If you walked into a Canadian grocery store or mall in 2024, you were likely scanned. If you do it in 2026, the cameras might still be there, but the rules behind them have quietly shifted.

For three years, the federal government promised that Bill C-27 (The Artificial Intelligence and Data Act) would be the “shield” protecting Canadians from biometric surveillance. But in early 2025, that bill died on the order paper when Parliament prorogued.

So, is it the Wild West? Not quite. In the absence of legislation, the Office of the Privacy Commissioner (OPC) stepped in with new “August 2025 Guidance” that has effectively become the law of the land for retailers. Here is the technical breakdown of your privacy rights in 2026.


The “No-Go Zones”: What Retailers Can’t Do Anymore

The most critical shift in the 2025/2026 landscape is the definition of a “No-Go Zone.”

Under the new OPC Guidance released in August 2025, businesses can no longer use “loss prevention” as a blanket excuse to scan every face that walks through the door.

The “Necessity” Test: The regulator now enforces a strict proportionality test. A store cannot capture your biometric data (facial geometry) just to prevent shoplifting unless they can prove there is no less intrusive way to do it. Since security guards and traditional cameras exist, mass biometric scanning is increasingly being ruled as illegitimate.


The “Consent or Delete” Trap

If a business does use facial recognition (e.g., for “Pay with Face” kiosks or secure entry), the rules for 2026 are explicit:

  • Express Consent is Mandatory: They cannot hide the consent in a 50-page Terms of Service. It must be a clear, standalone “Opt-In.”
  • The “One-to-One” Rule: Retailers are being pushed to use Verification (matching your face to a template you carry, like on your phone) rather than Identification (matching your face to a massive central database of known faces).

The Quebec Precedent: This shift was cemented by a landmark decision from Quebec’s privacy regulator (CAI), which prohibited a major pharmacy chain from using facial recognition for loss prevention. While that was a provincial ruling, federal regulators in 2026 are adopting the same logic: You cannot trade customer privacy for inventory management.


The Scorecard: Bill C-27 vs. The 2026 Reality

For policy analysts and privacy advocates, understanding the gap between the failed law and the current rules is vital.

| Feature | Bill C-27 (AIDA) – Failed | OPC Guidance (Aug 2025) – Active |
| --- | --- | --- |
| Legal Status | Dead (Prorogued Jan 2025) | Enforced (via PIPEDA) |
| Facial Recognition | Proposed “High Impact” regulation | Restricted. (Mass scanning deemed “disproportionate”) |
| Consent | Complex “Legitimate Interest” exceptions | Strict Opt-In. (Must offer non-biometric alternatives) |
| Enforcement | Proposed Tribunal fines | Naming & Shaming + Court Orders |

Key Takeaway: Even though the “AI Law” failed, Canadian retailers are backing down. The regulatory risk of a Privacy Commissioner investigation is now effectively acting as a ban on mass surveillance in malls.

People Also Ask

Is facial recognition legal in Canada in 2026?

Yes, but it is heavily restricted. Under the 2025 OPC Guidance, businesses must prove that capturing your biometric data is “necessary” and “proportional.” Using it for general marketing or broad loss prevention without express consent is generally considered a violation of privacy laws (PIPEDA).

What happened to Bill C-27 (Digital Charter)?

Bill C-27 died on the order paper when Parliament was prorogued in early 2025. This means the proposed Artificial Intelligence and Data Act (AIDA) never became law, leaving a legislative gap that regulators are filling with updated guidance.

Can a store scan my face without my permission?

Generally, no. The new privacy guidance emphasizes that “implied consent” (just walking past a sign) is not sufficient for sensitive biometric data. Retailers must obtain express, informed consent, or they risk investigation.

What is the difference between Verification and Identification?

Verification matches your face to a specific template you provide (1-to-1), like unlocking your phone. Identification scans your face against a database of thousands of people (1-to-Many) to find out who you are. Regulators strongly prefer Verification over Identification.