On August 11, 2025, the Office of the Privacy Commissioner of Canada (OPC) released its updated guidance on using biometric information (the Guidance). Biometric systems use measurable and unique human characteristics, such as fingerprints or keystroke patterns, to identify or authenticate individuals. These technologies are attractive as a means for authentication as they are considered secure and reduce reliance on passwords.


The OPC’s guidance is provided in two documents: one for private-sector organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), and another for federal institutions subject to the Privacy Act. Both documents are organized around several of PIPEDA’s fair information principles, with increased emphasis on the purpose behind the processing of biometric data and the consent of individuals about whom this data is collected and generated. Where available, they also use previous OPC decisions on biometric information to support these best practices.

What are the requirements outlined in the Guidance?

Treat Biometric Information as Sensitive Personal Information

Biometric information should be treated as sensitive personal information, especially if:

  • It can be combined with other data to uniquely identify an individual.
  • Its misuse could result in significant harm to the individual it was sourced from.
  • It reveals other sensitive categories of information (e.g., medical data from a fitness tracker).

In the Guidance, the OPC states that even short-term use, such as a facial detection system that deletes the data within milliseconds, can involve sensitive biometric information processing and must be treated with care.

Identify a Purpose That Is Proportional and Minimally Intrusive

Prior to collecting biometric information, organizations must establish that the practice will serve an appropriate purpose. The Guidance recommends that appropriateness be evaluated based on the legitimacy of the need, effectiveness, proportionality, and minimal intrusiveness. This includes considering industry norms and the threat landscape.

For example, the telecommunications sector is recognized as operating within a high-risk threat landscape, as service providers are frequent targets of cyberattacks. These companies can act as gateways to other sensitive systems, such as email platforms and banking services, meaning a breach can have cascading effects (e.g., identity theft, reputational harm, and financial fraud resulting from unauthorized disclosure or loss of sensitive personal information). Given these elevated risks, using voice biometric information to verify account holders over the phone is generally considered a justified and proportionate measure in the telecommunications sector.

In comparison, the OPC considers fingerprinting to authenticate individuals for standardized testing disproportionate because the privacy risks outweigh the limited benefits. In the OPC’s view, fingerprints, unlike voice prints, carry a stronger stigma due to their association with criminal procedures, making them more intrusive. The practice also offers minimal added value because less invasive alternatives are already considered effective in preventing impersonation. In this context, the invasion of privacy caused by collecting and retaining fingerprints is neither necessary nor proportional, from the OPC’s perspective.

For federal institutions subject to the Privacy Act, this contextual evaluation is formalized through the mandatory completion of a Privacy Impact Assessment (PIA) for any collection of biometric information. While PIAs are not required for private-sector organizations under PIPEDA, they can still be a valuable tool to help organizations evaluate the appropriateness, necessity, and proportionality of a proposed biometric system.

Obtain Express and Valid Consent

Prior to using a biometric system, express and valid consent from the individuals must be obtained. Valid consent means that reasonable persons would understand what they are consenting to, including the nature and purpose of the collection of their biometric information. To ensure the validity of consent being obtained, organizations should refer to the OPC’s Guidelines for obtaining meaningful consent.

To help inform individuals, a pre-consent disclosure should include, but not be limited to, the following:

  • The type of biometric information collected.
  • The purpose of collection, use, or disclosure.
  • The parties to whom the data will be disclosed.
  • Any residual risks of harm.

If using biometric information is not a condition of service, the organization must offer a reasonable alternative to collecting biometric information. If the scope of the use of the biometric information changes in the future, consent must also be renewed.

Other PIPEDA Principles

The Guidance also applies other principles found in PIPEDA, highlighting their importance when implementing a biometric system:

  • Accountability: Organizations should designate an individual or committee tasked with ensuring PIPEDA compliance in the handling of biometric information. Internal policies should be aligned with privacy requirements and should equip employees with the resources they need to manage biometric information in performing their duties.
  • Limiting Collection: Organizations should only collect biometric information necessary to achieve the specified purpose(s). This includes proper consideration of alternative methods that do not require biometric information.
  • Limiting Use, Disclosure, and Retention: Organizations must only retain biometric information for as long as necessary and not extract secondary information without express and valid consent.
  • Accuracy: Biometric systems should be tested before deployment and continuously monitored to ensure proper performance.
  • Safeguards: Organizations must implement protections proportional to the sensitivity of the biometric information collected. Regular testing and monitoring of system access help protect the information.
  • Openness: Organizations should make their privacy policies transparent and accessible to the public and their employees.

How do these guidelines compare to provincial privacy laws?

Of the three Canadian provinces with private-sector privacy laws deemed substantially similar to federal privacy laws, Quebec is the only province that has enacted legal requirements specifically targeting biometric information.

In 2022, the Commission d’accès à l’information (CAI) published a guidance document (available in French only) outlining how these rules should be interpreted. Under this framework, any project involving biometric information must be shown to be necessary and proportionate. To assess this, organizations must complete a PIA for any system or service that collects or uses biometric information. The PIA helps determine whether the project serves a legitimate and serious interest, addresses a real issue, minimizes privacy risks, and provides benefits that outweigh potential harm to individuals.

Although the CAI’s criteria resemble those outlined by the OPC, Quebec’s enforcement has been notably stricter. In addition to obtaining express consent from individuals, organizations must notify the CAI whenever biometric information is used to identify or authenticate individuals. This is required regardless of whether the data is stored in a database or deleted immediately after authentication.

Upon notification, the CAI can review the project and determine for itself whether it complies with Quebec’s privacy laws. For example, in one case, an organization used facial recognition to control employee access to the workplace. The organization claimed these precautions were intended to ensure the safety of its employees and the premises. It also obtained express consent from its employees before implementing the project. Ultimately, the CAI still found that using the biometric system was neither necessary nor proportionate. Specifically, it found that the absence of reported security issues meant collecting biometric information for security purposes was not justified. The CAI ordered that use of the system be discontinued.

Conclusion

The OPC’s updated Guidance offers an opportunity for organizations to reassess how they handle biometric information. This means taking concrete steps to ensure compliance:

  • Start by reviewing any existing use of biometric technologies across your organization, including employee authentication systems and customer-facing tools.
  • Implement a formal process for evaluating new biometric tools before rollout, including PIAs (where necessary) and consent protocols tailored to each relevant jurisdiction.
  • Pay attention to operations in Quebec, where enforcement is stricter and notification obligations apply.
  • Finally, ensure your privacy policies reflect current legal standards and are adaptable to evolving regulatory expectations.

The authors would like to thank Carolyn Moore, student, for her contribution to preparing this legal update.