On June 11, Ontario’s Information and Privacy Commissioner (IPC) issued a privacy complaint report that found the camera-rigged vending machines on the UW campus to be a violation of the Freedom of Information and Protection of Privacy Act (FIPPA).

In February 2024, several vending machines were removed from the Modern Languages building and Hagey Hall after it was discovered they used undisclosed facial recognition technology.

The machines were originally installed in December 2023, after the university signed a deal with Adaria, the company responsible for maintenance and restocking. Adaria reportedly leased or purchased the vending machines from MARS, which contracted with software company Invenda to manufacture the machines. 

UW told the IPC they were unaware that the machines were using facial recognition technology to collect demographic data, and that Adaria was contracting with Invenda. 

The IPC report describes that the machines’ technology involved recording images of users and converting those images into grayscale maps, which were used to estimate the buyers gender and age range. Invenda and the university disputed that this violated the privacy act as the images were not stored and were deleted promptly after capture.

The report however made a series of key conclusions, as summarized:

1. The university’s use of face detection technology resulted in a collection of “personal information.” The non-permanence of the images does not negate this categorization.
2. The collection of personal information was not permissible on behalf of an institution under non-legal circumstances.
3. The university did not, and could not, provide notice of the collection of personal information despite the requirement that individuals be informed when this is occurring.
4. The university had reasonable contractual measures in place with its third-party service provider to ensure the privacy and security of personal information under its control.
5. However, the university was deficient in its overall procurement process by failing to identify that personal information would be collected as part of the vending machine services it was contracting. This failure resulted in an inability to properly evaluate the third-party service providers and their suppliers and make an appropriate selection. As such, the university fell short of its obligation to protect the personal information under its control.

Along with these conclusions, the IPC report listed two recommendations, which the university has agreed to implement:

1. The university should review its privacy policies to ensure that any future collection of personal information complies with FIPPA.
2. When planning to enter into agreements with third-party service providers, particularly those involving the use of new or “smart” technologies, the university should ensure that it carries out the necessary due diligence to identify, assess, and mitigate any potential risks to personal information throughout the entire procurement process, including during the planning, tendering, vendor selection, agreement management, and termination phases. 

To view the full text, the IPC report can be accessed here.