What You Need to Know When Using Facial Recognition Technology in China

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

Facial recognition technology has become increasingly prevalent among companies operating in China, used for everything from unlocking mobile devices to paying bills and accessing buildings. While this technology offers significant convenience and efficiency, it also raises important legal considerations.

On March 13, 2025, China issued the Security Management Measures for the Application of Facial Recognition Technology (the “Measures”), which will take effect on June 1, 2025. Compared to the draft version released in 2023, the official version of the Measures redefines the application scope, adjusts the threshold for filing with local authorities, and removes several detail-oriented provisions. These changes reflect the government's commitment to regulating this rapidly evolving technology without stifling its development.

How Does China Regulate Facial Recognition Technology?

Prior to the Measures, the law had not kept pace with the rapid development of facial recognition technology, and no specific legislation or administrative regulations had been officially released. Facial recognition information is considered personal information and falls under the category of sensitive personal information according to the Personal Information Protection Law and biometric information under the Administrative Regulation on Network Data Security. Consequently, facial recognition information is subject to the general requirements of legislation and administrative regulations on personal information, sensitive personal information, and biometric information. The security of facial recognition information is governed by the Data Security Law and Cybersecurity Law, where applicable. Additionally, the facial recognition information of consumers is protected by the Law on the Protection of Consumer Rights and Interests.

In response to the surge in disputes over facial recognition technology, China’s Supreme Court issued its opinions on the Application of Law in the Trial of Civil Cases involving the Processing of Personal Information Using Facial Recognition Technology in 2021, some key opinions of which have also been incorporated into the Measures.

With the introduction of the Measures, we aim to provide you with the essential information you need to know before implementing facial recognition technology in China.

When May You Use Facial Recognition Technology?

Facial recognition technology may be used when there is a specific purpose and sufficient necessity, provided that methods are adopted to minimize the impact on personal rights and interests and strict protective measures are implemented.

What Is Prohibited When Using Facial Recognition Technology?

  • Do not install facial recognition devices in private areas within public spaces, such as hotel rooms, public bathrooms, changing rooms, and public toilets.
  • Do not mislead, deceive, or coerce individuals into accepting facial recognition technology for identity verification under the guise of conducting business, improving service quality, or other reasons.
  • Do not use facial recognition as the sole verification method if other non-facial recognition technologies are available to achieve the same purpose or meet equivalent business requirements. For example, courts have held that homeowners have the right to refuse facial recognition as the only verification method for entering and leaving their community.
  • Store facial information within facial recognition devices and do not transmit it externally via the internet unless (a) otherwise stipulated by laws or administrative regulations, or (b) separate consent from the individual concerned is obtained.
  • Do not store facial information for longer than necessary to achieve the purpose of processing unless otherwise stipulated by laws or administrative regulations.

What Must You Do Before Using Facial Recognition Technology?

  • Personal Information Protection Impact Assessment (PIPIA): Conduct a PIPIA in advance and maintain processing records, covering the following aspects:
  1. Whether the purpose or method of processing facial information is legal, legitimate, and necessary.
  2. The impact on personal rights and interests and the effectiveness of measures to mitigate adverse effects.
  3. The risk of facial information being leaked, tampered with, lost, damaged, illegally acquired, sold, or used, and the potential harm this may cause.
  4. Whether the protective measures taken are legal, effective, and appropriate to the level of risk.

The PIPIA report and processing records shall be retained for at least three years. If the purpose or method of processing facial information changes, or if a major security incident occurs, a new PIPIA shall be conducted.

  • Transparency: Truthfully, accurately, and fully inform individuals in a prominent manner and in clear and understandable language about the following matters unless exceptions apply:
  1. The name or identity and contact information of the controller.
  2. The purpose and method of processing facial recognition information, and the retention period of the processed information.
  3. The necessity of processing facial recognition information and its impact on personal rights and interests. In an enforcement case, the enforcement authority held that although a real estate company informed customers that their facial recognition information would be collected upon entering the site by posting signs and setting up display boards, it did not clearly state the true purpose, method, and scope of collecting and using the information, nor did it obtain the customer's consent, infringing on consumers' legally protected personal information rights.
  4. The methods and procedures for individuals to legally exercise their rights.
  5. Other matters of which individuals should be informed according to laws or administrative regulations.

In addition, designated processing rules must be established for handling facial information of minors under the age of 14 (e.g., a Children’s Privacy Policy).

  • Lawful Basis: Where facial recognition information is processed based on individual consent:

- Obtain separate consent that is voluntarily and explicitly given by the individual concerned, who has been fully informed. Failure to meet the transparency requirement may result in invalid consent. For instance, in a civil case, the court held that a zoo's failure to inform the individual that his photograph would be used for facial recognition, beyond the stated purpose of an annual card, did not constitute valid consent. 

- For minors under the age of 14, obtain consent from their parents or other guardians.

- Obtain written consent for processing facial recognition information when laws and administrative regulations require it.

  • Security measures: Facial recognition technology application systems shall implement measures such as data encryption, security audits, access control, authorization management, intrusion detection, and defense mechanisms to safeguard facial recognition information security. Additionally, obligations under the multi-level protection scheme and/or critical information infrastructure shall be met when required.

In practice, companies may refer to the national standards on personal information, biometric information and facial recognition technology. Key standards on facial recognition technology include:

- GB/T 38671-2020 Information Security Technology – Technical Requirements for Remote Face Recognition System.

- GB/T 41819-2022 Information Security Technology – Security Requirements of Face Recognition Data.

- GB/T 42981-2023 Information Security Technology – Biometrics – Test Methods for Face Recognition System.

- GB/T 44248-2024 Information Security Technology – Biometrics – Face Recognition System Application Requirements.

- Cybersecurity Standard Practice Guide - Personal Information Security Protection Requirements for Facial Recognition Payment Scenarios.

  • Alternative(s): Provide other reasonable and convenient means for individuals who do not agree to use facial recognition for verifying their identities. Specifically, China’s Supreme Court has clarified that if a property service company or any other building manager uses facial recognition as the sole means of authentication for owners or users to enter or exit the property service area, a request for the provision of another reasonable means of authentication made by any owner or user who does not consent to such use shall be legally supported by the people's courts.
  • Check for additional requirements in other laws or administrative regulations: For example, in the automobile industry, vehicle data controllers in China may collect facial and other biometric information only when it is necessary for enhancing driving safety. Furthermore, video or image data collected outside of a vehicle, including human facial information, is considered important data and is thus subject to stricter requirements, such as security assessments on exporting important data.

What Are the Post-Implementation Requirements for Facial Recognition Technology?

  • Check the volume of stored facial information to determine if it has reached 100,000 individuals. If so, file with the local provincial-level or higher cyberspace authorities within 30 working days from that date. The following materials must be submitted for record-filing:
  1. Basic information of the controller.
  2. The purpose and method of processing facial information.
  3. The amount of stored facial information and security protection measures.
  4. The processing rules and operating procedures for facial information.
  5. The personal information protection impact assessment report.

Conclusion

Navigating the regulatory landscape for facial recognition technology in China requires careful consideration of legal, ethical, and security measures. Facial recognition technology has attracted regulatory attention even in the absence of specific rules. With the introduction of the Measures, we anticipate that enforcement cases will emerge once the Measures take effect this summer. By adhering to the Measures and consulting professionals for insights on other relevant laws and administrative regulations, companies can ensure compliance and protect individuals' rights while leveraging the benefits of facial recognition technology.
