20 August 2025

The OPC's Biometric Guidance: What Canadian Businesses Need To Know

McMillan LLP


On August 11, 2025, the Office of the Privacy Commissioner of Canada ("OPC") released its highly anticipated guidance for processing biometrics, both for federal institutions and businesses in the private sector.1 This guidance comes as more organizations are turning to biometric technologies, such as facial recognition and fingerprint scanning, for identity verification and other purposes.

This bulletin focuses on the biometric guidance for businesses (the "Biometric Guidance"), which applies to private sector organizations subject to Canada's federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). The Biometric Guidance follows the OPC's 2023 public consultation on its Draft Guidance for processing biometrics – for organizations. Compared with the draft, the final Biometric Guidance clarifies terminology, outlines the scope of what constitutes sensitive biometric information, and refines the requirements and best practices for private sector organizations.

Overview of Biometric Terminology

The Biometric Guidance clarifies various terms used relating to biometrics and biometric information. Here is an overview of key terms:

  • Biometrics refers to the quantification of human characteristics, such as fingerprints, facial images, iris scans, or behavioural patterns such as keystroke dynamics, into measurable form.
  • Biometric technologies refer to technologies that allow for the capturing and analysis of an individual's biometric characteristics. The OPC refers to two main types of biometric technologies, in particular those that capture and analyze (i) physiological biometrics involving the shape or structure of a person's body, or their biological characteristics that are generally stable over time (for example, iris pattern, or DNA), and (ii) behavioural biometrics involving distinctive characteristics of an individual's movement, gesture, or motor skills (for example, eye movement or keystroke patterns).
  • Biometric samples refer to raw and unprocessed biometric data, such as an image of a person's face, a fingerprint image, a voice recording, or a DNA sample (a sample presented to a system for comparison is also called a "probe"). Biometric samples contain personal information that can be processed and turned into biometric information using a biometric system.
  • Biometric information refers to information about biometric characteristics derived from a biometric sample (this information is generally considered personal information). Biometric information generally refers to the template, not the raw biometric sample, though both may require protection due to sensitivity.
  • Biometric templates refer to the digital representations created when a biometric sample is input into a biometric system and analyzed. Typically, organizations use specialized software to extract, analyze, and compare biometric templates.

Biometric Recognition Technology

Biometric technologies are often used for identity verification or recognition purposes. An organization is said to "identify" an individual when it takes an individual's biometric sample and compares it against multiple biometric templates to assess whether any of them match (commonly called "one-to-many" or 1:N matching). On the other hand, an organization is said to "verify" or "authenticate" an individual when it takes an individual's biometric sample and compares it against a single biometric template to determine whether both relate to the same individual (commonly called "one-to-one" or 1:1 matching).

The Biometric Guidance encourages organizations to favour verification processes over identification where possible, as the latter is more privacy intrusive. Notably, the OPC takes the position that PIPEDA applies to the collection of biometric information even if it is collected for milliseconds and deleted immediately thereafter (such as where a person's biometrics are scanned and converted instantly into anonymized demographic information).

Sensitivity of Biometric Information

The OPC notes that biometric information that can uniquely identify an individual is sensitive information. This is particularly the case as a person's biometric information remains stable over time, is intimately linked to an individual, and very difficult to change.

On the other hand, biometric information that cannot uniquely identify an individual may or may not be sensitive, depending on the circumstances. Organizations must assess the nature of such information and the context in which it is processed to determine whether it should be treated as sensitive.

As a general rule, organizations should treat any biometric information as sensitive information when (i) it could be easily combined with other information that would allow an individual to be uniquely identified, (ii) its misuse could pose a high risk of harm to the individuals concerned, or (iii) it would allow other sensitive information to be revealed about a person.

Notable Mandatory Obligations Under PIPEDA

The Biometric Guidance addresses how the principles of PIPEDA apply to biometrics, highlighting several mandatory obligations:

  • Appropriate Purpose: Organizations must collect and use biometric information only where a reasonable person would consider it appropriate, considering sensitivity and context. Consistent with past guidance, the OPC uses a multi-part test to assess appropriateness:
    • Does the organization have a legitimate need for processing biometric information? The OPC states that biometrics should generally not be used solely out of convenience.
    • Would the processing of biometrics be effective at meeting that need? In particular, the OPC calls for organizations to have a clear plan to measure effectiveness, taking into account scientific and technical validity, accuracy and error rates, and security risks.
    • Could the system be designed or deployed in a less intrusive manner at comparable costs and with comparable benefits?
    • Overall, is the use of biometric information proportionate to the level of intrusion?
  • Consent: Organizations must obtain valid consent before collection or use. Given the sensitivity of biometric information, express consent will be required in nearly all cases. If the use of biometrics is not essential or integral to the product or service, an alternative must be offered.
  • Data Minimization: Organizations must limit the collection, use, disclosure, and retention of biometric information to only what is necessary for the stated purpose. For example, organizations should use the minimum number of biometric characteristics (and combinations of characteristics) needed for their purposes. The OPC also recommends distinguishing biometrics from other information in data retention plans, so that it is deleted as soon as it is no longer required.
  • Safeguards: Organizations must apply strong security measures proportionate to the sensitivity of biometric information, including encryption, access controls, and secure storage. Where biometrics are themselves used as a security control (for example, for authentication), organizations should stay up to date on the known weaknesses of different biometric systems (e.g., fingerprint lifting, voice spoofing, deepfakes used to deceive facial recognition systems) and on the countermeasures available, such as liveness or presentation attack detection.
  • Accuracy: Organizations must ensure biometric data is as accurate and up-to-date as necessary; and test systems for accuracy and bias. In particular, organizations must take steps to minimize discrepancies across socio-demographic groups.2
  • Accountability: Organizations must maintain governance policies, assign responsibility, and ensure service providers meet equivalent standards. The OPC recommends incorporating human review where the biometric system could impact individuals' ability to access products and services.
  • Transparency: Organizations must clearly inform individuals of what biometric information is collected, a general account of its use, and to whom it may be disclosed. This information should be provided in a company privacy policy that is readily available to individuals.

Notable Best Practices

The OPC strongly recommends that organizations conduct privacy impact assessments before implementing biometric systems, evaluate less intrusive alternatives, and design solutions to minimize data collection and retention from the outset. The OPC encourages privacy by design, including use of cancellable templates, on-device storage, and encryption, to reduce privacy risks. Organizations should maintain transparency with individuals, provide alternatives where feasible, and monitor systems for accuracy, bias, and misuse. Regular audits, re-evaluation of necessity, and clear incident response plans for biometric data breaches are also recommended.
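To make the one-to-one versus one-to-many distinction, and the "cancellable template" best practice, concrete, here is a small worked example. It is added to this bulletin and is not taken from the OPC guidance or from any vendor's product. It transforms a constructed feature vector into a short binary code using a keyed random projection (a BioHashing-style transform), stores only that code, and then runs 1:1 verification, 1:N identification, and re-enrolment under a new key after a hypothetical breach. The feature vectors, the 0.25 match threshold, the key handling and the 1e-4 per-comparison false match rate are assumptions for illustration; a real deployment takes features from a biometric SDK and sets thresholds from measured error rates.

```python
# Added illustration of cancellable templates, 1:1 verification and 1:N identification.
# Not the OPC's or any vendor's code; feature vectors are constructed synthetically.
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

DIM = 64          # length of the feature vector a biometric SDK is assumed to emit
CODE_BITS = 128   # length of the binary cancellable template that is actually stored
THRESHOLD = 0.25  # max normalised Hamming distance accepted as a match (assumed; tune per system)
NOISE = 0.25      # per-capture sensor noise in the constructed samples


@dataclass(frozen=True)
class Template:
    key_id: str   # identifies the revocable key that produced this code
    bits: int     # CODE_BITS-bit code; the raw sample and feature vector are never stored


def _projection(key: bytes, key_id: str) -> List[List[float]]:
    """Pseudo-random +/-1 projection matrix derived from a secret key (BioHashing-style)."""
    seed = hmac.new(key, key_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return [[rng.choice((-1.0, 1.0)) for _ in range(DIM)] for _ in range(CODE_BITS)]


def make_template(features: List[float], key: bytes, key_id: str) -> Template:
    """Project the features with the keyed matrix and keep only the signs (one bit per row)."""
    bits = 0
    for row in _projection(key, key_id):
        dot = sum(r * f for r, f in zip(row, features))
        bits = (bits << 1) | (1 if dot >= 0 else 0)
    return Template(key_id, bits)


def hamming(a: Template, b: Template) -> float:
    """Normalised Hamming distance: ~0.1 for the same person, ~0.5 for unrelated codes."""
    return bin(a.bits ^ b.bits).count("1") / CODE_BITS


def verify(probe: Template, enrolled: Template) -> bool:
    """One-to-one: compare the probe with the single template of the claimed identity."""
    if probe.key_id != enrolled.key_id:
        raise ValueError("probe must be transformed with the enrolled template's key")
    return hamming(probe, enrolled) <= THRESHOLD


def identify(probe: Template, gallery: Dict[str, Template]) -> Optional[str]:
    """One-to-many: search every enrolled template, return the closest one under threshold."""
    best_id, best_d = None, 1.0
    for user_id, enrolled in gallery.items():
        if enrolled.key_id != probe.key_id:
            raise ValueError("gallery and probe must be transformed with the same key")
        d = hamming(probe, enrolled)
        if d < best_d:
            best_id, best_d = user_id, d
    return best_id if best_d <= THRESHOLD else None


def false_match_probability(fmr: float, gallery_size: int) -> float:
    """Chance an impostor matches at least one of N templates: a 1:N search gives N chances."""
    return 1 - (1 - fmr) ** gallery_size


def capture(person_seed: int, sensor: random.Random) -> List[float]:
    """Constructed sample: a stable per-person vector plus fresh per-capture noise."""
    person = random.Random(person_seed)
    return [person.gauss(0, 1) + sensor.gauss(0, NOISE) for _ in range(DIM)]


def demo() -> dict:
    """Enrolment, 1:1 verification, 1:N identification and revocation on constructed data."""
    sensor = random.Random(2025)
    key_v1, key_v2 = b"gallery-key-v1", b"gallery-key-v2"  # stand-ins for keys held in a KMS/HSM

    # The database keeps only codes produced under key v1; no images or feature vectors.
    gallery = {name: make_template(capture(seed, sensor), key_v1, "v1")
               for name, seed in (("alice", 1), ("bob", 2), ("carol", 3))}
    alice_again = make_template(capture(1, sensor), key_v1, "v1")   # fresh capture of alice
    stranger = make_template(capture(99, sensor), key_v1, "v1")     # person never enrolled

    # Revocation: suppose the stored codes leaked; alice is re-enrolled under key v2.
    alice_v2 = make_template(capture(1, sensor), key_v2, "v2")

    return {
        "verify_genuine": verify(alice_again, gallery["alice"]),                     # True
        "verify_impostor": verify(stranger, gallery["alice"]),                       # False
        "identify_genuine": identify(alice_again, gallery),                          # "alice"
        "identify_stranger": identify(stranger, gallery),                            # None
        "leaked_code_links_to_new": hamming(gallery["alice"], alice_v2) <= THRESHOLD,  # False
        "fmr_1_to_1": false_match_probability(1e-4, 1),                              # 0.0001
        "fmr_1_to_1_000_000": false_match_probability(1e-4, 1_000_000),              # ~1.0
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the code makes that the guidance states only in prose. First, an identification search gives an impostor as many chances to match as there are templates in the gallery, so even a small per-comparison false match rate becomes near-certain at scale (`false_match_probability`); this error amplification, on top of the fact that 1:N search must touch every enrolled person's template, is why verification is the less intrusive design. Second, because the stored code depends on a secret key, a leaked template database can be invalidated by re-enrolling under a new key, and the old and new codes cannot be linked to each other; keeping that key on the individual's device, with the code never leaving it, is the on-device pattern the OPC recommends.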

What About Québec?

Organizations operating in Québec should be aware that Québec's privacy laws impose additional, and often stricter, obligations with respect to the collection and processing of biometric information. For instance, an organization that establishes a database of biometric characteristics or measurements must disclose it in writing to the Commission d'accès à l'information du Québec ("CAI") no later than 60 days before the database is brought into service.

The CAI issued two recent decisions on the use of biometrics, which we covered in our bulletins below:

Conclusion

Private sector organizations considering or using biometric technologies should proceed with diligence and ensure their biometric information collection and processing activities meet both the legal requirements and the OPC's recommended safeguards. By embedding necessity, proportionality, and privacy by design into the development, deployment, and use of biometric systems, organizations can leverage these tools effectively while protecting individuals' rights and maintaining compliance with PIPEDA.

Footnotes

1 Office of the Privacy Commissioner of Canada, Privacy Commissioner of Canada Publishes Guidance on Biometric Technology (news release), 11 August 2025.

2 See for example, Thaddeus L. Johnson & Natasha N. Johnson, Police Facial Recognition Technology Can't Tell Black People Apart: AI-Powered Facial Recognition Will Lead to Increased Racial Profiling, Scientific American (online), 18 May 2023.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025
