Privacy Commissioners release findings on facial recognition in Clearview AI

On February 3, 2021, all four Canadian private sector privacy regulators (federal, B.C., Quebec and Alberta) released their joint findings in the Clearview AI facial recognition investigation.

The facial recognition use case in Clearview AI appears quite different from typical facial recognition use cases in retail, which include in-store theft deterrence (view retail examples). However, the findings still provide some guidance applicable to those retailers, anecdotally in the minority in Canada, who are either considering or actually implementing facial recognition on their premises and navigating regulatory uncertainty as a result. 

Clearview AI collected billions of facial images and associated data from individuals on the internet, including from many Canadians.  Law enforcement clients and private entities could and did search the Clearview database to identify people. Despite Clearview’s arguments to the contrary, the Canadian privacy Commissioners found the U.S.-based company had broken privacy law by collecting Canadians’ information without knowledge or consent and using it for inappropriate purposes.

Key takeaways for retailers 

1. Retailers considering software that processes Canadians’ facial biometrics, whether that software is described as facial recognition software or otherwise, should be aware that express, opt-in consent will likely be required. The Clearview findings specify that facial biometric information is a particularly sensitive form of biometric information. Clearview should have obtained express, opt-in consent before it collected online images of individuals in Canada (paragraph 41-42). In Quebec, express consent is required for using biometrics. Companies must disclose the creation or existence of biometrics systems to the Quebec privacy regulator (paragraph 104).

2. If you are a retailer considering using facial recognition in Canada, be aware that this has some risks in the current privacy climate. Assess your use cases thoroughly. Consider doing a privacy impact assessment and seeking expert advice to ensure that meaningful consent is obtained at the right threshold (see the OPC’s Guidelines for obtaining meaningful consent) and to future-proof your decisions in light of proposed legislative changes in privacy. For example, if consent for facial recognition is generally express and opt-in, simply providing notice to customers through store signage that you are using facial recognition may not be enough to satisfy your privacy obligations.  The Clearview findings also conclude that the purposes for which Clearview collected facial biometrics were inappropriate. Going forward, this raises the question of whether other purposes for collecting facial biometrics, such as for loss prevention, may also be deemed inappropriate by privacy regulators.  

3. The Clearview findings also address gathering and using personal information shared publicly by individuals on the internet, e.g. on a public website or publicly available social media profiles.  The findings say that information published on public websites and non-private social media is not included in exceptions to consent under existing regulations that apply to publicly available information (paragraphs 56 – 67). Anecdotally, some digital marketing services may utilize such information. Retailers may, again, wish to be careful here by conducting a privacy impact assessment or speaking with privacy experts before using such techniques, whether in-house or via service providers.  

High monetary penalties pending in Canadian privacy reform

The Clearview AI findings have been released during a period of significant reform in Canadian privacy law. Canada and Quebec have both released proposed Bills for comprehensive privacy reform.  Both include high monetary penalties and fines, to the tune of 4% or 5% of global turnover. 

In the federal privacy Bill C-11, violating some elements around consent requirements may potentially be grounds for administrative monetary penalties of up to $10M or 3% of global turnover, whichever is higher. There is also a private right of action. Although the federal Privacy Commissioner will be empowered to recommend AMPs, a new regulatory authority called the Data Tribunal will be empowered to actually administer them. Depending in part on how the Bill develops as it moves through Parliament, contraventions of consent (and other) rules could potentially risk significant financial as well as reputational consequences.

Disclaimer: none of the information here is legal advice. This is to inform readers of regulatory and legislative developments relevant to privacy and data governance and what they may mean for retail. For more information, contact Kate Skipton at kskipton@retailcouncil.org

More information:

• View legal overview of Clearview AI findings
• The Clearview findings, PIPEDA Report of Findings #2021-001
• For additional insight into facial image biometrics regulation in Canada, see Cadillac Fairview findings.
• See more RCC resources on Retail Privacy and Data.