[strawberrypuree]

>The company also argued shoppers were made aware of the activity through decals it had placed on shopping mall entry doors that referred to Cadillac Fairview's privacy policy.

Do what now? Physical spaces have privacy policies? We're really sleepwalking into a dystopia. If you don't like the privacy policy of your shopping mall, you're free to shop... online, where they get even more behavioral data on you. Yikes.

[lhorie]

> shoppers were made aware of the activity through decals

Indeed there's a huge glaring problem here: many of these malls have branded entrances (Shoppers Drug Mart, Best Buy, etc) through which a large portion of consumers walk into the mall, and these alleged decals are not present in those entrances. Here's an example [1]. Frankly I don't see said decals even in the non-branded entrances[2]

They're going to have a very hard time convincing the commissioner that people were in fact aware of these decals AND any "privay policy" therein. A simple survey would easily show that people are completely clueless about it (anecdote: I used to frequent CF malls quite a bit when I was in Toronto and never saw anything of the sort, even despite being the type of person that might actually read random stuff posted at entrances).

[1] https://www.google.com/maps/@43.7788812,-79.3447734,3a,75y,1...

[2] https://www.google.com/maps/@43.7789409,-79.3444783,3a,75y,1...

[black_puppydog]

Sorry but if you're taking their argument at face value that decals might be the way to go here and everything would be fine if only they were there, then they've basically won.

Don't get side tracked.

[lhorie]

My take is that the claim that "shoppers were made aware of the activity through decals" fails on multiple levels: whether said decals were actually there, whether they would be capable of capturing nuances of scope if they were (e.g. there's different expectations between a mall entrance, the Shoppers entrance and the LCBO entrance), whether people noticed the alleged decals if they were there, whether they could be reasonably expect to understand it (e.g. non-english speakers), whether people could infer that legalese existed if they did understand it, whether they were capable of understanding the actual terms (e.g. tech illiterates), whether it is reasonable to expect that people would consciously agree to whatever terms are laid out in the legalese, whether all people captured by face recognition necessarily were actually aware of the terms, etc. It just doesn't stick on so many levels.

[mynegation]

For non-Canadians here: Shoppers is pharmacies and LCBO is provincially-controlled liquor store that has near monopoly on hard liquor sales.

[koolba]

“Near monopoly”? Outside of duty free, where else can you buy booze (not beer) besides the LCBO?

[mynegation]

You can buy hard liquor in artisanal distilleries like Spirit of York or few in Niagara region. And talking about “not beer”, wine has been available in grocery stores for a while now.

[buildbot]

Doesn’t this vary by province? BC has quite a few non- bc liquor stores, at least in Vancouver.

[kortilla]

A bar

[buran77]

Any consent that isn't explicit should have no legal value. A "decal" on a door is about as useful as a size 2 font fine print, or an audio disclaimer played back at 5 times the speed.

This implicit agreement can be used to obtain quite literally anything without the other party ever knowing.

[black_puppydog]

In that case I think we're in agreement. :)

[smitty1110]

Disclaimer: IANAL, caveat lector.

Taking the argument at face value is probably not the right conclusion [1]. The linked court case establishes what we would call in American law Informed Consent. If you can't read disclaimer at the door until you are in camera range, is that really informed consent? And if the disclaimer does not actually list the policy in question, but refers you to a website to read it, can it be considered sufficient? A quote from the ruling is relevant here - "The more onerous the exclusion clause the more explicit the notice must be". Now, this case was related to legal liabilities related to injury in a ski resort, but it's the closet thing I've found. I suspect a judge won't take long to rule in favor of the plaintiff.

[1] - https://www.canlii.org/en/bc/bcca/doc/2020/2020bcca78/2020bc...

[zapdrive]

The decals might be installed on the inside doors that lead from shoppers drug Mart to the the mall.

[gruez]

The streetview images are dated may 2019, but the article says

>CF suspended its use of cameras back in 2018 [...]

[amelius]

Even if there were large signs, people would just not care.

