An investigation by the Office of the Information and Privacy Commissioner of British Columbia (OIPC) has found that 4 Canadian Tire stores in British Columbia, Canada, violated British Columbia's Protection of Personal Information Act (PIPA) by using facial recognition technology to collect customers' biometric information from 2018 to 2021. In fact, 12 stores were identified as using this technology but not all institutions were investigated. The remaining stores confirmed that they removed their facial recognition systems after the investigation began.
The Data Supervisory Authority considered that the stores did not properly inform the customers and did not obtain the consent of the customers when the facial recognition technology was used. Moreover, it was considered that the stores were not able to demonstrate that the use of the technology was proportionate to the purpose of the processing, which is to fight shoplifting. In other words, the use of this technology can be considered too intrusive to the rights and freedoms of individuals to achieve the purpose of the processing. The stores should have tried others more appropriate means.
While the stores acted quickly in removing the facial recognition systems and destroying the associated personal information, the Commissioner issued a recommendation that the stores create and maintain strong privacy programs.
Two recommendations were made to the British Columbia government to harmonize the Personal Information Protection Act (PIPA) with biometric legislation in other jurisdictions:
- Amend the Security Services Act or similar legislation to explicitly regulate the sale or installation of technologies that collect biometric information;
A amend the Personal Information Protection Act (PIPA) to create additional obligations for organizations that deploy biometric technologies, including the obligation to report to the supervisory authority any installation of such technology.
Finally, the Commissioner reiterates that retailers must consider the data protection rights of their customers before installing new technologies that collect sensitive personal data such as biometrics data.
For you, it is then appropriate to ask yourself several things:
If you want to protect your business, and ensure that your practices comply with privacy laws, contact us.