China: Sets new limits on facial recognition to protect personal privacy

Starting 1 June 2025, China will enforce a strict new law to regulate how facial recognition is used. The government now requires businesses and organizations to:

  • Only use facial recognition when truly necessary, and provide clear reasons for doing so.

  • Get clear, informed consent from individuals—especially from parents if minors are involved.

  • Offer alternatives to facial recognition, such as passwords or ID cards, for those who don’t want to use it.

  • Not install facial recognition devices in private places like hotel rooms or bathrooms.

  • Store and protect data securely, and report to authorities if handling over 100,000 facial records.

  • Avoid misleading or forcing people to accept facial scans in exchange for services.

The law encourages use of national systems for ID checks, limits data retention, and requires companies to perform privacy impact assessments. Violations can lead to legal consequences or even criminal charges.

Purpose:

The regulation governs how facial recognition technology (FRT) is applied in mainland China, especially to protect individual privacy rights.

Who must follow:

Any organization or person using FRT to process facial data within China, except for R&D or algorithm training purposes.

The regulation shows China’s PIPL moving from principles to operational enforcement, especially for high-risk processing like facial recognition. It echoes global privacy practices like:

  • Privacy by design

  • Data minimization

  • Informed consent with alternatives

  • Accountability through assessments and documentation

The official notice is published on the Chinese government website.

Consultancy Analysis and Application:

The new Administrative Measures on the Security of Facial Recognition Technology Application reflect a practical implementation of several key principles and obligations already established under China's Personal Information Protection Law (PIPL), as well as the Data Security Law (DSL) and Cybersecurity Law (CSL).

PIPL Articles 38–42

  • Requires strict control over cross-border transfers

  • FRT regulation prohibits external internet transmission unless otherwise legally allowed

PIPL Article 6 & 13

  • Processing must have a clear and reasonable purpose, and be limited to the minimum necessary.

  • The FRT regulation requires necessity and proportionality, including using least intrusive methods.

PIPL Articles 14–17

  • Must obtain informed, voluntary, and explicit consent, and separate consent for sensitive data.

  • The FRT regulation requires separate, clear consent, especially for sensitive groups.

PIPL Article 28

  • Facial data is classified as sensitive personal information.

  • Requires specific necessity, additional protection, and risk impact assessments.

PIPL Article 17

  • Clear notification must be provided before processing.

  • Individuals must be informed of purpose, methods, retention, rights, etc.

PIPL Articles 44–47

  • Right to know, consent, withdraw consent, and refuse automated decision-making

  • FRT regulation supports the right to refuse facial recognition and requires alternatives.
