Mall owner Cadillac Fairview has been slapped on the wrist for using facial recognition software and extracting "sensitive biometric information" from 5 million individuals at 12 malls across Canada in 2018.
Cadillac Fairview argued that the cameras, which were embedded in the malls' digital information kiosks, were merely used to analyze the approximate age and gender of shoppers for marketing purposes, and were not capable of identifying individuals' names. They thought that the images were then being completely deleted (although it turned out that a copy was actually being retained, unknown to the company, on a remote third party server). Furthermore, they argued that stickers on the mall doors were enough to notify shoppers that there may be cameras inside.
However, the Privacy Commissioners of Canada ruled that none of that was the case, and that Cadillac Fairview was guilty of using facial-recognition software to gather "personal information" about individuals, and that there was a "lack of meaningful consent" on the part of shoppers. "Pictures of individuals were taken and analyzed in a manner that required notice and consent", they concluded.
Cadillac Fairview has now taken out all the cameras in question, and undertaken not to attempt such a marketing exercise in the future without obtaining specific consent.
I don't really use malls, but the ruling seems harsh to me. If I walk into a mall, I would just assume that there are security cameras in operation, and how is that any different from what Cadillac Fairview were doing? How is a photo of someone "sensitive personal information" if it is not linked to the person's name, credit card record, etc? It seems to me that other marketing companies are obtaining much more sensitive personal information with complete impunity (just watch documetaries like The Great Hack and In Data We Trust, among many others).
No comments:
Post a Comment