Is your business compliant with Law 25? Learn more →
Blog Privacy & Law 25
Privacy Smart glasses Law 25 SMEs & municipalities

AI glasses: someone is watching you
— and you have no idea.

The Ray-Ban Meta scandal in Kenya, the 2024 Harvard demonstration with PimEyes, and the Name Tag project: what AI-powered smart glasses really expose, and what Law 25 already requires of Quebec organisations.

By Michel Monette, Privacy Officer — Synéra May 11, 2026 · 7 min read

An Instagram Reel that has been circulating for a few weeks shows a man on the New York subway wearing Ray-Ban glasses. On screen: "linked to their glasses — AI." Headline: "Meta's AI glasses scandal: Kenyan annotators exposed to intimate content." What this video sums up in 60 seconds is one of the most disturbing privacy revelations of 2026 in the age of AI — and it directly concerns Quebec organisations.

This article follows our analysis of shadow AI and Law 25 published last week. Where ChatGPT and Copilot raise the problem of data deliberately entered by your employees, smart glasses raise a more insidious problem: the passive capture of third-party data — passersby, citizens, colleagues, family members — who never consented to anything.

7 M
Pairs of Ray-Ban Meta sold in 2025
×3.5 vs 2024
1,108
Kenyan workers laid off after speaking to the media
0
Federal laws in Canada specifically targeting wearables with biometric AI

What happened in Kenya — and why it concerns you

In February 2026, the Swedish newspapers Svenska Dagbladet and Göteborgs-Posten published an investigation that landed like a bombshell. Workers at Sama, a Nairobi-based data annotation company under contract with Meta, described what they viewed at the office every day: footage captured by their users' Ray-Ban Meta glasses.

Testimony · data annotator, Nairobi, 2026

"I saw a video where a man sets his glasses down on the nightstand and leaves the room. Shortly after, his wife comes in and undresses. You understand that it's someone's private life you're watching, but at the same time you're expected to do the job. You're not supposed to ask questions. If you start asking them, you're fired."

Source: Futurism · Svenska Dagbladet · Göteborgs-Posten, February 2026.

The footage included sexual intercourse, trips to the toilet, undressing, and banking details displayed on screen. The people wearing the glasses had simply activated Meta's AI feature to ask for a recipe, identify a landmark, or film their day. They had no idea their videos would be watched by a human being thousands of kilometres away.

Meta's response · March–April 2026

Two months after the revelations, Meta terminated its entire contract with Sama, leaving 1,108 workers jobless with six days' notice. The Kenyan workers' organisation denounced this as direct retaliation. Meta claims that Sama "did not meet its standards." A class action, regulatory investigations in the United Kingdom and Kenya, and a warning from the EFF (Electronic Frontier Foundation) followed. Sources: The Next Web · Futurism.

How it works — and where your consent went

The Ray-Ban Meta glasses feature a 12-megapixel camera, a microphone and a permanent connection to Meta's AI. A capacitive button on the frame triggers recording. A small white LED is meant to signal that the glasses are filming — but it is easily missed on the street, in a café or in a meeting, and can be disabled or covered up.

When a user interacts with Meta AI — asking it a question about what they see — the images and videos are sent to Meta's servers. And there, in the terms of service, a clause that no one reads states that Meta may have this content reviewed by humans:

"We may review your interactions with the AIs, including the content of your conversations or messages directed to the AIs, and this review may be automated or manual (human)." — Meta AI Terms of Service, 2025 · Source: Futurism

In other words: you cannot use the AI features of the glasses without agreeing that your videos may potentially be seen by humans. This is not a configuration flaw. It is a deliberate architecture, buried in a legal document that the vast majority of users will never read.

The third-party consent problem

The people filmed by the glasses — passersby, colleagues, family members, citizens at a meeting — never signed Meta's terms of service. They consented to nothing. Yet it is their faces, their voices and their behaviours that feed the AI models. In Quebec, Law 25 considers these people to be the subjects of the personal information collected — and their consent is mandatory.

Harvard, October 2024: the demonstration that changed everything

Even before the Kenyan scandal, two Harvard students — AnhPhu Nguyen and Caine Ardayfio — had made the problem strikingly concrete. In October 2024, they paired Ray-Ban Meta glasses with the PimEyes facial recognition engine.

The result: within seconds, while walking through the Boston subway, they could identify total strangers and retrieve their name, phone number and address. No sophisticated hacking — only consumer tools available to anyone. Their demonstration video went viral. The goal: to alert the public to what these devices now make possible.

Real case · Harvard 2024

The Boston subway: identifying a stranger in 30 seconds

Nguyen and Ardayfio demonstrated that with smart glasses and an online facial recognition tool, anyone can identify a person in public and obtain their personal contact details — without the target ever suspecting it. Meta responded by pointing to the signalling LED. Privacy advocates retorted: a 2 mm LED in a crowded space is not consent. Source: KultureGeek.

Two years later, Meta is preparing to officially integrate a facial recognition feature called "Name Tag" directly into its Ray-Ban glasses. According to KultureGeek (February 2026), the project is personally backed by Mark Zuckerberg. The Harvard demonstration, which was a warning, could soon become an official feature.

Timeline of a surveillance that is settling in

Oct. 2024
Harvard and PimEyes

Two students prove that it is possible to identify anyone on the street by combining Ray-Ban Meta and consumer-grade facial recognition. The video travels around the world.

