Who knew running to the mall to grab a new pair of Lululemons could result in a digital image of your face being taken and used by the shopping mall. The Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta and the Information and Privacy Commissioner of British Columbia completed a joint investigation into the practice of Cadillac Fairview (“CF”), the owner of several shopping malls across the country, to determine if it was collecting and using personal information from patrons without obtaining valid consent.
CF used Anonymous Video Analytics (“AVA”) to gather temporary digital images of the faces of any individual within the field of a camera installed in the mall directory. Software was used to convert these images into biometrical numerical representations of the individual faces, and that information was used to assess the age range and gender of the shoppers. In Ontario, AVA technology was in use at the following shopping malls: CF Toronto Eaton Centre, CF Sherway Gardens, CF Lime Ridge, CF Fairview Mall, and CF Markville Mall.
The investigation disclosed that CF had collected and stored approximately 5 million numerical representations of shoppers. CF explained that the data was collected for the purpose of monitoring foot traffic patterns and predicting demographic information about mall patrons. The Commissioners found no evidence that CF had use the biometric information for identification purposes.
CF took the position that, to the extent it was required to obtain shoppers’ consent to collect digital images of their faces, such consent was obtained via its privacy policy. Decals on the doors directed shoppers to a copy of the privacy policy that could be obtained from guest services (however an actual request for the document led to confusion on the part of a guest services attendant). The privacy policy itself was overly broad, and mention of the AVA collected information was buried in a 5,000 word document. The Commissioners found that this was inadequate, and the meaningful consent of shoppers to collect and use their personal information had not been obtained. An express opt-in consent was required for CF to collect such sensitive personal information.
While CF expressly disagreed with the findings of the Commissioners, it advised it ceased use of the AVA technology in July 2018, and that there were no current plans to resume its use. The numerical representations that had been collected and were not required for legal purposes, were deleted. Of concern, CF refused to commit to obtaining express opt-in consent if it were to resume using AVA technology. It indicated it would obtain adequate consent “in accordance with the applicable privacy legislation and consistent with the Guidelines for obtaining meaningful consent”.
The Commissioners found that information collected from shoppers’ mobile devices (e.g. MAC address, geolocation information) was not personal information as it did not itself, or combined with other information, identify the individual. Therefore, consent was not required to collect that information. In addition to those mentioned above, geolocation technologies are used at the following shopping malls in Ontario: CF Shops at Don Mills, CF Fairview Park, CF Masonville Place, and CF Rideau Centre.
The full report of the Commissioners can be found here.
Before collecting information from clients, patrons or employees, especially without their express consent, a company must determine whether the information qualifies as “personal information” pursuant to the applicable privacy legislation. As well, when personal information is being collected by a company with consent, it is important to ensure that “meaningful consent” is being obtained.
The Lerners Privacy, Data and Information Security Group is able to assist companies in developing and implementing personal information collection policies and programs that will comply with the applicable privacy legislation.
