Skip to content
Join our Newsletter

Some B.C. Canadian Tire stores used facial recognition technology improperly

The collection of thousands of customers' biometric information for merchandise theft control was not warranted or explained, B.C.'s privacy commissioner has found.
Canadian Tire building
Canadian Tire implemented the technology to target repeat offenders.

A number of B.C. Canadian Tire stores used facial recognition technology (FRT) to engage in improper customer surveillance, B.C.’s information and privacy commissioner has found.

“The particulars of this case did not warrant collecting the facial biometrics of every individual (including minors) entering Canadian Tire stores in British Columbia,” said a report released April 20 by commissioner Michel McEvoy.

“The biometric information captured by FRT systems — the precise and unique mathematical rendering of your face — is highly sensitive. Retailers, like the ones in this case, would have to present a highly compelling case to demonstrate such collection would be reasonable,” McEvoy said. “The stores failed to do so in this case."

McEvoy said 12 stores across the province used the technology for about three years to target repeat offenders who stole merchandise. The privacy commissioner investigated four in the Lower Mainland, Vancouver Island and the Interior.

The report called the FRT usage a “marginal security advantage (that) is not proportionate to the substantial risk of data breaches, identity theft, and other abuses.”

Store managers reported facial recognition technology was rarely needed to identify a person of interest, and that staff generally knew such people.

"Arguably, the stores gained little by employing FRT on top of less-intrusive alternatives already in place,” McEvoy's report said. “At most, FRT might alert store staff to a known suspect a little more quickly than might otherwise be the case.”

The stores did post notices about surveillance but the notices varied. Variously, FRT was not explained, reasons for data collection were not detailed and implications for the public were vague.

“Understanding what is being collected, and how, allows individuals to make informed decisions about what they consent to, should they choose to enter an establishment that notifies them that the premises are monitored by video surveillance and details how their information will be used,” the report said.

The systems collected facial images or videos of customers entering the stores, created biometric templates from those faces, and compared them to a database of previously collected photos and biometric templates of persons of interest.

“The investigation showed that the stores did not adequately notify customers and did not obtain consent for the collection of personal information using FRT,” the report said.

Moreover, the report said even if the stores had obtained customer consent, they were still required to demonstrate a reasonable purpose for collection and use.

“The investigation found that they did not do so,” the report said.

The report said databases storing troves of sensitive biometric data become high-value targets for cybercrime.

“Whether accidental or intentional, biometric data breaches can exacerbate acts of stalking, identity theft, and financial fraud,” the report said. “The stakes are high because a person’s digital facial print, unlike a computer password, cannot be changed if it is hacked or stolen.

“Finally, a pervasive spread of biometric surveillance infringes on every citizen’s right of privacy and robs the public of its right to anonymity. It should not be the case in a free and democratic society that simply by walking in a public space, or through a given entrance way, a person hands over their highly detailed physical measurements.”

The privacy commissioner's investigation found information on hundreds of customers was collected each day.

Recommendations

McEvoy’s report made three recommendations:

  • stores should create and maintain robust privacy management programs that will better equip the them for current and future decisions around managing personal information;
     
  • the B.C. government should regulate the sale or installation of technologies that capture biometric information; and,
     
  • the B.C. government should amend the Personal Information Protection Act to create additional obligations for organizations that collect, use, or disclose biometric information, including requiring notification to the commissioner’s office.

Glacier Media has reached out to Canadian Tire for comment.

[email protected]

twitter.com/jhainswo