On August 11, 2025, the Office of the Privacy Commissioner of Canada (OPC) published guidance for both the public and private sectors on protecting privacy in biometric initiatives. The OPC’s guidance addresses key considerations for organizations when planning and implementing initiatives involving biometric technology, such as appropriate purposes for collecting, using, and disclosing biometric data, the proportionality of potential privacy impacts, and consent requirements.
The OPC’s guidance describes “biometrics” as the quantification of human characteristics into measurable terms, often for purposes of recognition or classification. This includes physiological biometrics, such as fingerprints, iris patterns, and DNA, as well as behavioural biometrics, such as voice patterns, gait, and eye movements. In general, biometric information is personal information.
The guidance for the public sector highlights the provisions of the Privacy Act that are engaged when institutions implement biometric initiatives. Government institutions must ensure there is lawful authority for the collection, use, and disclosure of biometric information as well as proportionality to privacy impacts. Institutions must also ensure that biometric data is accurate because administrative decisions, such as whether to deliver a service to an individual, are often decided upon this data and false positives and negatives can have significant consequences. Procedures should also be in place to address variation in system performance across different demographic groups to minimize the risk of bias and ensure that errors do not result in the perpetuation of systemic biases.
The guidance for the private sector highlights the provisions of the Personal Information Protection and Electronic Documents Act that are engaged when organizations adopt biometric technology. This guidance specifically warns private organizations not to adopt biometric technologies if they are uncertain whether there is a legitimate need, sufficient efficacy, minimal intrusiveness, and proportionality to the impact on privacy. Private organizations should also ensure they collect appropriate and valid consent, especially if sensitive information is involved.
Overall, the OPC’s guidance emphasizes the need for organizations to approach the use of biometric information in a privacy-protective way, establish openness and transparency in their practices, and build in privacy considerations at the beginning of any new initiative.
Summary By: Amy Ariganello
E-TIPS® ISSUE
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.
