Investigation finds Cadillac Fairview collected images of five million shoppers

Oct 29 2020, 12:46 pm

An investigation has revealed that Cadillac Fairview (CF), one of North America’s largest commercial real estate companies, collected images of five million shoppers without their knowledge or consent.

A joint investigation was conducted by federal, Alberta, and British Columbia privacy commissioners and found that cameras were imbedded inside CF’s digital information kiosks at 12 shopping malls across Canada.

According to a statement from the privacy commissioners, facial recognition software was “used to generate additional personal information about individual shoppers,” such as the estimated age and sex of each customer.

The affected malls are as follows:

Property Province
CF Market Mall Alberta
CF Chinook Centre Alberta
CF Richmond Centre British Columbia
CF Pacific Centre British Columbia
CF Polo Park Manitoba
CF Toronto Eaton Centre Ontario
CF Sherway Gardens Ontario
CF Lime Ridge Ontario
CF Fairview Mall Ontario
CF Markville Mall Ontario
CF Galeries d’Anjou Quebec
CF Carrefour Laval Quebec

Once the images were deleted, biometric information extracted from the images were stored in “a centralized database by a third party.”

When asked about the database of biometric information, CF said that it was “unaware” that such a database existed, which commissioners say compounds “the risk of potential use by unauthorized parties” or malicious actors in the event of a data breach.

“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” says Daniel Therrien, Privacy Commissioner of Canada.

“The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity.”

In an official statement, CF said that the anonymous video analytics (AVA) technology was “briefly conducted” at select malls in July 2018. The company stresses that it was not collecting personal information, since “the images taken by camera were briefly analyzed, then deleted.”

“The AVA beta test software was designed to assess the amount of foot traffic at a given site and categorize the general demographics of visitors anonymously,” says CF.

The statement also explains that shoppers “were made aware” of this practice through decals that had been placed on shopping mall entry doors that referred to its privacy policy. Privacy commissioners, however, said that this measure was “insufficient.”

“Cadillac Fairview disabled and removed the AVA pilot software more than two years ago when privacy concerns were first raised by the public,” says the company.

“We subsequently deactivated directory cameras and the numerical representations and associated data have since been deleted. We take the concerns of our visitors seriously and wanted to ensure they were acknowledged and addressed.”

The privacy commissioners say they “remain concerned,” however, that CF “refused their request” to commit to ensuring that meaningful consent is obtained from shoppers should it choose to redeploy the technology in the future.

ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT