Federal Privacy Commissioner Issues New Guidance on Collection and Use of Biometric Data
By Esther Shainblum and Martin U. Wissmath August 2025 Charity & NFP Law Update
Published on August 28, 2025
Canada’s federal privacy regulator has released new guidance on how private organizations should approach the collection and use of biometric information. On August 11, 2025, the Office of the Privacy Commissioner of Canada (OPC) published its “Guidance on processing biometrics – for businesses” (the “Guidance”), to advise private sector organizations on their privacy obligations when handling biometric information. The Guidance reviews a number of key privacy obligations that organizations must fulfill once they make the decision to utilize biometric information. These obligations largely reflect the fair information principles set out under Schedule 1 of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The Guidance signals how the OPC and the courts might assess an organization’s handling of biometric information and offers a framework that organizations, including charities and not-for-profits, may rely upon as best practices in Canada.

The Guidance first provides some technical background on biometric technologies and what they may be used for. Biometric technologies quantify human traits into measurable data, whether physiological (fingerprints, facial geometry, DNA) or behavioural (voice, gait, keystroke patterns). Biometric data can involve sensitive personal information, as certain biometric traits are unique, stable, and difficult to change. Other types of biometric information are not sensitive in themselves but may be combined with other information in a way that allows an individual to be identified. Biometric information could expose individuals to fraud, identity theft, or discrimination, or could reveal sensitive information about a person’s life.

The first requirement set out in the Guidance is that any biometric program must serve an appropriate purpose. Organizations must demonstrate a legitimate business need, show that biometrics are effective in addressing that need, and establish that the approach is minimally intrusive and proportionate. The Guidance draws on earlier findings in which biometric programs were upheld only where less intrusive alternatives were not viable and privacy impacts were strictly limited. Conversely, large-scale identification and surveillance initiatives, such as indiscriminate scraping of online images, have been found inappropriate.

The second key principle is valid consent. The Guidance makes it clear that consent is a foundational issue and that express, informed consent will be required for the collection, use or disclosure of sensitive biometric data. Express consent means that biometric information will not be collected, used, or disclosed without an individual’s explicit knowledge and agreement. Informed consent means that individuals must be told explicitly if biometric information will be collected, the purpose for its collection, use or disclosure, any parties to whom the information may be disclosed, and any meaningful risks of significant harm that remain after risk mitigation efforts have been made. For the consent to be valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. Organizations must also provide alternatives where biometrics are not integral to a service, and they cannot treat consent as a one-time exercise if the scope of use expands.

The Guidance also addresses the requirement that organizations limit the collection, use, disclosure and retention of biometric information. Organizations should gather the minimum information necessary to fulfil their stated purpose, not extract secondary biometric information without consent, and retain biometric information only for as long as necessary to fulfil the stated purpose, after which the data must be securely and permanently destroyed from all locations. Biometric information should be retained differently from other personal information, and separate retention schedules should be used. Biometric information should be deleted upon request of the affected individual, and any third parties with whom it has been shared should also be required to delete it.

The Guidance states that organizations must safeguard biometric data using physical, organizational and technical measures to prevent breaches, particularly since a breach of biometric information will likely create a real risk of significant harm to affected individuals. Biometric systems should have built-in privacy protections, and vulnerability assessments should be conducted to detect system weaknesses. Safeguards used should include encryption, privacy-enhancing technologies, and mechanisms for prompt breach reporting. The obligation to ensure that personal information is accurate, complete and as up to date as possible means that organizations must choose technology with good accuracy rates and use testing to detect and prevent inaccuracies. Finally, accountability requires governance processes, staff training, oversight of service providers, and transparency in public-facing policies.

Many charities and not-for-profits rely on third-party service providers for technology solutions. Where biometric systems are introduced, whether fingerprint scanners, facial recognition in security cameras, or voice authentication, organizations engaged in commercial activity must be prepared to justify the necessity of the technology, obtain valid express consent, and demonstrate privacy-protective design.
