On August 11, 2025, the Office of the Privacy Commissioner of Canada (OPC) published guidance (Guidance) for private-sector organizations on their privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) when handling biometric information. The guidance stems from a consultation process on a draft version of the guidance launched by the OPC on October 11, 2023.
What Is Biometric Information?
As technological security risks evolve and computer processing power reaches new heights, biometric technologies promise unique solutions to a range of identity and verification problems. The Guidance describes “biometrics” as “the quantification of human characteristics into measurable terms,” including physiological biometrics or biological characteristics such as fingerprints and DNA, and even behavioural biometrics (distinctive characteristics of individuals’ movements or gestures, such as keystroke patterns or voice).
Biometric systems work by extracting biometric characteristics from biometric samples (such as a photograph or scan of an individual’s face, or a recording of their voice) and converting the extracted data into a format (often a biometric template) that can be analyzed and used for a specific purpose. The Guidance clarifies that, for its purposes, only the extracted data is considered biometric information. The underlying biometric samples (e.g., the photo used to generate a biometric template) are not considered biometric information.
How Is Biometric Data Used?
A common use of biometric technology is biometric recognition, which involves comparing a template from one biometric sample (often called a “probe” template) with one or more templates extracted from other biometric samples. If one unique individual is found when comparing the probe template with another template, that individual can be “verified” by biometrics. If a probe template is compared with multiple other templates to determine whether that probe template corresponds with any of the multiple other templates, an individual can be “identified” by biometrics. Biometric technology can also be used to estimate certain personal attributes of individuals (such as their age, gender or degree of fatigue) based on their biometric characteristics. This type of biometric processing is referred to as biometric classification.
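The following is an added example, not code from the OPC Guidance or from this bulletin, showing the difference the Guidance draws between verification (a probe template compared with one claimed template) and identification (a probe compared against every enrolled template). The templates are constructed toy feature vectors, the cosine-distance measure and the `THRESHOLD` value are assumptions chosen for that toy data, and no real biometric format is implied.

```python
"""Verification (1:1) versus identification (1:N) over biometric templates.

Added illustration; templates are constructed toy feature vectors, not real
biometric data, and the distance measure and threshold are assumptions.
"""
import math
from typing import Dict, Optional, Sequence

# Constructed enrolled templates: user id -> feature vector (toy data).
ENROLLED: Dict[str, Sequence[float]] = {
    "alice": [0.9, 0.1, 0.3, 0.7],
    "bob":   [0.2, 0.8, 0.6, 0.1],
    "carol": [0.5, 0.5, 0.9, 0.2],
}

# Decision threshold on cosine distance (assumed value tuned to the toy data).
# In a real deployment this is set from measured false-match / false-non-match
# rates, which the Guidance asks organizations to evaluate before launch.
THRESHOLD = 0.05


def cosine_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """1 - cosine similarity; 0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return 1.0 - dot / (na * nb)


def verify(probe: Sequence[float], claimed_id: str,
           enrolled: Dict[str, Sequence[float]] = ENROLLED,
           threshold: float = THRESHOLD) -> bool:
    """1:1 match: the probe is compared only with the claimed identity's template.

    Only one reference template is needed, so it can be held by the individual
    (e.g. on a card or device) rather than in a central database.
    """
    reference = enrolled.get(claimed_id)
    if reference is None:
        return False
    return cosine_distance(probe, reference) <= threshold


def identify(probe: Sequence[float],
             enrolled: Dict[str, Sequence[float]] = ENROLLED,
             threshold: float = THRESHOLD) -> Optional[str]:
    """1:N match: the probe is compared with every enrolled template.

    Returns the closest identity if it is within the threshold, else None.
    This necessarily requires access to the whole template collection.
    """
    best_id, best_distance = None, float("inf")
    for user_id, reference in enrolled.items():
        distance = cosine_distance(probe, reference)
        if distance < best_distance:
            best_id, best_distance = user_id, distance
    return best_id if best_distance <= threshold else None


# Constructed probes: one is a slightly noisy fresh sample of "alice",
# the other does not correspond to anyone enrolled.
PROBE_ALICE = [0.88, 0.12, 0.32, 0.68]
PROBE_UNKNOWN = [0.1, 0.1, 0.1, 0.9]

if __name__ == "__main__":
    print("verify as alice:", verify(PROBE_ALICE, "alice"))      # True
    print("verify as bob:  ", verify(PROBE_ALICE, "bob"))        # False
    print("identify:       ", identify(PROBE_ALICE))             # alice
    print("identify unknown:", identify(PROBE_UNKNOWN))          # None
```

The two functions make the Guidance's preference concrete: `verify` touches a single template, whereas `identify` must read every enrolled template, which is why the one-to-many design implies a centralized template store and the larger exposure that goes with it.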
Is Biometric Data Sensitive Personal Information?
The Guidance states that biometric information that can uniquely identify an individual is considered sensitive information in all circumstances (including if it is only used or retained for a very brief period of time), but biometric information that is not capable of uniquely identifying an individual (such as eye colour) may or may not be sensitive, depending on the circumstances. In general, biometric information will be considered to be sensitive if: (1) it is, or could readily be, combined with other information that would allow it to uniquely identify an individual, (2) its misuse could pose a high risk of harm to individuals, or (3) it could reveal other categories of information that are considered sensitive.
Overview of Guidance
Drawing on previous OPC investigation reports of findings, the Guidance sets out helpful dos and don’ts for working with biometric information in the private sector and is structured around the ten principles set out in Schedule 1 to PIPEDA:
- Determine if the use of biometrics is for an appropriate purpose. The Guidance makes clear that businesses must not use biometrics if uncertain about whether it would be appropriate in the circumstances. If an organization cannot explain how processing meets the following criteria, the particular biometric initiative under consideration should not be implemented:
- Legitimate need – Organizations must demonstrate that the biometric program is necessary to meet a specific and legitimate need. Personal information must not be collected for a speculative or prospective purpose to be determined at a later date.
- Effectiveness – The program in place must be designed effectively to achieve its intended purpose. Organizations should consider any scientific or technical validity of the program, its accuracy and error rates, and any risk that the technology could be circumvented or compromised.
- Minimal intrusiveness – Organizations must assess whether there are less intrusive alternatives to achieving the same goal and whether there are steps that can be taken to reduce privacy intrusion, either by using a less sensitive biometric or limiting the role of biometrics in the program.
- Proportionality – Organizations should consider whether the biometric plan’s impact on privacy is proportional to the benefits gained.
- Obtain consent to process biometric information. Organizations must always obtain meaningful consent for the collection, use or disclosure of biometric information. While the Guidance suggests that the form of consent obtained could be implied in some instances, it is important to stress that in most cases, the form of this consent must be express because biometric information is likely to be considered sensitive information by the OPC. Further, the processing of biometrics may only be a condition of service under very specific conditions, and if biometric technology is used in a non-essential manner, organizations must provide alternatives to its collection. The Guidance also helpfully reminds organizations to be mindful when collecting biometric information from third parties (such as service providers or partners) and to ensure the disclosing party has established their legal authority to disclose. Organizations operating in Canada should also be aware that while an individual’s biometric information may be observable in public, the available exemptions from consent requirements under PIPEDA are quite limited.
- Limit the collection of biometric information. Organizations must limit the collection of personal information to what is necessary to achieve the purpose of collection. Organizations must use the minimum number of biometric characteristics required and should limit technical capabilities to those required to fulfil their specific purposes. The Guidance also suggests that organizations should prefer biometric systems that verify individuals (a one-to-one match) over those that identify an individual (a one-to-many match), both to limit the collection of biometric information and to keep the biometric template under the individual’s control, avoiding large, centralized databases of templates (which, on their own, create unique security risks).
- Limit use, disclosure and retention of biometric information. Barring a few exceptions, biometric information must only be used for the purpose for which it was collected. Organizations must not analyze biometric information to extract secondary information (e.g., characteristics) without consent and must only retain biometric information as long as necessary to fulfill the stated goal. Once the information is no longer needed, biometric information must be permanently destroyed from all locations, devices, cloud storages and back-ups. To achieve this, the Guidance recommends implementing processes to ensure biometric data is not disclosed to third parties and that systems do not link biometrics across different implementations of the system or to other personal information, such as an employee profile or user account.
- Securely safeguard biometric information. Organizations are required to protect the personal information they hold using security safeguards that are appropriate for the sensitivity of the information. These safeguards must be reviewed and updated regularly. The Guidance suggests several design features to meet this obligation, including “cancellable biometrics,” which distort the data so that it cannot be converted back into the original biometric information, and advanced encryption technologies. The Guidance also expects that organizations that deploy biometric systems will control and monitor system access and routinely conduct vulnerability assessments.
- Ensure biometric information is accurate. Organizations are required to ensure the biometric system meets relevant accuracy standards and to choose biometric systems with error rates that are appropriate and acceptable in the circumstances. This includes minimizing discrepancies in accuracy and effectiveness across socio-demographic groups. The Guidance suggests that organizations test systems before launch and develop procedures to handle false matches.
- Establish biometric system governance and accountability. Organizations are responsible for all personal information under their control, including information processed by third parties. The Guidance makes clear that organizations are permitted to use third parties to administer their biometric program; however, contractual mechanisms must be in place to ensure privacy is protected to the degree required for biometric information. Organizations must also provide employees with proper training, guidance and supervision in relation to the processing of biometric information and should integrate accountability for their use of biometrics into their broader governance structure. Given the sensitivity of biometric information, governance structures for biometric systems should be robust, set conditions for pausing use, incorporate human review, include breach response plans and integrate the ability to audit contractors.
- Establish openness and transparency around use of biometrics. Organizations must be transparent with individuals regarding how they manage personal information. Privacy policies and practices must be readily available to individuals, in an understandable form, and must be provided to individuals before they are enrolled in the biometric system. The specific use of the biometric information and what information is made available to third parties (if any) must be explained. Where possible, organizations should specifically identify the service providers to which any biometric data is transferred. Organizations must provide contact information of the person accountable for the organization’s privacy policies and to whom inquiries or complaints can be made.
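To illustrate the “cancellable biometrics” design feature mentioned under the safeguarding principle, the following added example (not code from the OPC Guidance, this bulletin, or any product) implements a simplified biohashing-style transform: the raw feature vector is projected onto random directions derived from a per-user key and only the sign bits are stored. If the stored template leaks, the key is rotated and a new, unrelated template is issued, without the individual having to change a biometric they cannot change. The feature vectors, the key strings, `BITS` and `THRESHOLD` are all constructed assumptions for the toy data; a production scheme needs its own irreversibility and unlinkability analysis, which this simplification does not provide.

```python
"""Cancellable (revocable) biometric templates via a keyed random projection.

Added illustration of the revocability property only. Feature vectors, keys
and thresholds are constructed toy values, not a vetted production scheme.
"""
import hashlib
import random
from typing import Dict, List, Sequence

BITS = 128        # length of the protected template in bits (assumed)
THRESHOLD = 16    # max Hamming distance accepted as a match (assumed, toy data)


def _projection(key: bytes, dim: int, bits: int = BITS) -> List[List[float]]:
    """Derive `bits` Gaussian random directions deterministically from the key.

    The key is hashed to seed the generator, so the same key always yields the
    same directions and a different key yields statistically unrelated ones.
    """
    seed = int.from_bytes(hashlib.sha256(b"projection|" + key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]


def protect(features: Sequence[float], key: bytes) -> List[int]:
    """Return the cancellable template: sign bits of the keyed projection.

    Only these bits are stored; the raw feature vector is discarded after
    enrolment, in line with limiting retention of biometric information.
    """
    rows = _projection(key, len(features))
    return [1 if sum(r * f for r, f in zip(row, features)) > 0 else 0
            for row in rows]


def hamming(a: Sequence[int], b: Sequence[int]) -> int:
    """Number of differing bit positions between two protected templates."""
    return sum(x != y for x, y in zip(a, b))


def matches(probe_features: Sequence[float], stored: Sequence[int],
            key: bytes, threshold: int = THRESHOLD) -> bool:
    """Protect the fresh probe with the same key and compare in the protected domain."""
    return hamming(protect(probe_features, key), stored) <= threshold


# Constructed toy templates.
ALICE = [0.9, 0.1, 0.3, 0.7]
ALICE_PROBE = [0.88, 0.12, 0.32, 0.68]   # fresh, slightly noisy sample of alice
BOB = [0.2, 0.8, 0.6, 0.1]               # a different person

# Placeholder keys: in practice generate randomly per user and store them
# separately from the protected templates.
KEY_V1 = b"placeholder-per-user-key-v1"
KEY_V2 = b"placeholder-per-user-key-v2"


def demo() -> Dict[str, bool]:
    """Enrol alice, then show genuine match, impostor rejection and revocation."""
    stored_v1 = protect(ALICE, KEY_V1)          # what the system keeps
    results = {
        # same person, fresh sample, same key -> accepted
        "genuine": matches(ALICE_PROBE, stored_v1, KEY_V1),
        # different person, same key -> rejected
        "impostor": matches(BOB, stored_v1, KEY_V1),
        # template leaked: key rotated, old template no longer matches anyone
        "revoked": matches(ALICE_PROBE, stored_v1, KEY_V2),
        # re-enrol under the new key -> alice matches again
        "reissued": matches(ALICE_PROBE, protect(ALICE, KEY_V2), KEY_V2),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>8}: {outcome}")
```

The point the Guidance makes is visible in `demo()`: the stored artefact is key-dependent, so compromise is handled by issuing a new key and template (`revoked` is False, `reissued` is True) rather than by treating the individual's underlying biometric as permanently burned.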
Previous Developments in Quebec
In Quebec, the collection and use of biometric information to verify or confirm identity is strictly regulated by Quebec’s Act to establish a legal framework for technology (Quebec IT Act) in addition to applicable privacy laws. The Quebec IT Act requires that organizations obtain an individual’s express consent to use their biometric information and that the use of biometric information be limited to what is necessary in the context of verifying or confirming their identity. The Quebec IT Act also states that biometric information cannot be used for any other purpose and must be destroyed as soon as the purpose of verification or confirmation of identity has been met or the reason for the verification or confirmation no longer exists. Further, organizations that collect biometric information to confirm or verify identity are required to notify the Commission d’accès à l’information du Québec (CAI), and the notice must be made at least 60 days in advance if a database of biometric characteristics will be created.
The CAI has published guidance (available in French only) on these requirements, which generally aligns with the guidance issued by the OPC. The CAI’s guidance emphasizes the importance of obtaining the consent of the individual concerned and stresses that individuals must be free to refuse to have their biometric information collected. The use of biometric systems has also been the subject of two recent CAI decisions (see, e.g., Commission d’accès à l’information du Québec – Metro Inc.), highlighting an increase in regulatory scrutiny regarding the use of biometrics, particularly in respect of the necessity and proportionality of these more privacy-invasive tools.
For further information please contact the authors or any member of our Privacy & Data Protection group.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
© 2025 Blake, Cassels & Graydon LLP