Canadian liquor and cannabis retailers’ biometrics use found inappropriate
The Office of the Information and Privacy Commissioner for British Columbia (B.C.) found via a review that some private sector licensed liquor and cannabis retailers have been collecting individual biometric data without adequate privacy management programs or document privacy policies despite obligations under B.C.’s private sector Personal Information Protection Act (PIPA).
The compliance review was conducted after several media stories and enquiries about the sector’s collection, use, and disclosure of personal information.
Retailers ought to be doing more to protect the biometric data privacy of customers and staff, says the OIPC, and sets out 18 recommendations for liquor and cannabis retailers to establish and maintain privacy management programs.
“In addition to finding that most retailers need to do more to comply with BC’s privacy laws, we also found that a small number of retailers collect biometric information from staff, customers, or both,” said B.C. Commissioner Michael McEvoy. “Thumbprint scanners to document staff signing in and out for the day and the use of facial recognition software as part of a surveillance system are just a few examples of this. Unless there are exceptional circumstances to consider, B.C. cannabis and liquor stores are not authorized to use facial recognition technology, and I have signaled that this practice should stop immediately.”
BC’s licensed private sector liquor and cannabis retailers are authorized to collect personal information via video surveillance with implied consent or as authorized by law, however must ensure that necessary safeguards and signage is in place to protect people.
One retailer’s payroll program was found to utilize a biometric thumbprint scanner for employees to clock in and out at the beginning and end of their shifts. While one liquor retailer reported use of the FRT software FaceFirst implemented by SilverPoint in at least one of their stores. The retailer cited the safety of their locations and property as the purpose(s) for collecting biometric information. Due to the immutable nature of facial biometrics and the sensitivity around facial vectors created via FRT, capturing individuals who are not involved in criminal offences is not proportional to the benefit gained from potentially assisting law enforcement to identify a select few, says the OIPC.
Using FRT, even ones which incorporate thermal temperature scanners or video surveillance systems should not be used to collect sensitive biometric information from every individual entering or walking by the store, in fact OIPC recommends that retailers stop using facial recognition technologies immediately.
The OIPC recommends that retailers designate someone to be responsible for ensuring the organization complies with PIPA; develop written policies; and monitor compliance and conduct risk assessments to know that security safeguards are effective. Retailers can further ensure they are protecting personal information by taking an inventory of personal information holdings because in most cases, collection of this sensitive personal information will not be authorized, says OIPC. Furthermore, requests for authorization to use biometric technologies should be scrutinized at a very high level, and uses should be reasonable.
Foundational data privacy management systems or policies should be implemented for private sector liquor and cannabis retailers in B.C. and any retailers considering the purchase of equipment that is capable of measuring biometrics must ensure appropriate legal authorization is gained to collect the information, the report says.