On August 11, 2025, the Office of the Privacy Commissioner of Canada ("OPC") issued two sets of guidance for processing of individual's biometric data: one for federal institutions and one for private businesses. Below we examine some of the requirements (and corresponding implications) of the business guidance and its effects on the use of biometric data in Canada.
Biometric technologies—such as fingerprint, facial recognition, and voice identification—are increasingly used by organizations to streamline access to goods and services and address security risks. While biometrics offer convenience and enhanced security, they also raise significant privacy concerns. Biometric data is unique, often immutable, and closely tied to an individual's identity. If compromised, it can lead to identity theft, fraud, surveillance, and the exposure of sensitive personal information, including health, ethnicity, and other personal traits.
Types and Uses of Biometric Technologies
The guidance identifies two primary "categories" of
biometric technologies:
- Physiological Biometrics: Data based on stable physical traits (e.g., fingerprints, iris patterns, facial geometry, DNA).
- Behavioral Biometrics: Data based on patterns of behavior (e.g., keystroke dynamics, gait, voice).
Certain identified biometric systems process raw data samples (like photos or voice recordings that do not inherently relate to "biometrics" as they cannot be correlated, independently, with any individual person) to extract features and create biometric templates for analysis, in which this information is paired with an individual and so can (or oftentimes is) used to identify that individual. These systems can be used for a variety of purposes, including:
- Recognition: Matching a biometric sample to one (verification) or many (identification) stored templates to confirm identity.
- Classification: Predicting attributes (e.g., age, gender, fatigue) from biometric data, which may not directly identify but can still be sensitive.
Sensitivity of Biometric Information
Biometric information is generally considered sensitive under
relevant data privacy laws, such as Canada's Personal
Information Protection and Electronic Documents Act
("PIPEDA"), and--in turn--given extra protections (or, as
limitations on processing). Even brief or transient use of
biometric data can be sensitive, and organizations should treat
such data with heightened care.
Key Privacy Principles and Guidance
1. Identifying an Appropriate Purpose
Organizations must clearly define and justify the purpose for
collecting biometric data. The purpose must be legitimate,
effective, minimally intrusive, and proportional to the privacy
impact. Uses that are unfair, unethical, or discriminatory are
inappropriate. The OPC has found some uses, such as mass
surveillance or unnecessary fingerprinting, to be unjustified.
2. Consent
Valid, meaningful, and express consent is required for the
collection, use, and disclosure of biometric data, especially when
sensitive. Individuals must be clearly informed about what data is
collected, why, who it is shared with, and potential risks. Consent
must be renewed if the scope of use changes. If biometrics are not
essential for service, alternatives must be provided. Publicly
observable biometric data is not exempt from consent
requirements.
3. Limiting Collection
Organizations should collect only the minimum biometric data
necessary for the stated purpose. Prefer verification (one-to-one)
over identification (one-to-many) where possible. Where feasible,
store biometric templates under the individual's control (e.g.,
on their device) rather than in centralized databases. Limit the
technical capabilities of biometric systems to prevent unnecessary
data collection.
4. Limiting Use, Disclosure, and
Retention
Biometric data must only be used for the original purpose and
retained only as long as necessary. Secondary information (e.g.,
health, ethnicity) should not be extracted or analyzed without
consent. Data should be deleted upon request, subject to legal
requirements, and sharing with third parties should be minimized
and authorized.
5. Safeguards
Strong physical, organizational, and technical security measures
must be implemented to protect biometric data. Privacy-protective
system designs (e.g., cancellable biometrics, encryption) are
recommended. Access to biometric data should be restricted to those
who need it, and security measures should be regularly tested and
updated. Breaches involving biometric data must be reported to the
OPC and affected individuals if there is a real risk of significant
harm.
6. Accuracy
Organizations must choose biometric technologies with suitable
accuracy rates, especially where errors could have significant
consequences. Systems should be tested for accuracy and bias,
particularly across different demographic groups, and monitored
regularly. Procedures should be in place to address false matches
and provide alternatives.
7. Accountability and Openness
Organizations are responsible for complying with all privacy
principles, appointing a privacy officer, and ensuring third-party
service providers meet privacy standards. Employees handling
biometric data must be trained, and robust governance, audit, and
breach response mechanisms should be in place. Organizations must
be transparent about their biometric data practices, including
types of data collected, uses, retention, and third-party sharing.
Privacy policies and contact information for responsible
individuals must be easily accessible.
Conclusion
Private business, operating in compliance with PIPEDA requirements,
must handle biometric information with heightened care, ensuring
that its collection and use are justified, limited, secure, and
transparent. The OPC guidance emphasizes strong privacy
protections, meaningful consent, and ongoing accountability to
protect individuals' rights in the context of biometric
technologies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
