Facial Recognition Laws in Canada: Compliance Guide Under PIPEDA


TL;DR

  • PIPEDA applies to all private-sector FRT use in Canada and classifies biometric data as sensitive regardless of context
  • The OPC’s August 2025 guidance requires express consent, demonstrated necessity, and documented accountability, not just a consent checkbox
  • Quebec Law 25 requires 60-day advance notification to the Commission d’accès à l’information before any biometric database goes live
  • Alberta PIPA and BC PIPA substantially mirror PIPEDA; courts have upheld both against foreign firms collecting biometric data without consent
  • Bill C-27 did not pass; FRT sits outside any AI-specific statutory regulation as of May 2026
  • The OPC’s Clearview AI investigation established that scraping publicly available images constitutes mass surveillance under PIPEDA
  • Using a third-party facial recognition vendor does not transfer accountability; your organization remains the accountable party

On August 11, 2025, the Office of the Privacy Commissioner of Canada (OPC) published its first comprehensive biometric guidance for private-sector organizations since 2011. The guidance establishes an express consent standard, an “appropriate purpose” test, and explicit accountability obligations for any organization collecting facial biometric data in Canada.

It arrived without a new federal law to enforce it. Bill C-27, which proposed an overhaul of Canada’s digital privacy regime and new AI oversight rules, stalled when Parliament prorogued in early 2025 and has not been reintroduced as of May 2026.

For compliance teams deploying or evaluating facial recognition technology (FRT) today, biometric privacy concerns in Canada are real and immediate. This guide maps the federal framework under the Personal Information Protection and Electronic Documents Act (PIPEDA), the three major provincial frameworks layered on top of it, and the practical compliance steps every organization must complete before deployment.

What is facial recognition technology, and how is it used in Canada?

Facial recognition technology uses AI algorithms to identify or verify a person by analyzing the geometric features of their face. A sensor captures a facial image, the system converts it into a mathematical representation called a faceprint, and that faceprint is compared against a reference database or an enrollment image.

The match determination may involve identity verification, which is a one-to-one comparison, or identification, which is a one-to-many search. Both generate biometric data that Canadian regulators treat as inherently sensitive.

The Canadian facial recognition market is projected to reach USD 3.16 billion by 2035 at a compound annual growth rate of 15.08%, according to Market Research Future. Adoption spans commercial environments and public institutions.

Commercial and private-sector applications

Retailers have deployed FRT for loss prevention, using cameras to flag individuals on internal watchlists. Financial institutions use it to verify customer identity at account opening and re-authenticate users during high-risk transactions.

Employers have piloted it for physical access control and time-and-attendance tracking. The role of facial recognition in KYC fraud prevention has expanded as regulated businesses seek biometric binding between identity documents and live applicants.

Each of these applications involves collecting and processing biometric data on individuals who may not be aware that their faceprint is being captured, stored, or compared. That is the central compliance risk that PIPEDA and its provincial counterparts address.

Law enforcement and public-sector use

York Regional Police and Peel Regional Police in Ontario began using FRT in criminal investigations in 2024, accelerating suspect identification from surveillance footage. The Royal Canadian Mounted Police (RCMP) has voluntarily restricted its use to exigent circumstances, specifically victim identification in child sexual exploitation investigations and situations involving imminent threat to life, following the OPC’s findings on RCMP FRT use.

The OPC’s joint guidance for police agencies recommends judicial authorization, typically a warrant under section 487.01 of the Criminal Code, as the appropriate threshold for investigative FRT use. There is no mandatory federal law requiring warrants for police FRT as of May 2026.

How does PIPEDA govern facial recognition technology?

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity in federally regulated industries or across provincial borders. Biometric data, including facial geometry and faceprints, qualifies as personal information under PIPEDA. The OPC’s August 2025 biometric guidance elevated biometric data to the highest sensitivity tier, stating it is sensitive “regardless of context.” That classification generates three concrete compliance obligations every organization must meet before deploying face recognition tools in Canada.

Consent and PIPEDA biometric data sensitivity

Under PIPEDA, consent is required before collecting personal information. For biometric data, the OPC now treats express consent as the baseline standard in most circumstances, given the sensitivity of biometric identifiers. Express consent means the individual must be told, in plain language, what biometric information is being collected, why it is needed, with whom it may be shared, and what risks of harm may arise.

The consent requirement cannot be bypassed by invoking the “publicly available” exception under PIPEDA. The Clearview AI investigation in 2021 established definitively that images scraped from social media or professional profiles do not constitute publicly available information for biometric collection purposes, even when those profiles are publicly accessible.

The “appropriate purpose” test

Beyond consent, the OPC’s August 2025 guidance requires organizations to demonstrate that their FRT program serves a specific and legitimate purpose that a reasonable person would consider appropriate in the circumstances.

The OPC has identified categories it considers presumptively unreasonable: programs involving mass surveillance, programs likely to cause significant harm, and programs involving discriminatory treatment.

Appropriateness is not a checkbox. The OPC expects organizations to document why FRT is necessary rather than merely convenient and to evaluate less invasive alternatives before proceeding. Retail loss prevention FRT, for example, requires a substantially higher justification than using FRT for individual re-authentication in a financial services onboarding flow.

Accountability for biometric data

PIPEDA places accountability for compliance on the organization that collects biometric data. That accountability cannot be transferred to a third-party vendor. If your organization uses a facial recognition vendor in Canada, the vendor’s privacy practices do not insulate your organization from regulatory scrutiny. The OPC requires organizations to implement contractual safeguards, conduct due diligence on vendors, and retain oversight of how biometric data is processed on their behalf.

Organizations must also designate an individual or committee responsible for PIPEDA compliance, maintain internal policies aligned with the OPC’s guidance, and document data retention schedules that limit storage to what is necessary for the stated purpose.

Provincial privacy frameworks for facial recognition technology

Three provinces, Quebec, Alberta, and British Columbia, have private-sector privacy legislation that the federal government has recognized as substantially similar to PIPEDA. Organizations operating within those provinces are subject to provincial law rather than PIPEDA for intra-provincial transactions.

In practice, most organizations processing facial biometric data about customers across Canada face both the federal regime and at least one provincial framework. Each province adds obligations that go beyond the federal baseline, and the enforcement appetite in all three has grown significantly since 2021.

Quebec Law 25 and Facial Recognition

Quebec’s Act to modernize legislative provisions as regards the protection of personal information, commonly known as Quebec Law 25, introduced the most prescriptive FRT obligations in Canada. Under section 44 of the Act to establish a legal framework for information technology (AELFIT), organizations must obtain express consent before creating a biometric database.

Critically, the Commission d’accès à l’information (CAI), Quebec’s data protection authority, requires organizations to notify it at least 60 days before bringing a biometric database online, as documented in DLA Piper’s analysis of Quebec Law 25 implementation. This pre-notification requirement has no equivalent in PIPEDA or the other provincial statutes. The CAI treats all biometric data as inherently sensitive and has categorized it into three tiers: morphological, including facial geometry; behavioral, including gait and signature dynamics; and biological, including DNA. Facial recognition falls in the morphological category.

The CAI has enforced Quebec Law 25 compliance aggressively. In decisions published through 2024 and 2025, the regulator prohibited facial recognition deployed by retailers for loss prevention purposes, finding that the privacy impact of building a biometric database for commercial security did not justify the degree of intrusion. Organizations seeking to comply with Quebec Law 25 must treat the CAI’s published decisions as binding interpretive guidance, not advisory opinions.

Alberta PIPA and facial recognition

Alberta’s Personal Information Protection Act (PIPA), enforced by the Office of the Information and Privacy Commissioner of Alberta (OIPC), governs private-sector data handling in the province. In the Clearview AI joint investigation, the OIPC confirmed that Clearview’s collection of facial images from the internet violated Alberta PIPA.

Facial recognition obligations under Alberta PIPA parallel those under PIPEDA: consent is required for collection, use, or disclosure of biometric data; the “publicly available” exception does not extend to social media profile images used for facial recognition; and facial data sits at the highest level of sensitivity under the OIPC’s interpretive framework. Alberta courts have upheld the OIPC’s authority to enforce PIPA against organizations with no physical presence in the province, including foreign AI companies operating digital services accessible to Albertans.

BC biometric privacy rules

British Columbia’s Personal Information Protection Act (PIPA BC), enforced by the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC), operates on substantially similar principles to its Alberta counterpart. BC biometric privacy enforcement followed the same trajectory in the Clearview AI matter, with the BC OIPC co-signing the 2021 joint findings.

In early 2025, the BC courts upheld the OIPC BC’s order directing Clearview to delete all images and derived faceprints belonging to BC residents and to cease collection in the province. The court confirmed that BC PIPA applies to the processing of data belonging to BC residents regardless of where the organization is physically located. Organizations handling facial biometric data about BC residents through any channel, including cloud-processed data flows, are subject to BC PIPA’s consent and collection-purpose requirements.


Federal vs Provincial Frameworks

What did the OPC’s Clearview AI investigation establish?

The PIPEDA Report of Findings #2021-001 is the most consequential facial recognition enforcement action in Canadian history. Published in February 2021 as a joint investigation by the OPC, the CAI, the OIPC BC, and the OIPC Alberta, it examined a company’s practice of scraping billions of facial images from the internet and selling access to that database to law enforcement and commercial clients. The findings established a precedent that every organization deploying FRT in Canada must understand.

The mass surveillance finding

The four commissioners concluded that the company had built and maintained a database of more than three billion images scraped from internet sources without the knowledge or consent of the individuals depicted. The investigation found this violated PIPEDA, both provincial PIPA statutes, and the Quebec privacy regime. The commissioners characterized the outcome as placing individuals in “a de facto 24-hour police lineup,” concluding that this constituted mass surveillance and was a fundamentally inappropriate purpose under all applicable Canadian privacy law.

The ruling established a binding principle: the “publicly available” exception in PIPEDA and the provincial statutes does not extend to images posted on social media profiles. Posting a photograph publicly does not constitute consent for that image to be collected, converted into a faceprint, and stored in a searchable biometric database.

Implications for commercial FRT use

The Clearview AI findings apply directly to commercial FRT deployments. Three implications are particularly relevant for compliance teams. First, bulk or systematic collection of facial images without individual consent is a PIPEDA violation regardless of whether the source is publicly accessible. Second, offering FRT as a service does not insulate either the provider or the client organization from accountability. Third, Canadian privacy regulators will pursue extraterritorial enforcement: Clearview had no Canadian offices, yet all four regulators concluded it was subject to Canadian law because it processed data belonging to Canadian residents.

For organizations that have deployed FRT relying on the assumption that publicly accessible images create implied consent, the Clearview findings require an immediate review. The deepfake and biometric fraud compliance landscape has shifted considerably since 2021, and so has the regulatory risk profile for any organization that has not revisited its consent architecture.

Where does Bill C-27 stand on Canadian FRT regulation?

Bill C-27, the Digital Charter Implementation Act, was introduced in June 2022 with three components: the Consumer Privacy Protection Act (CPPA) to replace PIPEDA, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA).

AIDA proposed a risk-based oversight framework for high-impact AI systems. The OPC’s issue sheets on Bill C-27 confirmed that AIDA would have applied to FRT deployed in many commercial and enforcement contexts, requiring impact assessments, transparency obligations, and governance documentation.

What Bill C-27 proposed for facial recognition

Under AIDA, organizations deploying high-impact AI systems would have faced mandatory impact assessment obligations, transparency requirements around automated decision-making, and governance documentation requirements. Privacy advocates and civil society groups criticized the bill for failing to explicitly classify biometric identifiers as sensitive data and for omitting direct reference to facial recognition technology in the statutory text, leaving interpretation to delegated regulation. The concerns were substantive: the statutory protections proposed under the CPPA did not meaningfully strengthen consent requirements for biometric data beyond what PIPEDA already required.

What its failure means for FRT operators today

Parliament prorogued in January 2025, and Bill C-27 died on the order paper without receiving Royal Assent. No replacement bill addressing AI governance or FRT specifically has been introduced as of May 2026. Canadian FRT regulation remains governed exclusively by PIPEDA, the provincial privacy statutes, and the OPC’s non-binding guidance documents.

The regulatory gap has practical consequences for biometric data policy across Canada. The absence of an AI-specific law means that purpose limitation, impact assessment obligations, and governance requirements for FRT all derive from the OPC’s interpretive position under PIPEDA rather than from statutory mandate. That interpretation can shift with each new investigation finding or guidance update, creating a moving compliance target. Organizations cannot plan their FRT programs around legislation that does not yet exist. The operative standard is the OPC’s August 2025 guidance, and that guidance should be treated as the current compliance floor.

How to achieve biometric compliance under PIPEDA

Biometric compliance across Canada requires more than a privacy policy update. The OPC’s August 2025 guidance and the Clearview AI precedent together define a practical compliance floor that every organization using or considering FRT must clear before deployment. The steps below reflect that floor, incorporating both federal and provincial requirements.

Conduct a privacy impact assessment under PIPEDA

A privacy impact assessment (PIA) evaluates the risks a proposed FRT program poses to individuals’ privacy before deployment. Under the OPC’s guidance, a PIA is not optional for biometric programs; it is a prerequisite for demonstrating appropriate purpose. The assessment must document the specific need FRT is intended to serve, why less invasive alternatives are insufficient, what data will be collected, how it will be stored and retained, what the risks of harm are, and what mitigation measures will be applied.

A completed PIPEDA privacy impact assessment becomes the evidentiary basis for demonstrating proportionality if the OPC or a provincial commissioner opens an investigation. Organizations without a PIA on file have no documented justification for their deployment decision and will struggle to demonstrate compliance retroactively.

Build a biometric data policy

Every organization collecting facial biometric data needs a standalone biometric data policy document, separate from a general privacy policy, that covers collection purposes, legal basis, retention schedule, deletion procedures, security safeguards, and individual rights. The policy must specify how consent is obtained, how individuals can withdraw consent, and how they can request deletion of their biometric data.

Quebec Law 25 adds the requirement that the policy be accessible and that individuals receive notice before their data enters any biometric database. The 60-day CAI pre-notification requirement means the biometric data policy must be finalized well before the technical deployment date. Treating the policy as a post-launch document is a compliance failure in Quebec.

Vendor due diligence for facial recognition vendors in Canada

If your organization is procuring a facial recognition vendor in Canada rather than building in-house, due diligence is a PIPEDA obligation, not an optional procurement step. The OPC’s guidance is explicit: accountability for biometric data processed by a vendor on your behalf remains with your organization. Vendor due diligence should include reviewing the vendor’s privacy documentation, assessing data residency and subprocessor arrangements, confirming the vendor’s approach to data retention and deletion, and embedding data processing agreements that impose obligations consistent with PIPEDA’s requirements.

Identity verification providers operating under internationally recognized compliance certifications, such as ISO 27001, SOC 2 Type 2, and iBeta liveness testing standards, provide an auditable evidence base that due diligence conversations can begin from. That does not substitute for a formal assessment, but it narrows the gap between vendor assurances and documented verification.



Practical Next Steps for Compliance Teams

The compliance work for FRT in Canada does not end with a PIA and a policy document. Three areas require ongoing attention that most organizations underestimate at the implementation stage. The questions every business should ask about online face recognition provide a useful audit starting point, but the operational discipline below is what sustains compliance over time.

Document your lawful basis and purposes

PIPEDA and the provincial privacy statutes require that the purpose for collecting biometric data be documented at the time of collection. Purpose creep, meaning the use of collected faceprints for secondary purposes not declared at enrollment, is a standalone violation regardless of whether the original collection was lawful. Every new use case for existing biometric data requires a fresh consent cycle and updated documentation.

Compliance teams should maintain a purpose-linked data inventory that maps every faceprint dataset to the specific purpose for which it was collected, the date of collection, the consent mechanism used, and the scheduled deletion date. That inventory is among the first records regulators request in an investigation.

Audit your data retention practices

Biometric data may only be retained for as long as necessary to fulfill the purpose for which it was collected. The OPC’s August 2025 guidance identifies indefinite retention as a specific risk area. Organizations that retain faceprints without a defined deletion schedule are in violation even if the original collection was consensual. Retention schedules must be technically enforced rather than merely documented. An automated deletion workflow tied to purpose fulfillment is the standard the OPC expects.

Organizations subject to Quebec Law 25 face additional retention obligations aligned with the CAI’s published decisions, which have applied strict timelines to retail and commercial biometric deployments. Organizations operating in multiple provinces should audit retention practices against the most stringent applicable standard.
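
The purpose-linked inventory and the technically enforced retention schedule described above can be combined in one control. The following is an added example, not code from the OPC guidance or from Shufti's platform; the field names, reason codes, purpose labels, and sample records are constructed assumptions.

```python
"""Purpose-linked faceprint inventory with enforced retention (illustrative)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class FaceprintRecord:
    # Hypothetical field names mirroring the inventory columns the guide lists:
    # purpose, collection date, consent mechanism, scheduled deletion date.
    record_id: str
    declared_purpose: str             # purpose stated to the individual at enrollment
    collected_on: date
    consent_mechanism: Optional[str]  # None means no consent evidence on file
    delete_by: Optional[date]         # None means indefinite retention
    purpose_fulfilled: bool = False
    consent_withdrawn: bool = False


def deletion_reason(rec, today):
    """Return why a faceprint must be purged now, or None if it may be kept."""
    if rec.consent_withdrawn:
        return "CONSENT_WITHDRAWN"
    if rec.purpose_fulfilled:
        return "PURPOSE_FULFILLED"
    if rec.delete_by is not None and today >= rec.delete_by:
        return "RETENTION_EXPIRED"
    return None


def documentation_gaps(rec):
    """Inventory fields a regulator would expect to find but that are missing."""
    gaps = []
    if not rec.consent_mechanism:
        gaps.append("NO_CONSENT_RECORD")
    if rec.delete_by is None:
        gaps.append("NO_DELETION_DATE")
    return gaps


def enforce_retention(inventory, today):
    """Split the inventory into kept records, purge orders, and audit findings."""
    kept, deleted, findings = [], {}, {}
    for rec in inventory:
        reason = deletion_reason(rec, today)
        if reason:
            deleted[rec.record_id] = reason  # caller purges the template and its copies
            continue
        gaps = documentation_gaps(rec)
        if gaps:
            findings[rec.record_id] = gaps
        kept.append(rec)
    return kept, deleted, findings


def may_use(rec, requested_purpose, today):
    """Gate each match request: deny purpose creep and undocumented records."""
    return (
        deletion_reason(rec, today) is None
        and not documentation_gaps(rec)
        and requested_purpose == rec.declared_purpose
    )


# Constructed sample data, not real records.
TODAY = date(2026, 5, 1)
SAMPLE_INVENTORY = [
    FaceprintRecord("fp-001", "account-onboarding", date(2026, 1, 10),
                    "express-in-app", date(2026, 7, 10)),
    FaceprintRecord("fp-002", "account-onboarding", date(2025, 9, 1),
                    "express-in-app", date(2026, 3, 1)),
    FaceprintRecord("fp-003", "access-control", date(2025, 11, 5),
                    "express-paper-form", None),
    FaceprintRecord("fp-004", "account-onboarding", date(2026, 2, 2),
                    "express-in-app", date(2026, 8, 2), purpose_fulfilled=True),
    FaceprintRecord("fp-005", "access-control", date(2026, 3, 3),
                    "express-in-app", date(2026, 9, 3), consent_withdrawn=True),
]

if __name__ == "__main__":
    kept, deleted, findings = enforce_retention(SAMPLE_INVENTORY, TODAY)
    print("kept:", [r.record_id for r in kept])
    print("purge:", deleted)
    print("findings:", findings)
```

Running the retention pass on a schedule and calling `may_use` on every comparison request keeps enforcement in code rather than in the policy document alone.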

Monitor the regulatory pipeline

The FRT regulation landscape in Canada in 2025 is active and will continue to change. Even without Bill C-27, the OPC can update its guidance, the CAI can issue new enforcement decisions, and the courts can extend or limit the reach of provincial privacy statutes. Compliance teams should maintain a regulatory monitoring process that captures OPC announcements, CAI decisions, and OIPC publications from Alberta and BC on a rolling basis.

The Canadian Human Rights Commission has also published a position paper calling for mandatory regulation of FRT in policing contexts. That position has not produced legislation, but it signals the direction of federal policy conversation and should be factored into longer-term compliance planning for organizations operating in regulated industries.

How Shufti helps compliance teams meet PIPEDA biometric obligations

Compliance teams deploying FRT under PIPEDA typically run into two problems. Biometric systems that generate false matches at scale leave gaps in the audit trail that regulators notice immediately. Vendors whose data processing arrangements are too opaque to document make the OPC’s due diligence requirement nearly impossible to satisfy.

Shufti’s face verification platform runs on fully proprietary AI with no third-party biometric components, which simplifies the vendor accountability analysis that PIPEDA requires. Security governance documentation includes SOC 2 Type 2, ISO 27001, iBeta Level 1, Level 2, and Level 3 certifications, and DHS RIVR 2025 validation. These records translate directly into the evidence OPC due diligence conversations require. For organizations subject to Quebec Law 25 or provincial data residency requirements, on-premises and hybrid deployment options are available without custom infrastructure builds.

See how Shufti’s biometric verification meets PIPEDA’s accountability standards on your actual onboarding flows. Book a walkthrough.


Frequently Asked Questions

Is facial recognition legal in Canada?

Facial recognition is legal for private-sector use under PIPEDA, provided organizations obtain express consent, demonstrate a legitimate purpose, and meet the OPC's August 2025 biometric guidance standards. Quebec, Alberta, and BC add provincial requirements. Legality depends on compliance with every applicable framework.

What does PIPEDA say about facial recognition?

PIPEDA requires express consent for collecting biometric data, including faceprints. The OPC classifies biometric data as sensitive regardless of context. Organizations must demonstrate appropriate purpose, apply data minimization, retain data only as long as necessary, and maintain accountability even when using third-party vendors.

How is Quebec's facial recognition law different from other provinces?

Quebec Law 25 requires organizations to notify the Commission d'accès à l'information at least 60 days before bringing a biometric database online. No other province imposes advance notification. Quebec also applies the strictest enforcement posture and has explicitly prohibited facial recognition for retail loss prevention through published CAI decisions.

What happened to Canada's Bill C-27 for facial recognition?

Bill C-27, which included the Artificial Intelligence and Data Act, died when Parliament prorogued in January 2025. No replacement has been introduced as of May 2026. Facial recognition in Canada remains governed by PIPEDA, provincial privacy statutes, and non-binding OPC guidance rather than any AI-specific law.

What is the Office of the Privacy Commissioner's stance on FRT?

The OPC treats biometric data as sensitive regardless of context. Its August 2025 guidance requires organizations to demonstrate necessity before deploying FRT, not merely consent. It has identified mass surveillance, discriminatory programs, and programs causing significant harm as presumptively inappropriate purposes under PIPEDA.


