On August 11, 2025, the Office of the Privacy Commissioner of Canada ("OPC") issued two sets of guidance for processing of individual's biometric data: one for federal institutions and one for private businesses. Below we examine some of the requirements (and corresponding implications) of the business guidance and its effects on the use of biometric data in Canada.
Biometric technologies—such as fingerprint, facial recognition, and voice identification—are increasingly used by organizations to streamline access to goods and services and address security risks. While biometrics offer convenience and enhanced security, they also raise significant privacy concerns. Biometric data is unique, often immutable, and closely tied to an individual’s identity. If compromised, it can lead to identity theft, fraud, surveillance, and the exposure of sensitive personal information, including health, ethnicity, and other personal traits.
Types and Uses of Biometric Technologies
The guidance identifies two primary “categories” of biometric technologies:
- Physiological Biometrics: Data based on stable physical traits (e.g., fingerprints, iris patterns, facial geometry, DNA).
- Behavioral Biometrics: Data based on patterns of behavior (e.g., keystroke dynamics, gait, voice).
Certain identified biometric systems process raw data samples (like photos or voice recordings that do not inherently relate to “biometrics” as they cannot be correlated, independently, with any individual person) to extract features and create biometric templates for analysis, in which this information is paired with an individual and so can (or oftentimes is) used to identify that individual. These systems can be used for a variety of purposes, including:
- Recognition: Matching a biometric sample to one (verification) or many (identification) stored templates to confirm identity.
- Classification: Predicting attributes (e.g., age, gender, fatigue) from biometric data, which may not directly identify but can still be sensitive.
Sensitivity of Biometric Information
Biometric information is generally considered sensitive under relevant data privacy laws, such as Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and--in turn--given extra protections (or, as limitations on processing). Even brief or transient use of biometric data can be sensitive, and organizations should treat such data with heightened care.
Key Privacy Principles and Guidance
1. Identifying an Appropriate Purpose
Organizations must clearly define and justify the purpose for collecting biometric data. The purpose must be legitimate, effective, minimally intrusive, and proportional to the privacy impact. Uses that are unfair, unethical, or discriminatory are inappropriate. The OPC has found some uses, such as mass surveillance or unnecessary fingerprinting, to be unjustified.
2. Consent
Valid, meaningful, and express consent is required for the collection, use, and disclosure of biometric data, especially when sensitive. Individuals must be clearly informed about what data is collected, why, who it is shared with, and potential risks. Consent must be renewed if the scope of use changes. If biometrics are not essential for service, alternatives must be provided. Publicly observable biometric data is not exempt from consent requirements.
3. Limiting Collection
Organizations should collect only the minimum biometric data necessary for the stated purpose. Prefer verification (one-to-one) over identification (one-to-many) where possible. Where feasible, store biometric templates under the individual’s control (e.g., on their device) rather than in centralized databases. Limit the technical capabilities of biometric systems to prevent unnecessary data collection.
4. Limiting Use, Disclosure, and Retention
Biometric data must only be used for the original purpose and retained only as long as necessary. Secondary information (e.g., health, ethnicity) should not be extracted or analyzed without consent. Data should be deleted upon request, subject to legal requirements, and sharing with third parties should be minimized and authorized.
5. Safeguards
Strong physical, organizational, and technical security measures must be implemented to protect biometric data. Privacy-protective system designs (e.g., cancellable biometrics, encryption) are recommended. Access to biometric data should be restricted to those who need it, and security measures should be regularly tested and updated. Breaches involving biometric data must be reported to the OPC and affected individuals if there is a real risk of significant harm.
6. Accuracy
Organizations must choose biometric technologies with suitable accuracy rates, especially where errors could have significant consequences. Systems should be tested for accuracy and bias, particularly across different demographic groups, and monitored regularly. Procedures should be in place to address false matches and provide alternatives.
7. Accountability and Openness
Organizations are responsible for complying with all privacy principles, appointing a privacy officer, and ensuring third-party service providers meet privacy standards. Employees handling biometric data must be trained, and robust governance, audit, and breach response mechanisms should be in place. Organizations must be transparent about their biometric data practices, including types of data collected, uses, retention, and third-party sharing. Privacy policies and contact information for responsible individuals must be easily accessible.
Conclusion
Private business, operating in compliance with PIPEDA requirements, must handle biometric information with heightened care, ensuring that its collection and use are justified, limited, secure, and transparent. The OPC guidance emphasizes strong privacy protections, meaningful consent, and ongoing accountability to protect individuals’ rights in the context of biometric technologies.
With the promise of biometrics . . . come serious concerns about privacy. Biometric information is intimately linked to an individual’s body and is often unique, unlikely to vary significantly over time, and difficult to change in its underlying features
www.priv.gc.ca/...
