Biometric data, such as fingerprints, facial scans or voiceprints, are a common reality in retail, banking, travel, workplace security and online authentication. But unlike passwords or other personal information that can be changed, biometrics are uniquely personal and nearly irrevocable. That permanence raises significant privacy and ethical concerns.

In August 2025, the Office of the Privacy Commissioner of Canada (“OPC”) released new guidance clarifying how businesses under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) must handle biometric information.

This article distils the guidance into practical terms, contrasts Canada’s approach internationally, and outlines what Canadian businesses should do now to ensure legal compliance and protect public trust.

What the OPC guidance says about biometrics

The OPC’s position begins with a simple proposition: all biometric data, whether raw images or derived templates, is “sensitive personal information.” Because such data is inherently unique and largely permanent, its handling demands higher-than-average scrutiny.

The OPC has provided guidance on the following topics:

1. Identifying an appropriate purpose:

The OPC requires organizations to clearly document the rationale for using biometrics, ensuring the purpose is specific, necessary, minimally intrusive, and proportionate to the privacy impact. Vague goals such as “improving security” are not sufficient.

In addition, if a less intrusive alternative to the proposed collection can reasonably achieve the same aim, that option should be selected. The OPC places the burden on organizations to justify why biometrics are necessary and proportionate compared to alternatives, and cautions against expanding a biometric system’s use beyond the original purpose.

2. Consent:

Under PIPEDA, consent must be informed (meaning the individual understands the nature, purpose and consequences of the collection), and voluntary. The appropriate form of consent should also be considered; if sensitive information is involved, express consent should be sought as opposed to relying on implied consent. Individuals should be told precisely what biometric information will be collected, why, for how long, where it will be stored, who will have access to the information, how they can withdraw consent or challenge its use, and any meaningful risks of significant harm. If the scope of the collection or use of the biometric data changes, new consent must be sought. Alternate systems should also be offered for non-integral collections, uses, or disclosures to allow those who do not wish to use the biometric system to still participate.

3. Limiting collection, use, disclosure and retention:

Data minimisation applies both to collection and retention. The OPC recommends favouring verification systems over identification systems, and on-device storage over centralised databases, to limit the amount of information collected and the risk of a large-scale privacy breach. Only the information required for the intended purposes should be collected; secondary information must not be collected unless it is necessary.

Similarly, retention periods must be limited to what the purpose demands, with secure, irreversible deletion (including from backups) once that period ends. If other personal information is linked to the biometric data, consider whether the biometric data needs to be retained for a shorter period of time than the linked personal information.

4. Safeguards:

Organizations must use up-to-date physical, organizational and technical measures to protect against potential breaches. Any breach involving biometric information has a high likelihood of creating a real risk of significant harm and therefore should be reported to the OPC.

5. Accuracy:

Organizations should measure and monitor false match and false non-match rates under their own deployment conditions, and track any demographic bias in system performance. Where outcomes have material consequences, such as denial of access or financial services, human review and appeal channels should be built in. Testing before a new biometric system is launched, and consistent monitoring of systems already in production, are needed to ensure the accuracy and consistency of those systems.
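As an added illustration (not part of the OPC guidance or this article), the following Python computes per-group false match and false non-match rates from a constructed, labelled set of verification attempts and flags any group whose error rate diverges from the best-performing group. The decision threshold, the 2x disparity ratio and the sample records are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    genuine: bool   # True if the claimant really is the enrolled person
    score: float    # matcher similarity score, higher = more alike
    group: str      # self-reported demographic label, used only for bias monitoring


# Constructed sample records; real evaluations need far larger sets per group.
ATTEMPTS = [
    Attempt(True, 0.91, "A"), Attempt(True, 0.88, "A"), Attempt(True, 0.62, "A"),
    Attempt(True, 0.95, "A"), Attempt(False, 0.41, "A"), Attempt(False, 0.83, "A"),
    Attempt(False, 0.30, "A"), Attempt(False, 0.55, "A"),
    Attempt(True, 0.71, "B"), Attempt(True, 0.60, "B"), Attempt(True, 0.58, "B"),
    Attempt(True, 0.63, "B"), Attempt(False, 0.22, "B"), Attempt(False, 0.47, "B"),
    Attempt(False, 0.38, "B"), Attempt(False, 0.70, "B"),
]


def error_rates(attempts, threshold):
    """Per-group FMR (impostors accepted) and FNMR (genuine users rejected)."""
    counts = defaultdict(lambda: {"gen": 0, "fnm": 0, "imp": 0, "fm": 0})
    for a in attempts:
        c = counts[a.group]
        accepted = a.score >= threshold
        if a.genuine:
            c["gen"] += 1
            c["fnm"] += int(not accepted)   # false non-match
        else:
            c["imp"] += 1
            c["fm"] += int(accepted)        # false match
    return {g: {"FMR": c["fm"] / c["imp"] if c["imp"] else 0.0,
                "FNMR": c["fnm"] / c["gen"] if c["gen"] else 0.0}
            for g, c in counts.items()}


def disparity_flags(rates, max_ratio=2.0):
    """Groups whose FMR or FNMR exceeds max_ratio times the best group's rate."""
    flags = {}
    for metric in ("FMR", "FNMR"):
        best = min(r[metric] for r in rates.values())
        # A zero baseline means any non-zero rate in another group is flagged.
        for g, r in rates.items():
            if r[metric] > max_ratio * best:
                flags.setdefault(g, []).append(metric)
    return flags


if __name__ == "__main__":
    for t in (0.65, 0.55):   # lowering the threshold trades FNMR for FMR
        rates = error_rates(ATTEMPTS, t)
        print(t, rates, disparity_flags(rates))
```

Running the two thresholds side by side shows the trade-off the guidance points at: the lower threshold removes the false non-matches for both groups but doubles group A's false match rate.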

6. Accountability:

Under PIPEDA, organizations are responsible for all the personal information under their control. In order to properly protect it, organizations should ensure they comply with all the principles under PIPEDA, have an appointed privacy officer, have appropriate policies and procedures in place, and train employees.

Where vendors or service providers are involved in the handling of the information, the OPC reminds businesses that accountability remains with the original collecting organization. Contracts should mandate technical and organizational safeguards, limit use to the agreed purposes, include breach notification obligations, and permit oversight by the organization.

7. Openness:

Organizations should clearly outline to individuals how their personal information will be handled, including by posting a detailed privacy policy, outlining retention and disclosure practices, and providing contact information for the organization’s privacy officer. In cases where biometric systems are used to make automated decisions, organizations should be able to tell individuals what information was used to make the decision and the reasons for the final decision.

How Canada’s approach compares globally

The European Union’s GDPR

Although Canada’s PIPEDA framework is principle-based, the OPC’s guidance treats biometric data as highly sensitive, similar to the treatment of special categories of data under the European Union’s General Data Protection Regulation (“GDPR”). In the EU, biometrics used for uniquely identifying a person fall under Article 9, meaning their processing is prohibited unless specific legal bases are met, such as explicit consent or substantial public interest.

The GDPR goes further than PIPEDA by mandating data protection impact assessments for high-risk processing, including biometrics, and by imposing a strict breach-reporting timeline of 72 hours.

GDPR fines are potentially significant, reaching up to €20,000,000 or 4% of global annual turnover. European data protection authorities continue to enforce the GDPR, including monetary penalties for compliance breaches. While PIPEDA does not currently grant the OPC order-making power to levy fines, Canadian organizations may face regulatory investigation, reputational harm, and potential Federal Court proceedings for non-compliance.

Québec approach

Québec’s private-sector privacy law follows a trajectory similar to that of the GDPR. Québec private-sector organizations must:

  • conduct a privacy impact assessment before deploying biometric systems;
  • notify the Commission d’accès à l’information in advance of setting up a biometric database;
  • obtain express consent and offer an alternative to biometric identification; and
  • adhere to strict rules around retention and destruction of biometric data.

Québec has also introduced significant administrative monetary penalties.

The U.S. contrast

By contrast, the United States lacks a comprehensive federal law on biometric privacy. Regulation is fragmented across states. Illinois’ Biometric Information Privacy Act (“BIPA”) is among the most stringent and requires informed written consent, sets retention and destruction policies, and significantly, allows private lawsuits for statutory damages. Other states, such as Texas and Washington, have enacted similar laws, though without BIPA’s private right of action.

What Canadian businesses should do now

For organizations operating in Canada, compliance begins with recognizing that biometric projects cannot be bolted onto existing operations without deliberate design. Here are four actionable steps for business owners:

1. Determine your purpose:

The starting point is a documented purpose statement that can withstand regulatory scrutiny. Organizations should state:

    • why the biometric data is needed;
    • how it is proportionate to the risk it addresses; and
    • why no less intrusive alternative suffices.

Consider the difference between a compliant and a non-compliant approach:

  • A compliant example might be a financial institution introducing palm-vein authentication for high-value transactions after determining that this method materially reduces fraud compared to existing controls, offering customers an alternative PIN option, and retaining the template only for the life of the account.
  • A non-compliant example would be a retail chain installing facial recognition cameras in all stores “for general security,” without assessing necessity, failing to notify customers, storing raw images indefinitely, and later using the database for targeted marketing.

2. Review your consent procedures:

Consent processes should be revisited in light of the OPC’s emphasis on clarity and voluntariness. That means presenting individuals with straightforward explanations of what will happen with their biometric information, ensuring they have a genuine choice, and accommodating those who decline by offering non-biometric alternatives. For instance, a compliant employer deploying fingerprint-based time clocks might allow employees to instead use a key card, without penalty.

3. Design for protection:

On the technical side, systems should be architected for minimisation. Where possible, use one-to-one verification rather than identification systems, and store only encrypted templates locally on the user’s device. Incorporate regular testing to measure accuracy and check for demographic biases in system performance. Security controls should be multi-layered, combining encryption, strong authentication, detailed audit logging, and physical safeguards. As the organization is responsible for all biometric data under its control, vendor contracts should be tightened to reflect PIPEDA’s requirements, with clear clauses on permitted uses, data localisation or transfer, breach notification, and post-termination deletion.

4. Plan for the worst:

Organizations should treat any breach involving biometric data as serious, with pre-established steps for containment, communication, and regulatory engagement. Training staff, running breach simulations, and periodically reviewing governance documents will help ensure readiness. A company that has rehearsed a biometric breach response – revoking templates, suspending affected services, notifying the OPC – will be in a far stronger position than one scrambling to act after the fact.

Key takeaways for businesses

  • Biometric data is treated as sensitive personal information under PIPEDA and requires heightened safeguards.
  • Consent must be express, informed, and voluntary, with non-biometric alternatives offered.
  • Minimize collection and retention: prefer on-device storage and verification systems.
  • Vendor contracts must reflect accountability under PIPEDA, with clear safeguards and breach obligations.
  • Breaches of biometric data are high-risk and must be treated as serious reportable incidents.

Conclusion

The OPC’s guidance aligns with how biometric data is treated in other jurisdictions, emphasizing that such data is highly sensitive and, if mishandled, can expose individuals to fraud, identity theft and other harms. For businesses, the keys to compliance are as follows: use biometric data only when truly necessary and collect the minimal amount of personal information required. Customers must provide clear, informed consent, and the organization’s privacy policy should transparently outline the collection, use, disclosure, security measures, and retention of biometric data. Failure by organizations to incorporate the above steps in their business practices may expose them to both reputational damage and regulatory scrutiny.

Our Privacy & Cybersecurity team can help review your biometric initiatives, update consent and governance processes, and ensure compliance with the OPC’s guidance under PIPEDA.