Hidden cameras may be in use at Dieppe shopping centre
Cameras used behind mall directories to count customers, says mall owner
The Office of the Privacy Commissioner of Canada announced Friday it has opened an investigation into the use of facial recognition technology in malls by Toronto-based real estate company Cadillac Fairview, which owns Champlain Place in Dieppe.
The federal agency initiated the investigation following multiple media reports questioning whether the company "is collecting and using personal information without consent," a release stated.
CBC News asked Cadillac Fairview, which owns the mall, whether it was using facial recognition software at the Dieppe Mall after the technology was discovered at a mall the company owns in Calgary on July 26.
In the company's response to CBC News, it suggests hidden cameras are already being used inside its mall directory boards to count people, and new software that can also detect age and gender is being piloted at an undisclosed number of test sites.
The company would not confirm whether Champlain Place was one of the test sites, or whether cameras are being used there now, but it implied that lesser directory camera technology has already been rolled out corporation-wide.
"The cameras in our directories are there to provide traffic analysis to help us understand usage patterns and continuously create a better shopper experience," Janine Ramparas, director of corporate communications for Cadillac Fairview, said in an email.
"These cameras do not record or store any photo or video content. The directory unit contains software that counts people using the directory via the camera."
The privacy commissioner's investigation will see if the company's actions are in compliance with federal private-sector privacy laws. The Alberta information and privacy commissioner has also opened an investigation into the matter.
To predict age, gender
Cadillac Fairview began testing software in June that tries to predict approximate age and gender, "to further understand the usage of our directories," she said.
"And with this still no video or photo feed is recorded or stored.
"But to clarify, the software that predicts age/gender was being tested, we have not rolled it out."
The company contends that since it is not capturing or storing images, it doesn't require shopper consent.
A law professor from the University of New Brunswick isn't so sure that's the case.
"As far as I can tell, it's a little bit unclear," said Hilary Young.
"I think it's close to the line. It's interesting that they seem to be emphasizing that they're not recording or storing anything, because that's not actually the legal requirement. This can be illegal even if they're not recording or storing anything."
Young said the company may just want to know how many of their shoppers are middle-aged women or teenagers, which doesn't seem very privacy-invasive, but the public reaction has been quite strong.
One reason for that is the lack of notice and consent, she said, and the other has to do with technology.
"The idea that it's facial recognition software and that's kind of creepy, in a way that, you know, everyone else in the mall could see whether there was a person there and could see their sex and age and that doesn't seem problematic from a privacy perspective.
"So, it's something about the fact that it's being gathered by computers, and also for a commercial purpose."
Getting easier to identify people
But in terms of legality, Young said the real question is whether the data, alone or in combination with other available information, can be used to identify a person, said Young.
"And if the answer is yes, then it's probably contrary to privacy law," she said.
Young said it's getting easier and easier to identify people based on less and less information.
That's just one of the reasons the Personal Information and Protection of Electronic Documents Act needs to be updated, she said.
Law hasn't been updated
There are also calls for better enforcement mechanisms, such as giving the privacy commissioner power to issue binding orders, as opposed to simple recommendations, or increasing the financial penalties to those who break the rules.
The federal act was drafted in the late 1990s, said Young, and is now out of sync with updated European rules, creating problems for businesses.
It has no requirements for companies to disclose when they've had data breaches.
And it's based on consent, even though people rarely read the fine print before they check a box to use any kind of electronic program or service.