Toronto Eaton Centre owner collected millions of images of mall shoppers: report

A joint investigation by three privacy commissioners found Cadillac Fairview's use of facial recognition tech broke privacy laws

One of North America’s largest commercial real estate companies broke privacy laws by covertly collecting millions of images of shoppers, an investigation conducted by three Canadian privacy commissioners has revealed.

A joint investigation by the federal, Albertan and British Columbian privacy commissioners found that Toronto-based Cadillac Fairview Corporation Limited (CFCL) embedded cameras in digital information kiosks, or “wayfinding” directories, at 12 Canadian shopping malls. The list includes the Eaton Centre, Sherway Gardens and Fairview Malls in Toronto.

These small, inconspicuous cameras employed facial recognition technology without the knowledge or consent of shoppers to collect five million images. The company alleged that their use of this technology was to analyze the age and gender of shoppers, rather than to identify individuals.

“Pictures of individuals were taken and analyzed in a manner that required notice and consent,” B.C.’s information and privacy commissioner Michael McEvoy stated in a news release.

The Ontario Teachers’ Pension Plan completed its acquisition of CFCL in 2000.

While Cadillac Fairview insisted it had placed stickers at mall entrance doors about its privacy policy to make its customers aware of its practice, the commissioners deemed this measure “insufficient” and “inadequate.”

The commissioners added that the decals instruct shoppers to obtain the company’s privacy policy from guest services but when they asked one such employee at one of the malls, the staff member did not understand the request.

The report states that the company should have obtained “express opt-in consent” instead.

“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” Canada’s privacy commissioner Daniel Therrien stated.

In addition, the report states that the language of the company’s privacy policy “was overly broad, and buried in the middle of a 5,000-word document, which would not be easily accessible to individuals while they are engaging with a mall directory.”

The company also claimed that it was not collecting personal information and that the images taken by camera were deleted after they were analyzed. Cadillac Fairview purported that it was “monitoring foot traffic patterns and predicting demographic information about mall visitors.”

However, the commissioners discovered that Cadillac Fairview did obtain personal information, which breached privacy laws by failing to obtain “meaningful consent.”

The company used video analytics to collect and analyze the biometric information of its customers. The facial recognition software generated additional personal information about individuals, including estimated age and gender.

“We found no evidence that CFCL had used the biometric information, including any of the retained numerical representations, for identification purposes,” the report states.

However, although the images were deleted, the biometric information generated from the images was stored in a centralized database, on a decommissioned server, by a third party.

Cadillac Fairview alleged that it was unaware of this database – this lack of awareness “compounded the risk of potential use by unauthorized parties or, in the case of a data breach, malicious actors.”

“This investigation exposes how opaque certain personal information business practices have become,” Alberta’s information and privacy commissioner Jill Clayton explained. “Not only must organizations be clear and up front when customers’ personal information is being collected, they must also have proper controls in place to know what their service providers are doing behind the scenes with that information.”

Although CFCL “expressly disagreed” with the investigation findings, Cadillac Fairview removed the cameras from its kiosks and has deleted all information associated with the video analytics technology that isn’t required for legal purposes. 

The company claimed that it stopped using the technology in July 2018, and is providing privacy-related training to employees.

The company has confirmed it won’t retain or use the data – which includes “more than five million biometric representations of individual shoppers’ faces, which it had retained for no discernible reason” – for any other purpose.

The report states that the company didn’t collect the location information of identifiable individuals from mobile-device-tracking technology in its malls, and there didn’t require consent for this practice.

“We found that the information collected from mobile devices of shoppers, who were not logged into Wi-Fi in CFCL malls, did not constitute personal information,” the report states.

Unfortunately, the three privacy commissioners remain concerned that the company “refused their request that it commit to ensuring express, meaningful consent is obtained from shoppers should it choose to redeploy the technology in the future.”

This story originally appeared in the Georgia Straight. 


Leave your opinion for the editor...We read everything!

Your email address will not be published. Required fields are marked *