Balancing Facial Recognition Technology and Privacy Laws: The Retail Dilemma

In April 2023, British Columbia’s privacy commissioner held that 12 Canadian Tire stores breached the province’s privacy laws by using facial recognition technology (“FRT”) without first obtaining their customers’ consent. Obtaining valid consent from data subjects is the cornerstone of Canadian privacy laws, including British Columbia’s Personal Information Protection Act (“PIPA”), legislation deemed substantially similar to the federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Following the finding of breach of PIPA, B.C.’s privacy commissioner recommended that the province amend PIPA to create additional obligations for organizations that collect, use or disclose biometric information, including requiring notice to the province’s privacy commissioner.

Thefts in retail stores have been a rising scourge in recent times, triggered by an increasingly high cost of living and a growing online resale market for stolen goods. As a result, retailers have been deploying measures like shopping cart locks, receipt-checking and increased surveillance at self-checkout machines. While potentially more effective than these measures, FRT is not as prevalently used, possibly due to recent run-ins with privacy regulators. This is not so much an indictment of the technology per se, as it is of the potential consequences of non-compliance with privacy laws.

This article examines the chief considerations under privacy laws for retail companies in the deployment of FRT in their stores.

Clearview AI Case

The case of Clearview AI is a textbook example of how not to deploy FRT in Canada. Clearview AI is a U.S.-based FRT company that provides software to law enforcement, investigation and government agencies to aid in their functions. The company’s FRT software scrapes images and related data from publicly accessible online sources, including social media pages, and stores such data in its database. It then creates biometric identifiers for each image, which can be used later to match with images uploaded by users. The Clearview software can then direct users to the original source page of the image. By 2021, the company had amassed more than 3 billion images of faces and corresponding biometric identifiers, among them Canadian individuals and children.

A joint investigation by the federal privacy commissioner and the privacy commissioners of British Columbia, Quebec and Alberta found that Clearview AI did not obtain consent (never attempted to) for collection, use and disclosure of personal information through its software. The company erred in its interpretation that no consent is required to collect information that is “publicly available” or “public under the law.”

The findings highlight that biometric information is sensitive in all circumstances because of its intrinsic and permanent link to the individual, and for being distinctive and invariable. There are degrees of sensitivity within categories of biometric information, but facial biometric information is particularly sensitive. Accordingly, Canadian law mandates obtaining the express opt-in consent of individuals.

In December 2021, Clearview AI was ordered to stop its data collection, use and storage activities, as well as to cease offering services to clients in Canada, and to delete the images and biometric facial arrays of Canadian individuals.

What Retail Companies Should Be Mindful Of

The Clearview AI case does not leave much to speculation of the disfavour with which privacy regulators regard FRT. FRT can be effective in containing loss prevention and crime at retail stores so long as retailers are in compliance with the law. From a privacy perspective, both retailers and FRT providers have to comply with PIPEDA and/or the provincial privacy statutes in Alberta, British Columbia and Quebec. Equally critical to bear in mind are the legislative changes on the horizon that will merit a more nuanced and thorough approach to compliance.

The following is a non-exhaustive list of considerations for retailers to err on the side of caution. Other considerations around retention, accuracy and transparency could arise, depending on the specifics of the case.

1. Express opt-in consent of customers who visit a store cannot be obtained by an inconspicuous notice at the store entry. Under PIPEDA, as well as the provincial statutes, organizations are generally required to inform individuals of the purposes for which their personal information is collected, used or disclosed.
2. Both PIPEDA and the Consumer Privacy Protection Act in Bill C-27 (“CPPA” will replace PIPEDA once passed, and is currently in its second reading at the House of Commons) stipulate that consent of the individual is required for the collection, use and disclosure of personal information unless an exception applies. The type of consent varies according to the circumstances and category of the information being collected. Facial biometric data is sensitive information of the highest kind that requires express opt-in consent.
3. The CPPA will broaden the requirements to obtain consent and will codify the exceptions to it. For valid consent, the retailer must, at or before seeking consent, provide to the individual: the purpose and manner of collection, use or disclosure of information; reasonably foreseeable consequences of the same; the specific type of personal information that is collected, used or disclosed; and the names or types of FRT providers to which the retailer may disclose customers’ information. Such information should be in plain language that customers are reasonably expected to understand. Organizations must also identify the third parties – potentially FRT providers – to whom personal information will be disclosed, the services of the FRT providers and the purpose of the disclosure.
4. The CPPA introduces new exceptions to consent – business activities and legitimate interest. A business may collect or use an individual’s personal information without their knowledge or consent if, among other things, it is “necessary for the safety of a product or service that the organization provides” or if it “has a legitimate interest that outweighs any potential adverse effect on the individual.” However, currently there is no guidance from regulators or legislators that deploying FRT to curtail theft would qualify as one of these exceptions.
5. The CPPA is more prescriptive than PIPEDA in the diligence and protection of minors’ personal information, aligning Canadian law with international frameworks. What constitutes sensitive information under PIPEDA is contextual, but the CPPA expressly designates minors’ personal information as “sensitive information.”
6. Under PIPEDA, a retailer that is in control of its customers’ personal information is responsible when it is transferred to a FRT provider for processing. The retailer should use contractual or other means to ensure a “comparable level of protection” while the FRT provider processes such information. If the latter’s use of such information is for a purpose different from that for which the retailer originally collected it, additional consent for that additional purpose is required from the individual data subjects. Appropriate clauses to this effect can be drafted into the retailer’s agreement with the FRT provider.
7. The CPPA defines “service provider” as an organization “that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.” Assuming FRT providers fall within this definition and the purpose does not change, as per the CPPA, a retailer does not need the customers’ consent or knowledge to transfer their personal information to FRT providers – a position that was interpreted but not codified in PIPEDA. The transferring retailer, however, is still responsible for such information, including contractual or other protections “equivalent” to that which the retailer is required to provide under the CPPA.

Conclusion

If relying on law enforcement agencies does not abate retail theft, FRT may become an inevitable solution in the future – perhaps even a regulated “business activity” or a “legitimate interest” under the CPPA. The CPPA also leaves it to future governor-in-council regulation to prescribe other business activities that would serve as exceptions to obtaining consent. As of now, however, the regulatory guidance is a far cry from this possibility.