Québec’s privacy regulator prohibits retailer’s use of facial recognition for loss prevention

On February 18, 2025, the Commission d’accès à l’information du Québec (the CAI) issued a decision prohibiting a major grocery and pharmacy chain from deploying its proposed facial recognition pilot project, which was aimed at preventing shoplifting and fraud in its stores.

While the use of video surveillance is a common practice in retail settings in Québec, this decision is an important reminder that the extraction of biometric data from raw video surveillance images must comply with stringent obligations under Québec’s Act to establish a legal framework for information technology (the Québec IT Act) in addition to private sector privacy legislation.

The investigation specifically focused on assessing the company’s compliance with the requirements set out in the Québec IT Act regarding the use of biometric data to verify or confirm identity. As a result, the decision did not address broader compliance issues under the Act respecting the protection of personal information in the private sector (the Québec Privacy Act), including whether the collection of biometric data using facial recognition met the necessity criteria in the particular context of the case,^[1] and whether the collection would be for a “legitimate reason”.^[2] The necessity criteria was recently analyzed in another CAI decision involving the use of facial recognition technology to control employee access to the workplace (see our previous Osler Update: “Québec privacy commissioner continues to set high bar for biometric data processing: lessons for business” article for details).

You can read our article available on Osler’s website.

This content has been updated on March 26, 2025 at 17 h 32 min.