[vel0city]

In Canada, do you even really have a right to privacy when in public spaces like a shopping mall? Is there even a legal expectation that there aren't cameras doing this kind of thing all the time? In most places in the US I know there isn't a right to privacy within a public space. If I as a shop owner put up security cameras in this same fashion in most of the US this wouldn't be against the law. There's no law preventing me from putting up cameras all along my home looking out into the street doing the same.

[dblohm7]

> In Canada, do you even really have a right to privacy when in public spaces like a shopping mall?

Yes, you do, because while a shopping mall might be considered a "public space," it is private property owned by a private organization. In Canada the PIPEDA [1] covers this federally, though the law is written such that it is a backstop, and provinces are free to enact their own "substantially similar" (or stricter) laws if they choose. For example, in Alberta the PIPA [2] covers these issues.

And as the article states, both federal and provincial privacy commissioners found CF in violation of those laws.

[1] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-can...

[2] https://www.alberta.ca/personal-information-protection-act-o...

[vel0city]

Personal information under these laws are defined as:

    age, name, ID numbers, income, ethnic origin, or blood type;
    opinions, evaluations, comments, social status, or disciplinary actions; and
    employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

How does video of people passing by meet such a definition?

[jellicle]

Just to be clear (because the article isn't), what CF did was install a bunch of computerized kiosks to replace the information map kiosks, then when anyone used those kiosks (peering at screen from 2 feet away, tapping at it), a hidden camera (no external indication that there's a camera behind the black glass screen) recorded their face and what store they were looking for. This was intentional to collect and store info about individual mall users.

It wasn't some security camera overlooking the concourse from 30 feet up or anything like that.

[hibbelig]

They stopped a representation that allowed them to identify that the same person visited again. That’s an id number. They guessed age and gender.

[YetAnotherNick]

By ID, gp likely means government id, not identification by face. I can recognise my neighbours, but that doesn't mean I have their personal information.

[hibbelig]

In Europe, data that can be used to identify a person is also protected. For example, IP address plus timestamp is protected. Because you could obtain customer information from the ISP.

That's how I understand things.

[0xCMP]

The intent to buy things in the mall (or not) for one

[nitrogen]

Age and (to a limited extent) ethnic origin can also be inferred from video. So can income and social status, via apparel, posture, etc.

[8note]

A lack of a law preventing it doesn't make it good though. We can add new laws and regulations

[mynegation]

It is one thing to have cameras for security and store records for a limited amount of time for police investigation and what not. But applying facial recognition, biometric analysis, and storing it indefinitely is whole another ballgame.

[voisin]

It’s crazy that their lawyers think that merely referring to a privacy policy via a decal on the door is adequate acceptance of this kind of intrusion. I thought the laws required explicit acceptance online, via a check box on sign up, along with emailed updates when the policy changes. Merely walking through a door cannot possibly be construed to be explicit acceptance.

[gravitas]

> It’s crazy that their lawyers think that merely referring to a privacy policy via a decal on the door is adequate acceptance of this kind of intrusion

Very abstractly, legal precedent exists for the general implementation. Texas has what's called "the 30.07 sign" codified in the penal code (30.06 concealed, 30.07 open carry)[1] which prohibits firearm carry on that property with nothing more than a proper/legal sign. The responsibility lies on the entrant to notice and comply with the sign prior to entering the establishment, no explicit acknowledgement is required by that place of business for it to be enforced.

(not saying I agree with what's going on here, only that I can see lawyers using laws like this to support the action in the face of no laws saying it can't be done like this - a judge may throw the argument out, but it could be made as a good faith argument? My mind is thinking about how in the 90s "shrink wrap acceptance" was just a given - you opened he box so you accepted the license, but in 2020 many new laws have been developed to curtail that design and now require explicit acceptance by the end-user.)

[1] https://statutes.capitol.texas.gov/Docs/PE/htm/PE.30.htm

[texasbigdata]

Interesting example.

