The rise of biometric technologies has ushered in a new era of convenience and security. But with that innovation comes heightened privacy risk. Recognizing the sensitivity of biometric data, the Office of the Privacy Commissioner of Canada (OPC) has released new guidance under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), providing clarity for private-sector organizations. At the same time, Québec’s Commission d’accès à l’information (CAI) continues to enforce its own more prescriptive rules. For businesses operating across Canada, understanding and reconciling these regimes may be increasingly important.
Quick Hits
- The Office of the Privacy Commissioner of Canada (OPC) has published guidance on the processing of biometric information under the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Biometric data is permitted for use in Canada, but is considered highly sensitive and subject to heightened privacy expectations.
- Organizations can consider conducting an internal Biometric Privacy Impact Assessment (B-PIA) to evaluate risks and demonstrate accountability.
- While the OPC guidance is advisory, Québec has established more prescriptive requirements under its privacy legislation.
Application of the Federal Biometric Guidance
The federal biometric guidance issued by the Office of the Privacy Commissioner of Canada applies only to organizations that are subject to PIPEDA. That said, PIPEDA’s scope is broad, and many private-sector organizations across Canada will fall within it. In general, PIPEDA governs the collection, use, and disclosure of personal information in the course of commercial activities nationwide. However, there are key exceptions. In Alberta, British Columbia, and Québec, provincial private-sector privacy laws deemed “substantially similar” to PIPEDA apply in place of the federal statute for most consumer and employee information. Outside of those provinces, PIPEDA applies to consumer data, but not to employee data. An exception exists for federally regulated organizations, known as “federal works, undertakings, and businesses” (FWUBs), including industries such as airlines, banks, telecommunications, broadcasting, interprovincial or international transportation, and certain Crown corporations. For FWUBs, PIPEDA applies to both consumer and employee personal information.
Companies may want to evaluate carefully whether they are subject to PIPEDA, as the analysis can be fact-specific. While there are general rules of application, particular circumstances may lead to different outcomes, and in some cases both federal and provincial privacy laws may apply to the same organization.
As a quick reference:
- Companies located in Alberta, British Columbia, and Québec: Provincial laws may apply to both consumers and employees.
- Federal works, undertakings, or businesses (FWUBs): PIPEDA applies to both employees and consumers.
- Elsewhere in Canada, non-FWUBs: PIPEDA applies only to consumer information.
It is also worth noting that other legal regimes may govern certain categories of data, such as background check information or sector-specific requirements, which organizations may need to consider in parallel. Accordingly, organizations may want to confirm whether PIPEDA applies to their operations before assessing their obligations under the new federal biometric guidance.
Federal Guidance: Biometric Use Permitted, but With Caution
The OPC guidance notes that biometrics are not prohibited in the private sector, but their use ought to be approached with exceptional care. Key themes from the federal guidance include:
- Heightened Sensitivity: Because biometric identifiers are immutable, they are treated as particularly sensitive. Organizations may wish to consider handling them with the highest level of care.
- Biometric Privacy Impact Assessment (B-PIA): Before implementation, organizations may want to consider whether biometrics are truly necessary, whether less intrusive alternatives are available, and how risks can be addressed.
- Purpose Limitation: Collection may be limited to a clear, specific, and legitimate purpose, with attention paid to avoiding unintended secondary uses.
- Consent and Transparency: Express, informed consent is generally expected. Individuals may benefit from clear explanations of what is collected, how it will be used, and who will access it. Companies operating in Canada may also wish to establish an internal retention schedule and provide privacy notices. In provinces with comprehensive private-sector privacy legislation, namely Alberta, British Columbia, and Québec, as well as in federally regulated workplaces, these notices typically extend to employees and job applicants and may need to reference any biometric data. Consent for biometric data may, however, be required separately.
- Safeguards and Retention: Organizations may want to consider implementing robust safeguards such as encryption, access controls, and timely deletion when the data is no longer required.
- Individual Rights: Providing processes that allow individuals to access, correct, or request deletion of their data, and to withdraw consent, may help align with regulatory expectations.
- Ongoing Review: Organizations may benefit from reviewing biometric programs regularly and revisiting privacy assessments as technologies, vendors, or business needs evolve.
Taken together, the OPC’s guidance signals an expectation that organizations approach biometrics through a “privacy by design” lens, with companies expected to perform internal evaluations to determine that they have taken an approach that prioritizes privacy.
Québec’s Higher Bar: The CAI’s Prescriptive Rules
While the OPC guidance is advisory, Québec has established more prescriptive requirements under its privacy legislation. Organizations in Québec will want to consider the following obligations:
- Completing a privacy impact assessment (PIA)
- Filing a declaration with the CAI at least sixty days before deploying a biometric system or database
- Obtaining express consent and offering a nonbiometric alternative for identification
- Applying strong minimization, confidentiality, and security measures
- Ensuring secure destruction once the data is no longer required
- Facilitating individuals’ rights to access, correct, or request deletion of their biometric data
These requirements reflect Québec’s restrictive approach to privacy protection and may set a higher bar for compliance compared with other Canadian jurisdictions.
Biometric Use Under Alberta and British Columbia Privacy Laws
In addition to federal guidance, organizations operating in Alberta and British Columbia will want to consider provincial requirements under their respective private-sector privacy laws. Both provinces emphasize the principle of data minimization, which means that organizations are expected to limit the collection, use, and disclosure of personal information to what is reasonable and necessary for the identified purpose. When it comes to biometric data, given its heightened sensitivity, the data minimization principle plays an important role in assessing whether biometrics are the least intrusive option and whether less privacy-invasive alternatives could achieve the same objective. While these provincial laws contain certain exceptions to consent in the employment context, for example, by allowing organizations to collect or use personal information without consent if it is reasonable for the purpose of managing the employment relationship, these exceptions are subject to interpretation. They may not be applicable in every scenario involving biometric data, particularly where the use of biometrics could be seen as outside of managing an employee.
Next Steps
As biometric adoption accelerates, Canadian regulators are signaling that innovation may need to be balanced with accountability. Organizations considering or already using biometric technologies may wish to:
- Conduct a privacy impact assessment (B-PIA or PIA) early in the process.
- Assess necessity and proportionality—determining whether biometrics are the least intrusive option or offer advantages that can greatly reduce risk.
- Implement safeguards such as encryption, access restrictions, and limited retention periods.
- Develop consent and transparency practices, including privacy notices for customers, employees, and applicants that provide clear information.
- Monitor legal developments—particularly in Québec, where the rules are more prescriptive and may influence other jurisdictions.
Biometric technologies offer efficiency and enhanced security, but they also carry unique privacy risks. The OPC’s guidance and Québec’s regulatory framework highlight the importance of caution, accountability, and transparency in their use. Organizations that take steps to align with these evolving expectations may reduce regulatory risk while fostering trust in the use of biometric tools in Canada’s digital economy.