Is Facial Recognition Dead in Canada?
Posted in Privacy

The Privacy Commissioners of Canada, Alberta and British Columbia issued a joint investigation report, finding that Cadillac Fairview did not obtain adequate consent for the collection of digital images of faces through facial recognition technology (Anonymous Video Analytics) installed in wayfinding directories in some of their Canadian shopping malls.

Is consent even required to collect images in a public place like a mall?

The findings in this case have significant implications regarding the notice and consent required for facial recognition technology in Canada. They will pose practical challenges for organizations using or considering facial recognition technology. The Commissioners made a number of important determinations, including:

  1. Express opt-in consent was required. The Commissioners found that individuals would not reasonably expect their image to be captured when they stepped up to a mall directory kiosk, and that image used to create a biometric representation used to guess approximate age and gender. The Commissioners recommended that express opt-in consent be obtained before using the technology in the future.
  2. People's faces are sensitive personal information. In this case, the images were quickly converted by the technology to numerical representations and the purpose was to collect aggregated demographic statistics only. Nevertheless, the Commissioners found that this type of information was still on the higher end of the range of sensitivity. This type of biometric information is not diminished by retaining the information only for a short period of time or for non-identification purposes.
  3. General language in the privacy policy was not accepted as supporting meaningful notice or consent. The Commissioners cited language from the policy describing the use of cameras to monitor foot traffic patterns and assisting in predicting demographic information as not being sufficient for mall visitors to understand that the facial recognition technology was being used.

Obtaining opt-in consent from each individual will probably not be practical for many of the purposes for which organizations wish to use facial recognition technology. While the Commissioners described an example of a process in which a message box display on the kiosk could be used to obtain opt-in consent in this particular case, we speculate that organizations would be concerned that such a process would significantly diminish the value of the data.

Is facial recognition a practical option anymore?

Despite the relatively clear findings in this case, the question of whether opt-in consent is required in all facial recognition cases is probably not closed. There are a few reasons for this. First, privacy legislation in Canada establishes a number of grounds on which consent is not required at all. Some use cases may fit these exceptions. Second, the Guidelines for Obtaining Meaningful Consent, cited numerous times by the Commissioners, is flexible and allows for innovative approaches. Third, there are other related technologies already in use without opt-in consent. Over the years, Canada has seen the significant growth of video security systems capturing personal information on the basis of less descriptive and less obvious notice or opt-out consent. There is reason to believe security purposes may be viewed differently than those in this case. Fourth, privacy is normative. As technology has evolved and been implemented, we get used to it. Like video surveillance, our expectations of new technologies will evolve as well.

  • Ryan  Berger

    Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.

    Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...

  • Cory  Sully

    Cory Sully is an associate in both the Labour, Employment and Human Rights Group and the Privacy and Data Management Group in Vancouver. Cory provides practical and strategic advice to clients regarding various issues relating to ...

About Us

Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.

Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage. 




Recent Posts



Jump to Page