Not super familiar but that’s a licensed activity right? As in there’s some training and/or test administered upon gun purchase? Sorry if that’s not the case. But that feels marginally different because if you had a handgun and you knew this door sign governed whether or not you could bring it into a premise, you would look out for it.

No one is staring at the door of the drug store, because we are not trained to do that.

[msla]

Yes, it's licensed. There's a class and a proficiency demonstration:

https://onlinetexasltc.com/texas-concealed-carry/

[gruez]

Not sure about the privacy laws in Canada, but are there any laws against video recording and/or facial recognition? AFAIK by default they're fair game because there's no expectation of privacy while in public.

[scotty79]

I don't see it any more crazy than that you can legally agree to something by clicking.

[gnrlbzik]

indeed, I almost fell off my chair : ) If we do not read it in comfort of our home, why would one do so walking into the mall.... and there is not even a precedent to do so....

[reaperducer]

Physical spaces have privacy policies?

I've seen TOSes on mall doors before. They've been white letters on clear glass at just about foot level written in letters about 1cm tall. They were usually about violence and guns and shoplifting being grounds to ejection and banning.

The only people who ever see them is the decal printing company, the guy who installs them, and mice.

[WWLink]

A lot of malls I've been in have a "terms of conduct" sign near the entrance when you walk in. Similarly bizarre are the signs at the parking lot entrance that act similarly.

I'll take that one further! Every street that enters the city I live in, has a sign with text that you'll only be able to read if you park your car, get out, and walk up to it. I've lived here 5 years and I still don't know what the heck those signs say lol. My guess is it's something about parking enforcement? Sigh. It's completely absurd lol.

[sellyme]

The ones here all say "No Roller-blading", which should be a good indicator as to how relevant they are.

[kevin_thibedeau]

The best defense against hackers.

[qppo]

When I was in college Fortinet pitched a capstone project for an automated doorman that tracked passersby, delivery people, residents, etc using cameras posted at doors.

We asked why they couldn't use other biometrics which were much more established at the time (eg fingerprint scanners at the doorway), they said because other biometrics required consent. They wanted to track people without their knowing or agreement.

When asked about the ethics they said something along the lines of "this is what our customers are asking for."

Point being you don't need a privacy policy when you don't have a reasonable expectation of privacy in the first place. They can take pictures of you, store them in a database, sell them if they want. You don't have a right to be forgotten. And there are people that don't see anything wrong with that.

[donmcronald]

The tech capabilities have changed so much that I'd say it's closer to being surveilled than observed in a public place. Compare it to security cameras where you're recorded almost everywhere, but the video is relatively transient and often only reviewed / saved if a crime or disturbance occurs.

That's a lot different than companies tracking me via facial recognition, storing the data in databases that never get deleted, and combining it with behavioral data. It's going to lead to all kind of abuse. We'll end up with many variants of redlining, but digital.

What happens when that type of data is collected for today's youth and 20 years from now employers start using it to screen job applicants? What if the machine learning algorithms can't distinguish between correlation and causality? Does the "profile" of a successful person become someone from a rich neighborhood as a result of naive correlation?

I'm sure it'll be amazing for wealthy people and terrible for poor people. If I'm rich and walk into a mall, I get treated like a VIP. If I'm poor, maybe the doors don't even open.

[rz2k]

About five years ago there was a decal on the glass beside the entrance to the Stanford Shopping Center Neiman Marcus notifying customers that they were tracked by their phones.

I wonder if they stopped in response to complaints, or decided the notification was unnecessary. At the time, I figured their system judged me for browsing $800 jeans and not making a purchase.

[OzzyB]

Hey, if you don't like what your local shopping mall is doing, build your own!

[dave5104]

Or even better, stop patronizing it and contribute to its crumbling real estate value.

[monkeybutton]

Though, the more malls decline, the more they will behave like this. Optimizing and squeezing more out of their shrinking value.

[a_imho]

We're really sleepwalking into a dystopia.

Maybe some, but most people are aware. They have very little to zero power to fight back the abuse.

[xwdv]

I have a privacy policy for people entering my dwelling or using my guest wifi.