The Office of the Privacy Commissioner of Canada (“OPC”) has released its anticipated final “Guidance for Processing Biometrics – For Businesses” (the “Guidance”). This Guidance does not change the law under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), but clarifies the OPC’s interpretation and enforcement stance. Unlike Quebec, where the legislative requirements relating to biometrics arise expressly from applicable law, PIPEDA is a “principles-based” law, so what it requires may change over time. Every business in Canada, particularly those in the tech and gaming sectors, must therefore carefully consider the OPC’s new, higher bar for compliance. A deliberate, privacy-first approach is required before implementing any system that implicates individuals’ biometric information, particularly because informed consent remains a cornerstone of Canada’s privacy law.
The Guidance defines “biometrics” as the quantification of human characteristics into measurable terms for use by two categories of technologies: “physiological biometrics”, which involve morphological (body shape or structure) or biological characteristics of an individual that are relatively stable over time (e.g., fingerprints, iris patterns, facial geometry, and DNA), and “behavioural biometrics”, which involve distinctive characteristics of individuals’ movements, gestures, or motor skills (e.g., keystroke patterns, gait, voice, and eye movement). Photographs, video recordings, and behavioural observations are not, on their own, necessarily biometric information unless they are quantified into measurable data. The Guidance acknowledges that organizations are using biometrics in multiple systems (which it defines as “biometric systems”), inputting them manually or automatically, for purposes including recognition (verification or identification of an individual) or classification (estimation of personal attributes based on biometrics).
Ten key takeaways
Biometrics are (almost) always sensitive: Treat biometric data that uniquely identifies individuals as sensitive by default, raising the bar for consent, safeguards, and reporting, even if the data is retained only briefly. To determine the sensitivity of non-identifying biometric data, assess the relevant context for risks of harm and whether the biometric data could reveal other types of information considered sensitive.
Avoid “no-go zones”: Uses like mass surveillance, discriminatory profiling, or unlawful collections that cause significant harm, even with consent, are generally inappropriate per OPC precedents.
Justification is non-negotiable: A four-part test (legitimate need, effectiveness, minimal intrusiveness, proportionality) must be passed before deployment. Do not rely on biometrics for convenience if alternatives exist.
Express consent is the default: Obtain explicit, informed consent specific to biometrics (in other words, consent to take a photo is not the same as consent to generate a face embedding), integrated into user flows, and renewable. Businesses must avoid vague policies, ensure opt-out options when practicable, and provide alternatives to biometrics, especially when biometrics aren’t essential to their product or service.
Minimize collection and retention: Limit to essential data (favour verification over identification), store templates under user control (e.g. on the user’s device) where possible, and destroy records promptly after purpose fulfillment. When designing a biometric system, businesses should not implement additional features that enable the broader collection of personal information than is required to fulfill their specific purposes.
Delete upon request: If an individual withdraws consent to the processing of biometric information, a business should delete all the biometric information it has collected or created about them, subject to legal or contractual restrictions. This requirement extends to third parties with whom biometric information has been shared.
Prioritize safeguards: Implement privacy-protective, privacy-by-design features (e.g., encryption, cancellable templates), report breaches if they pose a real risk of harm, and regularly test and monitor system access and vulnerabilities.
Accuracy and bias: The OPC expects a business to choose technology with error rates suitable to the stakes, to test for biases and errors on operationally relevant data before launch and on an ongoing basis, and to ensure that the use of biometrics does not result in discrimination contrary to human rights law. Biometric systems need procedures for handling corrections and false matches and for mitigating harm to individuals.
Embrace accountability and openness: Build governance with human oversight; regularly review and update privacy policies; audit third parties and formalize business relationships with them; develop robust breach response plans; and transparently detail the biometrics under a business’s control, with program-level explanations of their use. Having a contractual right to audit service providers is essential.
Fact-specific application: Remember, nothing in PIPEDA has changed; this is interpretive guidance of principles-based legislation. So, tailor responses to context, but heed OPC expectations to avoid enforcement scrutiny.
