THEY COULD DO IT, SO THEY DID. Cadillac Fairview Corporation Limited (CFCL) could not, and did not, offer any other explanation for why they behaved like Big Brother and gathered masses of personal information on shoppers in 12 of the many malls they own in Canada.

A joint investigation by the Privacy Commissioner of Canada and the privacy commissioners in Alberta and British Columbia found CFCL was secretly collecting and using personal information of visitors, to certain Canadian malls, including sensitive biometric information, without valid consent.

Investigators found the corporation did this using Anonymous Video Analytics (AVA) technology installed in “wayfinding” directories; and mobile device geolocation tracking technologies.

So, whenever shoppers used the mall directories the AVA technology:

• took temporary digital images of the faces of any individual within the field of view of the camera in the directory;

• used facial recognition software to convert those images into sensitive personal information that could be used to identify individuals based on their unique facial features; and

• used that information to assess age range and gender.

Without reason or justification

The investigation revealed that the AVA service provider had collected and stored approximately five million numerical representations of faces on CFCL’s behalf—for no apparent purpose and with no justification.

CFCL also retained approximately 16 hours of video recordings, some including audio, which it had captured during a calibration (or testing) phase of the technology at two malls.

The investigators concluded that the CFCL privacy policy did not allow for either activity.

The investigators final report says that shoppers using a mall directory would not “reasonably expect” their image to be captured and used for facial recognition. Thus, CFCL should have obtained express opt-in consent to do that.

Investigators rejected the CFCL attempt to hide behind it’s privacy policy as sufficient to allow for such surveillance. They write that the privacy policy is “overly broad” in its claims. Not to mention the fact that the policy itself was not available to any directory user.

Stickers displayed at mall entrances direct shoppers to visit guest services to obtain a copy of CFCL’s privacy policy. When investigators tried that, they say they found the guest services employee “confused by the request”.

A little yes, a little no

As a result of these findings, the investigators recommended that CFCL either:

• obtain meaningful express opt-in consent and allow individuals to use its mall directories without having to submit to the collection and use of their sensitive biometric information; or

• cease use of its AVA technology.

CFCL expressly disagreed with the findings of the joint investigation.

However, CFCL ceased to use AVA technology in July 2018 and it has deleted the numerical representations of faces and audio/video recordings.

On the other hand, it refused to commit to obtaining express opt-in consent consistent with the recommendations of the privacy commissioners, should it want to use AVA technology in the future.

Equally troubling, CFCL refused to accept suggested limits on using its free Wi-Fi service to collect personal user data in the future.

- 30 -