BreachOfPrivacy
Menu
Register / Login

No account? Contact us

Decisions/Federal (Canada)/Personal Information Protection and Electronic Documents Act/PIPEDA Findings #2020-004: Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia
Federal (Canada)Office of the Privacy Commissioner of CanadaPersonal Information Protection and Electronic Documents ActPIPEDA Findings #2020-004Well-founded & resolved
Flag of Canada

PIPEDA Findings #2020-004: Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia

Organization: The Cadillac Fairview Corporation Limited
Decision: Oct 28, 2020Published: Oct 28, 2020
Official Decision ↗BookmarkView Governing Law
Plain-Language Summary

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

Key Issues
  • Collection, use, and disclosure of personal information via AVA technology
  • Adequacy of consent and notice for AVA technology
  • Appropriate retention of personal information collected via AVA
  • Collection, use, and disclosure of personal information via geolocation tracking
Outcome

Complaint partly well-founded and resolved, partly not well-founded

Reasoning

CFCL collected and used sensitive biometric data via AVA without adequate consent and retained it improperly, constituting contraventions. However, the geolocation aspect did not lead to a finding of contravention based on the clarified practices.

AI-generated summary for reference only. Always verify against the official decision ↗

Decision Notes
Recommended action / remedy

CFCL was recommended to either obtain meaningful express opt-in consent for AVA or cease its use, and to delete improperly retained data. It was also recommended to train staff on providing the full privacy policy. CFCL had already ceased using AVA and deleted data, leading to the resolved finding for this part.

Statutory provisions cited
  • Principle 4.3 PIPEDA
  • Section 6.1 PIPEDA
  • Section 7(1) PIPA AB
  • Section 13(1) PIPA AB
  • Section 6 PIPA BC
  • Section 10(1) PIPA BC
  • Principle 4.5.3 PIPEDA
  • Section 35 PIPA AB
  • Section 35 PIPA BC

This summary is for informational purposes only and does not constitute legal advice.