Use of Facial Recognition Software at Calgary Malls Raises Privacy Concerns

This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.

It is a common occurrence to see people checking the directory in a mall to get the location of the most popular stores. But what is less well known is that some malls have begun using those directories to identify shoppers’ age and gender, and legal analysts are noting they are walking a tightrope in ensuring those scans are not violating people’s privacy.

Late last month, a steely-eyed shopper at Calgary’s Chinook Centre posted a photo to social networking site Reddit that showed facial-recognition software running in the background. At the time, mall owner Cadillac Fairview said the mall does not record or store any of the content and that getting consent is not required as they are not capturing or retaining images.

But on Aug. 3, the Office of the Privacy Commissioner of Canada and Alberta’s Information and Privacy Commissioner both announced they were opening investigations into Cadillac Fairview’s use of the technology. The federal investigation will examine whether the practices are in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Alberta commissioner’s investigation will determine what types of personal information are being collected, whether the data is being shared with third parties and what safeguards or security measures are in place to protect personal information.

As a result of the investigations, Cadillac Fairview announced it was suspending use of the technology pending resolution of the matter. Janine Rampiras, director of corporate communications for Cadillac Fairview, said the company will co-operate with the investigations and will not provide further comment.

But no consensus has emerged on what the ultimate outcome of the investigations could be. Brian Vail, who practises technology and privacy law at Field Law in Edmonton, noted the provincial Personal Information and Privacy Act (PIPA) applies to all private enterprise in Alberta, and deals with the collection, use or disclosure of personal information, which is defined as information about an identifiable individual. He said, if the software makes an individual identifiable, then it is caught by PIPA and therefore would require people’s consent.

“But I tend think it’s not identifiable information as long as they are just using it in the way they say,” he said. “But if they store it, even for a short period of time, then I think they’re storing a personal record of information. Then if that’s the case the Act applies.”

Vail noted the mall representatives “aren’t even pretending to get any kind of consent.”

“So the issue then is whether a reasonable person would consider this appropriate in the circumstances,” he said. “The fact that somebody who saw it actually put it on social media would suggest somebody was unhappy about it.”

Vail’s Field Law colleague Marc Yu said the basic privacy principles associated with facial recognition software don’t differ from those applied to other security measures in a mall, such as surveillance cameras. But he noted malls have to put up signs that indicate surveillance is taking place and “there is no question the mall is recording that surveillance.”

“In this instance the mall is saying no, as users approach this camera on our mall directory we’re not capturing a single image from them. What we’re doing is this video looks at that image and quickly produces an estimated gender and age,” he said. “I don’t know how that works but if the technology actually has to capture that image for even a split second, then there’s an argument that that’s an actual collection of personal information.”

Pina D’Agostino, founder and director of the Intellectual Property Law and Technology Program at Osgoode Hall Law School (IP Osgoode), said PIPEDA would also be applicable in this case because the legislation looks at any type of organization which is collecting personal information during its commercial activities, which would apply to Cadillac Fairview.

“One thing I found interesting was that the mall’s argument was they are not doing anything wrong because they’re not storing or actually collecting information,” she said. “But if you actually look at the Act, it is very specific about this. It protects information that is collected, used or disclosed. Clearly there is use, so even your use of this information could trigger a violation of PIPEDA in this case.”

D’Agostino said, in order to run the analytics to get the age and gender from the facial recognition technology images will likely have to be stored, even if for a couple of seconds. She said the situation is similar to the concept of ephemeral recording in copyright law, where broadcasters are allowed to make a single recording of a copyrighted work for archival and logistics purposes.

“And if you look at the big picture and all the other information that they are collecting in the course of someone entering the mall, it is very reasonable to think you can identify a person by putting together the gender, the age, the security camera footage and all of that which the mall is privy to,” she said.

Whatever the outcome of the investigations, it is generally accepted that the pervasive use of technology is something that people will have to deal with, whether they view it as a utopian ideal oran Orwellian nightmare. Vail noted a colleague once said to him in 20 years’ time people will be saying, “privacy, what the hell is that?”

“Trends tend to show that privacy is a concept that is becoming less and less important in the minds of people,” he said. “My father would say [the mall tracking technology] is unacceptable and I would probably say I’m uncomfortable with it, but a millennial would probably say I don’t care. There is a trend towards people wanting to have less privacy as they use social media and other things — it just becomes part of their lifestyle and personal privacy becomes less important to them.”

 

Ian Burns is a Digital Report for The Lawyer’s Daily.

2 Comments
  1. This is a great post, Ian! Privacy and consumer protection are always at the forefront of IP debates when considering the increasing technological advancements in the retail space. Installing “smart mirrors,” for instance, is another tactical way for retailers to deal with e-commerce disrupting the industry. With consumers able to buy everything they need with the click of a button, it is no surprise that malls like the Calgary Chinook Centre are implementing creative solutions to bring consumers back into brick-and-mortar stores.

    International retailers like Bloomingdale’s have gone as far as testing technologies that allow shoppers to see how they look in an outfit without even trying it on. Unlike the Calgary Chinook Centre’s interactive directory, however, executives of these companies say that consumers are offered a choice as to whether to actually use all of the functions of the mirror.

    Assuming this technology is used in Ontario, does obtaining this consent really coincide with the regulations set forth in PIPEDA? My concern is whether consumers fully understand the extent of the data stored while utilizing these smart mirrors. If one of the reasons consumers are reverting to online shopping is due to its efficiency, it seems counterintuitive that companies believe these same consumers will take the time to read and understand the terms of utilizing the mirror, which now creates a contractual issue of whether there was proper consideration prior to use.

    Check out the smart mirrors and technologies I have discussed here:

    https://business.financialpost.com/executive/smart-shift/the-endless-retail-shelf-smart-mirror-senses-what-shoes-you-are-trying-on-and-serves-up-potential-looks

    https://www.ctvnews.ca/business/mirror-mirror-on-the-wall-stores-create-high-tech-fitting-rooms-with-smart-mirrors-1.2368630

  2. I doubt that in 20 years people will be saying “privacy, what the hell is that?” But I fully agree that “a millennial would probably say I don’t care.” Millennials should be educated to learn the consequences of losing privacy. They would say I don’t care that a mall knows my age and that I visited it, but this is shortsighted. Their perspective will change if they learn that such information can be hacked, or even worse, sold! This information can be a key to access medical records or bank accounts, or more importantly, for the millennials, their iPhones (sarcasm!).
    There is a rising industry that is based on biometrics, which is the finding of body measurements that are unique to each human, and the human face is one of them. Some of the other biometrics traits are fingerprint, voice, electrocardiogram signal, etc. Currently, biometrics is used as a password in different applications such as face to access some Android devices, fingerprint to access iPhone, or voice to verify identity when calling RBC bank. The main problem with these biometrics traits is that, unlike passwords, it is not changeable. Once stolen, the person who owns it will have the key to access more personal information. There is a continuous conflict between maintaining security, such as surveillance and collecting information; and privacy, which is not allowing access to such information. Security and privacy go together. Therefore, with the current advancement in technology, privacy will continue to be crucial.

Leave a reply

Your email address will not be published. Required fields are marked *