Detailed analysis
Sensitivity
One of the core messages of the Guidance is that organizations must justify not only how they use biometrics, but whether they should be using biometrics at all. In particular, the Guidance establishes a high standard for biometric data that is capable of uniquely identifying a person—like a fingerprint, faceprint, or voiceprint—as sensitive regardless of context, due to its intimate link to an individual’s body, its uniqueness, stability over time, and difficulty to alter.
For other biometric data that is not uniquely identifying, such as general age markers or eye color, sensitivity depends on context, including whether it could be combined with other data to identify someone, pose a high risk of harm if misused, or reveal sensitive details like health or medical conditions. Notably, per the Guidance, even brief retention does not diminish this sensitivity.
Appropriate purpose
The purpose for the collection of biometric information must always be appropriate. Organizations should avoid OPC-identified “no-go zones” where uses are generally inappropriate, such as otherwise unlawful collections, profiling leading to unfair or discriminatory treatment contrary to human rights law, purposes likely to cause significant harm, or surveillance via an individual’s own device. Beyond these zones, businesses must demonstrate legitimacy through a four-part test: (i) legitimate need (tied to a bona fide business interest, not speculation), (ii) effectiveness (with proven reliability and low error rates), (iii) minimal intrusiveness (favouring less invasive alternatives over convenience), and (iv) proportionality (ensuring privacy impacts align with benefits, preferring narrow scopes). To illustrate, the Guidance references past findings where a telecommunications company’s voiceprint authentication was deemed appropriate for addressing security needs with strong safeguards, while an internet-scraping operation creating a facial recognition database was rejected as mass surveillance posing undue harm, and fingerprint use for exam security was found disproportionate to its benefits.
Valid consent
Once an appropriate purpose is established, obtaining valid consent becomes essential, as it is a cornerstone of PIPEDA for collecting, using, or disclosing biometric information, with limited exceptions, such as in the employment relationship. Consent must be meaningful, ensuring individuals reasonably understand the nature, purpose, and consequences of the processing. For sensitive biometrics, express consent is the default, requiring explicit agreement with clear explanations of the biometric type, purposes, third-party disclosures, and residual risks of harm. A description of a business’s practices in privacy policies will not suffice, and consent must be renewed when extending the use of the biometric information. Individuals must also be provided with alternative options to biometrics and clear and easy-to-effect opt-outs where practicable. If a business is taking the position that consenting to the collection and processing of biometric information is required for the use of its products or services, it must be prepared to demonstrate full compliance with the principles outlined in the Guidance.
Unless biometrics are integral to service delivery, they can’t be mandatory under PIPEDA, so organizations should also provide customers accessible non-biometric alternatives without barriers whenever possible. When collecting biometric information from third parties, organizations should verify lawful compliance at every stage, including obtaining consent. Public observability does not necessarily create an exemption from the consent requirements.
Limiting collection, use, disclosure, and retention
From there, the Guidance emphasizes limiting collection, use, disclosure, and retention to what is strictly necessary, starting with minimizing collection by using only the essential biometric characteristics. This favours verification (one-to-one matching) over identification (one-to-many) to reduce data needs. For example, a game could allow players to opt out of optional behavioural biometrics and erase their templates without disrupting gameplay. Limiting collection was also the subject of an OPC investigation in which an exam board agreed to limit fingerprint data to secure digital templates.
Businesses deploying technologies such as facial recognition for age verification, or voice analysis for authentication, should consider storing templates under user control (e.g., on personal devices) to avoid centralized databases, and designing systems with constrained capabilities to prevent over-collection. The extraction and use of secondary information, such as that related to health, ethnicity, or biological relationships, is prohibited unless separate and specific consent is obtained that is consistent with the purposes of the collection.
