An investigation by the Office of the Information and Privacy Commissioner of British Columbia (OIPC) has found that 4 Canadian Tire stores in British Columbia, Canada, violated British Columbia's Protection of Personal Information Act (PIPA) by using facial recognition technology to collect customers' biometric information from 2018 to 2021. In fact, 12 stores were identified as using this technology but not all institutions were investigated. The remaining stores confirmed that they removed their facial recognition systems after the investigation began.

The Data Supervisory Authority considered that the stores did not properly inform the customers and did not obtain the consent of the customers when the facial recognition technology was used. Moreover, it was considered that the stores were not able to demonstrate that the use of the technology was proportionate to the purpose of the processing, which is to fight shoplifting. In other words, the use of this technology can be considered too intrusive to the rights and freedoms of individuals to achieve the purpose of the processing. The stores should have tried others more appropriate means.

While the stores acted quickly in removing the facial recognition systems and destroying the associated personal information, the Commissioner issued a recommendation that the stores create and maintain strong privacy programs. 

Two recommendations were made to the British Columbia government to harmonize the Personal Information Protection Act (PIPA) with biometric legislation in other jurisdictions:
- Amend the Security Services Act or similar legislation to explicitly regulate the sale or installation of technologies that collect biometric information;
A amend the Personal Information Protection Act (PIPA) to create additional obligations for organizations that deploy biometric technologies, including the obligation to report to the supervisory authority any installation of such technology.

Finally, the Commissioner reiterates that retailers must consider the data protection rights of their customers before installing new technologies that collect sensitive personal data such as biometrics data.

For you, it is then appropriate to ask yourself several things:

• Always identify whether the processing of sensitive personal information is proportional to the purpose and whether the purpose of the processing cannot be achieved in a way that is less ostentatious to the freedoms and rights of individuals.
• Question the feasibility of the project with respect to the laws on the protection of personal information, and the supervision of personal information that must be carried out prior to the implementation of the processing. In this case, Canadian Tire should have informed individuals and ensured that it had the consent of individuals to implement the processing of personal information.
• Have an internal or external resource available to advise you on the implementation of sensitive personal information processing.

If you want to protect your business, and ensure that your practices comply with privacy laws, contact us.