Canadian shopping mall operator disables biometrics after data protection regulator report
Shopping mall operator Cadillac Fairview used digital information kiosks at 12 malls across Canada to surreptitiously collect and use facial recognition on images of 5 million people without their consent, the country’s data regulator has declared.
The Office of the Privacy Commissioner of Canada, joined by data protection regulators in multiple provinces, made the announcement following an investigation into the Toronto-based company spurred by media reports.
The OPC found that biometrics were used to gather personal information, such as age and gender, and that while the images themselves were deleted, sensitive biometric data (templates) generated from them was stored in a third party’s centralized database. Further, Cadillac Fairview claimed ignorance of the database, which the regulators say compounds the risk of potential misuse by unauthorized entities, or malicious actors in the case of a data breach.
“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” says Privacy Commissioner of Canada Daniel Therrien. “The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity.”
Cadillac Fairview has disabled the cameras in the displays, and has no plans to relaunch the technology, according to the announcement, but the company did not commit to ensuring express meaningful consent is obtained should it do so in the future, prompting concern from the Commissioners.