Guidance from the Cadillac Fairview Decision

The use of facial recognition software by Cadillac Fairview Corporation Limited (CFCL) in its shopping malls was the subject of a joint investigation by the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia (collectively the Privacy Commissioners). In the decision released October 28, 2020, the Privacy Commissioners found that CFCL collected and used personal information without valid consent.

An overview of the key facts summarized by the Privacy Commissioners in their joint decision is as follows:

• CFCL contracted with a third-party company to provide software and support services for interactive digital wayfinding directors that CFCL installed in many of its retail properties across Canada.
• The wayfinding directories all contained cameras behind protective glass that were not easily noticeable.
• The technology implemented in the directories:
  • took temporary digital images of the faces of any individual within the field of view of the camera in the directories. These images were only retained for a few milliseconds;
  • used facial recognition software to convert those images into biometric numerical representations of the individual faces; and
  • used that information to assess age range and gender.
• Other than during the testing and calibration period, no persistent image of a face was retained.
• The numerical representation of the individual faces was retained.
• Decals had been in place on the entrance doors of the shopping malls that directed guests to CFCL's Privacy Policy should they want more information on CFCL's practices. The decal indicated that the premises were video recorded for "safety and security" and advised that the Privacy Policy was available at Guest Services.
• The Privacy Policy was 5000 words.

The Privacy Commissioners made the following findings (among others):

• Images of individual faces constitute personal information. By collecting temporary images of the faces, CFCL collected personal information.
• The use of the images to generate additional personal information, including age range and gender, constituted a use of personal information.
• The creation of a unique numerical representation of a particular face (which is biometric information) constituted its own unique collection and use of personal information.
• Biometric information is sensitive in almost all circumstances as it is intrinsically and in most instances, permanently, linked to the individual. Facial biometric information is particularly sensitive since possession of a facial recognition template can allow for identification of an individual thorough comparison against readily available images.
• Individuals would not have reasonably expected the collection of their images by an inconspicuous camera while searching a mall directory, or that the image would be used to create a biometric representation.
• CFCL could not rely on the decals as sufficient to ensure adequate consent under the privacy legislation because:
  • The decal only mentions video recordings for visitor "safety and security" and did not mention any other purposes.
  • The wayfinding directors are in physical locations and the privacy policy was available on the CFCL website or at Guest Services elsewhere in the mall. Thus, the Privacy Policy was not readily accessible to individuals while they were engaging with the wayfinding map.
  • Individuals would have no reason to seek out the Privacy Policy at the time they started interacting with the map.
  • In any event, while the Privacy Policy referenced use of cameras to predict demographic information, the statements would not have allowed mall visitors to reasonably understand that while they were using a mall directory:
    • close-range video and audio recordings were being taken of them during the testing and calibration period; and/or
    • that their faces were being detected, captured in the form of digital images and turned into numerical representations by facial recognition software for the purposes of predicting demographic information about them, such as their age range and gender.
• CFCL should have obtained express opt-in consent and that consent should have been obtained before the individual's image was captured.
• Individuals must be made aware of all purposes for which information is collected, used and disclosed. These purposes must be described in meaningful language and should not be buried in a Privacy Policy or terms of use.

CFCL disputes several findings of the Privacy Commissioners (summarized above) with respect to the issue of consent.

Key Takeaways

Based on the position of the Privacy Commissioners, organizations can expect to be held to the following standards:

• Biometric information is sensitive personal information.
• In order to have valid consent for the collection of personal information, organizations need to show that the individual reasonably understood that the information was being collected and the precise purposes for the collection.
• If the collection of the information is not essential in order for the organization to provide goods or services, and individuals would not reasonably understand that the information in question was being collected, individuals must be provided with the opportunity to opt-in to the collection and use of their information.
• Organizations cannot rely on a clause "buried" in a 5000 word privacy policy for consent. Organizations must highlight those terms that an individual would not reasonably expect.

We recommend that organizations constantly refresh their assessment of their practises involving the collection, use and disclosure of personal information. Organizations should consider their information practises in light of the decisions by the Privacy Commissioners and courts that continue to elucidate the scope of obligations imposed on organizations that collect, use and disclose personal information.