On June 11, 2025, the Office of the Information and Privacy Commissioner of Ontario (the "IPC") issued Privacy Complaint Report PX24-00001 (the "Report"), which broadly deals with the question of whether "smart" vending machines installed on the University of Waterloo (the "University") campus violated its users' right to privacy.
The IPC received complaints from the University students who believed the "smart" vending machines were capturing facial images without their knowledge or consent. The students asserted they were not informed of the use of facial analytics technology by the vending machine, alleging its use was neither disclosed nor authorized concluding that the machines were collecting what they considered to be personal information
In response to these concerns, the University ultimately removed the vending machines. The IPC has since required further assurances that any personal or derivative information previously collected has been deleted or destroyed—and that such data will not be collected again in this manner.
Background Facts
In February 2024, reports surfaced that vending machines on the University's campus were capturing users' facial images without notice or consent.
The University entered into an agreement in October 2023 with Adaria, a company that specializes in providing vending machines, for the installation, maintenance, monitoring and stocking of 29 "smart" vending machines on its campus. Through an investigation conducted by the IPC, it was discovered that Adaria either purchased or leased the machines from a third party called MARS. MARS further contracted with Invenda, which supplied, manufactured and installed the "Invenda OS" software on the "smart" vending machines. The "Invenda OS" software collected data from the "smart" vending machines and transmitted over the internet to a cloud service. The University alleged that the "smart" vending machines used facial detection technology that collected demographic data without its knowledge.
Issues
The issues before the IPC were as follows:
- Did the use of facial detection technology result in a collection of personal information on the University's behalf under Freedom of Information and Protection of Privacy Act ("FIPPA")?
- Did the collection of personal information comply with sections 38 and 39 of FIPPA?
- Did the University have reasonable measures in place to protect personal information, as required under section 4(1) of Regulation 460 under FIPPA?
The IPC's Report
A. Did the use of facial
detection technology result in a collection of personal information
on the University's behalf under FIPPA?
The IPC found that the facial detection technology embedded in the vending machines did constitute a collection of personal information under FIPPA. The technology, developed by Quividi, captured a range of demographic and behavioural data, including:
- Time spent in the camera's field of view
- Time spent looking at the screen
- Estimated age and gender
- Mood
- Presence of facial features (e.g., beard, glasses)
- Distance from the camera
- Frequency of looking away from the screen
Although the University argued the machines' optical sensors lacked the resolution necessary to produce identifiable images, the IPC rejected this argument. It concluded that the feature maps derived from users' images still fell within the definition of "personal information" under Section 2(1) of FIPPA.
B. Did the collection of personal information comply with Sections 38 and 39 of FIPPA?
After its investigation, the IPC ultimately found the "smart" vending machines' capture of facial imaging constituted a collection of personal information from its users that did not comply with the University's obligations under Section 38(2) of FIPPA and amounted to a violation of FIPPA. Section 38(2) of FIPPA limits the circumstances in which personal information may be collected by the University. The IPC also found that the affected individuals were not provided with the requisite notice of the collection under Section 39(2) of FIPPA.
C. Did the University have reasonable measures in place to protect personal information, as required under section 4(1) of Regulation 460 under FIPPA?
While the University had general policies and safeguards in place for protecting personal information, the IPC found its procurement process deficient. Specifically, the University failed to conduct adequate due diligence regarding the privacy implications of its contract with Adaria. As a result, it did not meet its obligations under Section 4(1) of Regulation 460.
Lessons Learned
This Report serves as a clear warning to public institutions and other entities engaging third-party vendors. Before onboarding such vendors, organizations must:
- Conduct thorough due diligence
- Understand what data is being collected
- Ensure that data collection complies with applicable privacy laws
- Implement contractual and operational safeguards to protect personal information
Failure to do so can result in unintended privacy violations and regulatory scrutiny.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
