ARTICLE
25 September 2025

Privacy Commissioner Of Canada's New Guidance On Biometrics: What Does It Mean For Your Business?

Borden Ladner Gervais LLP


BLG is a leading, national, full-service Canadian law firm focusing on business law, commercial litigation, and intellectual property solutions for our clients. BLG is one of the country’s largest law firms with more than 750 lawyers, intellectual property agents and other professionals in five cities across Canada.

From the office to the checkout line, biometric tools are everywhere: logging employees through fingerprint time clocks, authenticating customers by their voice, and monitoring retail floors with facial recognition. Yet, one question looms large: what rules guide their use?

On Aug. 11, 2025, the Office of the Privacy Commissioner of Canada (OPC) issued its final Guidance for processing biometrics – for businesses (Guidance) for private-sector organizations deploying biometric initiatives. It addresses key considerations for organizations on their privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) and best practices for handling biometric information.

New Guidance basics

The Guidance was developed for both the public and private sectors, and follows a public consultation by the OPC held from Nov. 2023 to Feb. 2024, during which the OPC received 34 written submissions and met with 31 organizations to discuss various stakeholders' views on the draft guidance (Draft).

The motive behind creating the new Guidance was that the previous one, published in 2011, did not reflect the growing number of organizations currently using biometric technologies such as facial recognition and fingerprint scanning. The OPC opined that, while biometrics can enhance security and help with service delivery, they can also raise privacy issues since biometric information is intimately linked to an individual's body, potentially revealing sensitive information. As such, the OPC felt the need to offer updated insight in helping organizations ensure that they use such technologies in a privacy-protective way.

Interestingly, although the Guidance is not by nature a legally binding document, its deliberate use of "must" and "should" throughout the document highlights its practical weight. In fact, even sections that contain the word "should" often imply a requirement which, if not followed, could result in a PIPEDA report. For instance, the fact that the OPC uses appropriateness criteria when conducting investigations implies that organizations must, rather than should, follow the Guidance's criteria.

Comparison with the Draft Guidance

The OPC's Guidance goes into considerably more depth than the Draft in explaining how biometric systems operate. It breaks down key terms, distinguishes between recognition and classification, and further clarifies what constitutes biometric information. We go over these definitions and distinctions in more detail below.

The updated Guidance also provides a more nuanced treatment of sensitivity: biometric information that uniquely identifies an individual is always considered sensitive, while non-identifying information may or may not be sensitive depending on the risks it poses, or what it reveals about that individual. In fact, in the Draft, sensitivity was embedded within the appropriateness test, effectively treating sensitivity as part of that threshold. The OPC's Guidance now treats sensitivity as an independent factor, while appropriateness is assessed through its own structured test, as delineated below.

The OPC's Guidance also reworks the approach to consent. Whereas the Draft stated that the use of biometrics would "almost always" require express consent, the OPC's Guidance instead speaks of requiring an "appropriate form of consent." This means that while express consent remains the general rule for biometric information, there may be limited contexts where implied consent could be sufficient for biometric information that is not deemed sensitive.

At the same time, the updated Guidance softens some of the categorical "musts" in the Draft while hardening others.

For example, the Draft required that organizations "must" use verification before identification, keep disclosure to a "tight circle," and always inform individuals about transfers to service providers. In the final version, these have been reframed as "should" obligations, leaving room for a risk-based application.

Conversely, other expectations have been strengthened: organizations "must" now use biometric systems that are privacy-protective by design, and they "must" ensure both technical accuracy and fairness, including minimizing performance discrepancies across socio-demographic groups.

The OPC's Guidance also reshapes how safeguards are framed. The Draft went into technical detail about specific attack types such as spoofing or hill climbing. The final Guidance removes much of this taxonomy and instead presents a more outcomes-based, operational checklist. It emphasizes requirements such as using cancellable templates, applying end-to-end encryption, and conducting regular vulnerability testing. This shift reflects the OPC's intent to guide organizations toward practical, measurable security outcomes, making the sections more accessible and implementation-focused for businesses.

Interplay with Québec

The OPC's updated Guidance generally aligns with Québec's Commission d'accès à l'information (CAI)'s guide on biometrics (available in French only), and follows recent decisions from the CAI considering organizations' processing of biometric information for the purposes of loss prevention and access control to business premises. These decisions highlight an increase in regulatory scrutiny regarding the use of biometrics, particularly in respect of the necessity and proportionality of these more privacy-invasive tools.

Note that while the OPC's Guidance is advisory, Québec has established more prescriptive requirements. Although the Act respecting the protection of personal information in the private sector (Québec Privacy Act) only regulates biometric information through the notion of sensitive personal information, the Act to establish a legal framework for information technology (Québec IT Act) specifically addresses organizations' obligations with respect to the collection and processing of biometric information.

For instance, Québec organizations must, in addition to obtaining the express consent of individuals for the collection of their biometric data, declare in advance to the CAI the use of a biometric system for the verification or confirmation of a person's identity, even if no biometric data is stored in a database. Note that the notice must be made at least 60 days prior to the use of a database of biometric characteristics. The CAI also mandates organizations to conduct a privacy impact assessment (PIA) before deploying any biometric system, whereas a PIA is not required, but strongly recommended, by the OPC.

Key concepts

"Biometrics" is generally understood as the quantification of human characteristics into measurable terms. In the context of the OPC's Guidance, it typically refers to systems used to identify or verify the identity of individuals by using their biometric information, such as fingerprints, iris and retina prints, hand and face geometry, or voiceprints (that is, biometric recognition), but it can also encompass newer systems that analyze biometric information to predict attributes like age or gender (also known as biometric classification).

This is an important point given that biometric information — which is information about biometric characteristics that has been extracted from a biometric sample — is typically considered sensitive personal information and is, therefore, subject to private-sector data protection laws regardless of the purpose of its use. It is interesting to note that the OPC's definition of biometrics is broader than the CAI's, which allows for greater regulatory scope and a more flexible, risk-based approach to security.

Verification and identification are the two main functions of biometrics (also known as identification and authentication, respectively, in Québec). Their technical operation is different, which may lead to distinct legal implications and risks. While the notion of "verification" consists of verifying or confirming the identity of an individual (one-to-one matching), the notion of "identification" instead means to find an identity in a database to determine who the person is (one-to-many matching).

For example, verification allows someone to verify or confirm whether an individual is who they claim to be, whereas identification may be used to authorize or deny access (that is, the captured biometric information was found in a database). The identification function will generally trigger more risks since a reference database must be implemented, which is not necessarily the case for the verification function.
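To make the one-to-one versus one-to-many distinction concrete, here is an added illustration that is not part of the original article: a toy bit-string matcher over constructed templates (the 16-bit vectors, the 0.25 match threshold and the user names are all assumed), plus the standard estimate of how an impostor's chance of matching at least one enrolled person grows with the size of the reference database that identification requires.

```python
from typing import Dict, Optional, Sequence

# Constructed toy templates: each is a 16-bit feature vector. Real systems use
# proprietary feature extractors; the bits below are illustrative only.
TEMPLATES: Dict[str, Sequence[int]] = {
    "alice": [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1],
    "bob":   [0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1],
    "carol": [1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0],
}
# A fresh capture of Alice that differs from her enrolled template in 2 bits.
ALICE_PROBE = [0, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
# A capture from someone who was never enrolled (constructed).
STRANGER_PROBE = [0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0]

THRESHOLD = 0.25  # assumed: fraction of differing bits tolerated as a match


def distance(a: Sequence[int], b: Sequence[int]) -> float:
    """Normalized Hamming distance between two equal-length bit templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(probe: Sequence[int], claimed_template: Sequence[int],
           threshold: float = THRESHOLD) -> bool:
    """One-to-one matching: the probe is compared with the single template of
    the identity the person claims. The template can be supplied by the person
    (e.g. held on their own device), so no central reference database is needed."""
    return distance(probe, claimed_template) <= threshold


def identify(probe: Sequence[int], database: Dict[str, Sequence[int]],
             threshold: float = THRESHOLD) -> Optional[str]:
    """One-to-many matching: the probe is compared with every enrolled template
    and the closest one under the threshold is returned, or None if nobody
    matches. This is the function that forces a centralized reference database."""
    best_id, best_d = None, threshold
    for uid, template in database.items():
        d = distance(probe, template)
        if d <= best_d:
            best_id, best_d = uid, d
    return best_id


def system_false_match_rate(single_fmr: float, n_enrolled: int) -> float:
    """Probability that an impostor probe matches at least one of n enrolled
    templates, given the per-comparison false match rate. Verification performs
    one comparison (n=1); identification performs one per enrolled person."""
    return 1 - (1 - single_fmr) ** n_enrolled


if __name__ == "__main__":
    print("verify Alice as alice:", verify(ALICE_PROBE, TEMPLATES["alice"]))
    print("verify Alice as bob:  ", verify(ALICE_PROBE, TEMPLATES["bob"]))
    print("identify Alice:       ", identify(ALICE_PROBE, TEMPLATES))
    print("identify stranger:    ", identify(STRANGER_PROBE, TEMPLATES))
    for n in (1, 1_000, 10_000):
        print(f"impostor match chance at FMR=0.1%, {n} enrolled:",
              round(system_false_match_rate(0.001, n), 4))
```

The last loop is the risk point behind the article's remark: with a per-comparison false match rate of 0.1%, a one-to-many search over 1,000 enrolled templates already gives an impostor a roughly 63% chance of matching someone, whereas one-to-one verification stays at 0.1%.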

What to do when planning a biometric initiative?

1. Identifying an appropriate purpose

Organizations must only process biometric information where circumstances provide an appropriate purpose and where consent has been obtained. In assessing appropriateness, the OPC uses a multi-part test:

  • Legitimate need: Organizations must establish a reason to use biometric information that is clearly articulated and connected to the pursuit of a business interest.
  • Effectiveness: Organizations must determine whether the biometric initiative is effective and reliable, and establish if there is a clear plan to measure it.
  • Minimal intrusiveness: Organizations must demonstrate that there are no less intrusive means of achieving the purpose that do not involve the collection, use, or disclosure of biometric information.
  • Proportionality: Organizations must establish that the gain in effectiveness, cost, or operational benefits is proportional to the increased level of intrusion over a non-biometric alternative.

The OPC's Guidance stresses that organizations should not use biometrics: (1) if the purpose falls within an identified no-go zone (for example, causes significant harm or involves profiling); (2) if there is uncertainty as to whether the purpose would be appropriate in the circumstances; and (3) if the organization is unable to explain how its processing of biometric information meets the aforementioned test.

⚜ Québec requirements

A similar, but more stringent test is used in Québec when assessing the level of privacy risk that arises from the processing of biometric information. As highlighted in the CAI's guide, the Québec Privacy Act provides that the collection of personal information must be for a serious and legitimate reason, and be limited to only the information necessary for such purpose. It is important to note that the CAI has repeatedly affirmed that this necessity requirement cannot be circumvented, even where the individual concerned has consented to the collection and use of their biometric information.

To assess compliance with these obligations, the CAI applies a two-pronged test that requires organizations to demonstrate that the collection of personal information meets the following criteria:

  1. Legitimate, important and real objective – Organizations must establish that the objective pursued by the collection is legitimate, important and real.
  2. Proportionality – Organizations must establish that the invasion of privacy resulting from the collection is proportionate to the objective pursued, which in turn means demonstrating that
    • the collection is rationally connected to the stated objective;
    • the invasion of privacy is minimized; and
    • the collection is clearly more useful to the organization than harmful to the individuals concerned.

Interestingly, the OPC's criteria allow for more flexibility than the CAI's, which establishes a legal framework that significantly complicates the implementation of biometric initiatives by simultaneously mandating that organizations demonstrate necessity (as opposed to demonstrating effectiveness) and offer an alternative (which is not mandated by the OPC). This dual requirement creates a paradox for Québec organizations: they must prove that there are no other less intrusive means of achieving the purpose, while at the same time being able to offer a non-biometric option.

2. Obtaining consent

Once an appropriate purpose has been identified, organizations must obtain meaningful and valid consent for processing biometric information. Consent is a foundational element of Canadian privacy laws, and is required for the collection, use, and disclosure of personal information, including biometric information, subject to limited exceptions. While implied consent may be obtained in certain contexts, express consent must typically be sought.

In addition, under PIPEDA, organizations can only require consent as a condition of service when the processing of personal information is integral to the provision of that product or service; for instance, where an airport security program requires fingerprint scans to verify travellers before granting expedited passage. Otherwise, alternative options must be provided. A biometric initiative that is justified merely on the basis of being more convenient than alternatives is unlikely to satisfy this requirement.

⚜ Québec requirements

This requirement is quite similar in Québec, where the Québec IT Act requires organizations to obtain express consent before using biometrics and, according to the CAI's guide, a valid consent also presupposes that a non-biometric alternative be offered. Usefulness or convenience is not a justification.

3. Data minimization

Organizations must limit the collection, use, disclosure, and retention of personal information to that which is necessary for achieving their stated purpose. To that effect, both the OPC's Guidance and the CAI's guide highlight the requirement for organizations to only collect and use the minimum number of biometric characteristics needed to prove or verify a person's identity.

This means favouring verification (one-to-one matching) over identification (one-to-many matching) to reduce data needs, limiting the technical capabilities of the system to minimize overcollection and ensuring not to extract secondary information (such as health and ethnicity) without an individual's consent. Organizations should also seek to keep the biometric template as much in the individual's control as possible — as is the case with Apple's Face ID — to avoid the creation of centralized databases which are vulnerable to a wider privacy impact in the event of a breach.

Finally, organizations must limit the retention of such information to that which is necessary to fulfill the stated purpose, after which it must be destroyed. To do so, organizations should not disclose biometric information to third parties unless required, and should ensure that their data is not linked across different systems.

4. Implementing safeguards

Biometric technology is often used as a safeguard in and of itself (that is, the biometric identifier is the access key) and is, therefore, vulnerable to potential attacks.

As such, organizations must use physical, organizational, and technological measures to safeguard against the different ways in which a breach could occur, and report such a breach immediately to the OPC and the individuals concerned. For instance, organizations should use biometric systems that are privacy-protective by design, control and monitor system access, and conduct testing and vulnerability assessments.

⚜ Québec requirements

The CAI guide goes one step further by focusing on the data's format (for example, giving preference to systems that irreversibly convert images or prints into code), the storage medium (such as a decentralized database), and the server's location (for instance, a local server with exclusive control).

5. Accuracy

Given the fact that biometric systems are often used to make decisions about individuals, and that false positives and negatives can have significant consequences, organizations must ensure that personal information is accurate, complete, and up to date.

To do so, the OPC's Guidance stresses that organizations must choose a technology with suitable accuracy rates and minimize performance discrepancies across socio-demographic groups – for instance, by conducting thorough vendor due diligence. Additionally, organizations should test a system's accuracy on operationally relevant data before deploying an initiative, monitor the system's accuracy consistently, and develop a procedure for handling false matches.

⚜ Québec requirements

While the OPC's Guidance stresses the importance of ensuring that biometric systems meet relevant accuracy standards, the CAI's guide directs its attention to rights of access and rectification with regard to accuracy, placing that responsibility on individuals.

6. Accountability

Since organizations are responsible for the personal information under their control, including personal information processed by third parties, organizations should implement robust governance policies, provide training, assign responsibility, conduct audits, and implement contractual mechanisms with service providers emphasizing all applicable security measures.

The OPC also recommends incorporating human review where the biometric system could impact individuals' ability to access products and services. Although not prescribed as it is in Québec, the OPC encourages organizations to conduct a PIA to demonstrate compliance with PIPEDA.

⚜ Québec requirements

Organizations operating in Québec must also implement these policies and practices under the Québec Privacy Act, as well as include them in their declaration to the CAI and their PIAs to further demonstrate compliance with the Québec Privacy Act.

7. Openness

Organizations must make their policies and practices governing biometric information readily available to individuals in an understandable form, which includes providing the name, title, and contact information of the person accountable for the initiative.

Organizations should also be transparent about their retention practices, be specific about their use of service providers, and be prepared to provide key details about automated decisions.

⚜ Québec requirements

Although the CAI's guide does not touch upon this requirement, the above-mentioned obligations are also mandated under the Québec Privacy Act.

Key takeaways

The Guidance addresses key considerations for organizations when planning and implementing biometrics initiatives:

A. Before collecting biometric information

  1. Identify the appropriate purpose;
  2. No requirement to conduct a PIA at the beginning of the initiative, although recommended by the OPC and mandated in Québec;
  3. No reporting/notification requirement to disclose the use of biometric systems to the regulator (in contrast with Québec's requirements).

B. When collecting biometric information

  1. Limit collection of biometric information to what is necessary;
  2. Obtain express consent, as a general rule.

C. After collecting biometric information

  1. Limit use, disclosure, and retention of biometric information to what is necessary;
  2. Implement security safeguards;
  3. Ensure the accuracy of the system and of the information;
  4. Be accountable and open.

In all, to mitigate legal risks, organizations should consider establishing guidelines for the use of biometric systems providing for the above obligations and other applicable principles governing the protection of biometric information.

Although not mandatory, organizations should also consider conducting a PIA prior to deploying a biometric system. This will help identify legal risks, as well as controls that should be implemented to mitigate these risks. Such controls may include reducing the amount of information being collected, providing a more prominent notice to individuals concerned, encrypting data in transit and at rest, or limiting the retention period, for instance. In this sense, a PIA is an organization's roadmap for implementing a privacy-protective solution and can help demonstrate to privacy regulators that the organization has done its homework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