Retention must end promptly after the purpose or legal needs are met, with permanent destruction across all systems. To meet this obligation, organizations should maintain tight disclosure circles, de-link data across systems, and use separate retention schedules for biometrics versus other personal information the biometrics may be linked to. They must also deploy systems to promptly delete data upon consent withdrawal, subject only to legal or contractual restrictions. Organizations must ensure that such practices extend to relevant third parties as well.
Safeguards
Given biometrics’ high-risk nature, robust safeguards to prevent data breaches, theft, or unauthorized access are non-negotiable, and must be proportional to the level of sensitivity. This includes deploying and routinely testing, auditing and improving physical, organizational, and technical measures against breaches or spoofing (e.g., via deepfakes).
Organizations are encouraged to adopt privacy-by-design, such as cancellable templates for revocability, homomorphic encryption for secure matching, and end-to-end encryption.
As the capstone of PIPEDA compliance, organizations remain fully responsible for biometric information under their control, including when outsourced to third parties, which must be contractually bound to equivalent protections regardless of location. Businesses should control and monitor access strictly, granting it only to essential personnel and logging activities for anomaly detection. Regular testing, including annual penetration assessments by independent experts, is advised for systems handling large volumes of biometrics, as seen in OPC recommendations for government entities. For tech firms integrating biometrics into apps or hardware, this means building in audit trails and opting for systems that cannot be repurposed beyond the intended use, ensuring compliance even as threats evolve.
Regular reviews should address evolving threats, such as spoofing via deepfakes or voice synthesis, which could compromise systems like those used for secure logins. Any breaches should be promptly reported to the OPC and the affected individuals in accordance with PIPEDA or other applicable law, such as provincial privacy laws.
Accuracy and bias
When designing and deploying biometric systems that are used to make decisions about an individual, organizations must take steps to ensure that such systems are accurate and free of bias. Errors by this technology can result in serious harm to individuals and severe consequences for organizations, for example, when it is used to determine who is selected for an interview, to review loan or lease applications, or to determine insurance coverage. Faulty and inaccurate biometric systems can breach not only privacy laws but also human rights and consumer protection laws. Therefore, it is essential to ensure that biometric systems do not discriminate on the basis of protected grounds such as race, gender, or age.
In order to comply with Principle 6 of PIPEDA, organizations must ensure that personal information is maintained with a level of accuracy, completeness, and currency commensurate with the purposes for which it is used, in order to reduce the risk of flawed or inappropriate information influencing their decisions. Organizations must also test and monitor their biometric systems before deployment and during use to ensure that they are accurate and free of bias, and develop a procedure for responding to and correcting inaccurate results.
Accountability
Accountability is a key principle of PIPEDA. Organizations remain responsible for all processing of biometric data, including by third-party service providers. Any contracts should ensure third parties provide protections equivalent to those of the principal organization. For global tech companies, audit rights over contractors are crucial, ensuring biometric data in cloud-based gaming services is not mishandled abroad.
A robust governance structure, integrated into a privacy management program, supports compliance through internal audits and defined pause conditions for underperforming systems.
The Guidance requires organizations to provide adequate training and supervision to employees responsible for managing biometric data, to develop robust mechanisms for reporting and remedying privacy violations, and to be prepared to demonstrate compliance with privacy legislation to regulators. When using biometric systems to assist in making important decisions about an individual, organizations should ensure that they are manually reviewing and approving these decisions. Businesses need to be able to explain and support all decisions in the event they are challenged under privacy, human rights, consumer protection, or other laws.
Openness
Finally, transparency builds trust and is required by PIPEDA and other privacy laws. Organizations are required to make privacy policies on biometrics readily accessible, detailing data types, uses, and related entities like subsidiaries. Organizations must provide contact details for the officer or organization representative responsible for privacy compliance. Transparent organizations go further by explaining retention practices, legal deletion limits, service provider involvements (including foreign transfers and associated risks like law enforcement access), and the mechanics of any automated biometric decisions.
In the fast-paced world of video games and tech, this openness not only complies with PIPEDA but signals to users that their biometric data is handled with the care its sensitivity demands.