2025
7 million pairs sold

EssilorLuxottica announces it sold 7 million Ray-Ban Meta in 2025, a 250% increase in one year. Smart glasses go from gadget to mainstream consumer product.

Feb. 2026
The Kenyan scandal breaks

The Swedish press reveals that Sama annotators (Nairobi) were viewing intimate footage captured by Meta glasses. Investigations are opened in Kenya and the United Kingdom.

Apr. 2026
1,108 layoffs

Meta terminates its contract with Sama. The workers receive six days' notice. A class action is launched. The EFF and digital rights groups denounce an attempt at silencing.

2026 →
"Name Tag": built-in facial recognition on the horizon

Meta is working to natively integrate facial recognition into its glasses. The regulatory vacuum specifically targeting wearables (Canada, United States) makes this rollout legally possible — but Quebec's Law 25 already imposes clear obligations on organisations that use these tools.

Law 25: is your organisation exposed?

For Quebec municipalities, non-profits and SMEs, these glasses raise concrete and urgent questions — especially in light of Law 25.

Law 25 considers the images of an identifiable person to be personal information. Biometric data — such as a facial profile — is sensitive personal information, subject to enhanced protections (s. 12, 59). Collecting biometric data without explicit consent is a direct violation of Law 25.

A concrete scenario · your organisation

A municipal employee wears Ray-Ban Meta glasses during a public meeting to take hands-free notes. They activate Meta AI to transcribe the discussion. The faces of the citizens present are automatically recorded, sent to American servers, and potentially reviewed by human annotators. No citizen consented. Your organisation can be held liable — and face a fine of up to $25M CAD or 4% of worldwide turnover (s. 93 of Law 25).

And don't forget the American CLOUD Act: even if the data passes through servers physically located in Canada, if the provider is a company incorporated under American law (such as Meta), the U.S. government can access it. Law 25 and the CLOUD Act create a direct tension that your organisation cannot ignore — a point already covered in our article on shadow AI.

Five Law 25 obligations that apply to AI wearables right now

01
A connected-equipment use policy

Define whether and how wearable AI devices may be used in a professional context, during meetings, or in the presence of citizens or users. A written policy, signed and enforced.

02
A privacy impact assessment (PIA)

Before deploying any tool that captures third-party personal data (images, voice), a formal risk assessment is required (s. 3.3). It is your main documentary line of defence.

03
Explicit consent of the people filmed

Citizens, users or employees whose data is captured must be informed and must consent. A 2 mm LED does not constitute valid consent within the meaning of Law 25.

04
Confidentiality incident reporting

If an employee used smart glasses during an event involving personal data, there may be an obligation to report to the CAI and to notify the individuals concerned.

05
A designated officer (Privacy Officer) able to respond

Your Privacy Officer must be aware of these issues and able to answer questions from your users and employees. For SMEs, the Privacy Officer on demand is a fitting answer.

What this affair reveals about AI in general

The Meta glasses are not an isolated case. The affair illustrates a systemic problem: the training and improvement of AI models rely on an invisible, underpaid human infrastructure exposed to content that no one had anticipated.

It is not only Meta. OpenAI, Google, Microsoft — all of them rely on human annotation teams in low-labour-cost countries to label the data that trains their models. In most cases, these workers sign drastic confidentiality agreements and have no recourse if they are exposed to traumatic content.

"You'd think that if they knew the scale of the data collection, no one would dare use these glasses." — A Meta data annotator, quoted in the Swedish investigation · Futurism, 2026

The real question this issue raises is not technical. It is ethical and organisational: has your organisation considered what the AI tools it uses — or that its employees use — actually do with the data entrusted to them?

Action plan: what you can do this very week

Five concrete actions that any Quebec organisation — municipality, SME, non-profit — can put in place right now:

1
Inventory the connected equipment in use

Smart glasses, watches, AI headphones, recording badges. What you don't see can still create legal liability.

2
Add AI wearables to your use policy

If you have a policy on cellphones in meetings, it must be extended to smart glasses and other AI devices. Clear posting, uniform enforcement.

3
Train your employees and elected officials

Many wear these glasses without understanding what they capture or where the data goes. Awareness is your first line of defence.

4
Set clear rules for public spaces and official meetings

The data of your citizens and users enjoys the same protections as that of your clients. Reception areas and council chambers deserve explicit governance.

5
Consult a Law 25 compliance expert

To assess your specific risks linked to connected objects and wearable AI. This segment is evolving very quickly, and so is your exposure.

One to watch closely

Meta is preparing to integrate native facial recognition into its glasses under the name Name Tag. If this rollout goes ahead, the stakes for any Quebec organisation operating in semi-public spaces (reception halls, citizen meetings, events) will become critical. Learn more →

Law 25 & wearables governance — Synéra

Don't let technology decide for you

Synéra supports Quebec municipalities, SMEs and non-profits with their Law 25 assessment, their AI-tool use policy — including wearables — and the protection of the personal information of their users and employees.

Request a consultation See the Privacy Officer on demand

Further reading

Synéra packages mentioned in this article

Follow the author and Synéra

This article is written for general information and awareness purposes. It does not constitute legal advice. For any question relating to your specific situation, contact Synéra or your legal advisor.

Related articles

AI & Law 25
AI and personal data: what your organisation really risks
Read the article →
AI & governance
The post-Mythos era: why protecting personal data is becoming a governance issue
Read the article →
Law 25
Privacy Officer on demand: why this role is becoming essential for Quebec SMEs
Read the article →