the testing and calibration period, no persistent image of a face was retained.
- The numerical representation of the individual faces was retained.
The Privacy Commissioners made the following findings (among others):
- Images of individual faces constitute personal information. By collecting temporary images of the faces, CFCL collected personal information.
- The use of the images to generate additional personal information, including age range and gender, constituted a use of personal information.
- The creation of a unique numerical representation of a particular face (which is biometric information) constituted its own unique collection and use of personal information.
- Biometric information is sensitive in almost all circumstances as it is intrinsically and in most instances, permanently, linked to the individual. Facial biometric information is particularly sensitive since possession of a facial recognition template can allow for identification of an individual thorough comparison against readily available images.
- Individuals would not have reasonably expected the collection of their images by an inconspicuous camera while searching a mall directory, or that the image would be used to create a biometric representation.
- CFCL could not rely on the decals as sufficient to ensure adequate consent under the privacy legislation because:
- The decal only mentions video recordings for visitor "safety and security" and did not mention any other purposes.
- close-range video and audio recordings were being taken of them during the testing and calibration period; and/or
- that their faces were being detected, captured in the form of digital images and turned into numerical representations by facial recognition software for the purposes of predicting demographic information about them, such as their age range and gender.
- CFCL should have obtained express opt-in consent and that consent should have been obtained before the individual's image was captured.
CFCL disputes several findings of the Privacy Commissioners (summarized above) with respect to the issue of consent.
Based on the position of the Privacy Commissioners, organizations can expect to be held to the following standards:
- Biometric information is sensitive personal information.
- In order to have valid consent for the collection of personal information, organizations need to show that the individual reasonably understood that the information was being collected and the precise purposes for the collection.
- If the collection of the information is not essential in order for the organization to provide goods or services, and individuals would not reasonably understand that the information in question was being collected, individuals must be provided with the opportunity to opt-in to the collection and use of their information.
We recommend that organizations constantly refresh their assessment of their practises involving the collection, use and disclosure of personal information. Organizations should consider their information practises in light of the decisions by the Privacy Commissioners and courts that continue to elucidate the scope of obligations imposed on organizations that collect, use and disclose personal information. For more information on regulatory compliance with privacy legislation, please contact the Bennett Jones Privacy and Data Protection group.