China’s New Facial Recognition Rules: What Global Businesses Need to Know
Introduction
China has taken a bold step in regulating biometric surveillance. In March 2025, it introduced strict new rules governing facial recognition technology—prohibiting companies from forcing individuals to undergo facial scans without offering clear alternatives.
While these rules apply within China, they carry global weight. If your business sells smart devices, software, or services that use facial recognition—or processes biometric data in any region—this is your wake-up call.
Key Takeaways from China’s Regulation
- Individuals must be given a choice: facial scans can’t be mandatory
- Clear alternatives to facial recognition must be offered
- Use of facial data must be proportional, necessary, and consent-based
- Violations will face increased scrutiny and enforcement
This marks one of the strongest consumer protections globally in the biometric space—and it signals what may come in the EU, UK, and beyond.
Why It Matters for You (Even Outside China)
Even if you’re not based in China, this sets a privacy benchmark.
If you:
- Sell or integrate facial recognition in your product
- Use biometric logins (e.g. Face ID, access control)
- Collect facial data for marketing, attendance, or analytics
…you should reassess your privacy practices, consent flows, and risk exposure.
Regulators and consumers are watching.
Biometric Data Under GDPR and UK GDPR
Under both EU and UK GDPR, biometric data is classified as special category data — meaning it requires:
- Explicit, informed consent
- A clear purpose limitation
- Appropriate technical and organisational safeguards
Facial recognition is rarely considered strictly necessary, so alternative authentication options (e.g., PINs or passwords) should always be available.
Examples of Risky Use Cases
- Using facial recognition for store entry or in smart kiosks without consent
- Auto-enrolling users in face-based attendance systems
- Defaulting to facial login in apps without a clear opt-out
These practices could soon face legal challenges—even if they seem harmless or innovative.
How to Stay Ahead
If you work with biometric data, take these steps:
1. Conduct a Data Protection Impact Assessment (DPIA) for biometric data
Evaluate whether your use of facial data is necessary, proportional, and transparent.
2. Update Privacy Notices and Consent Forms
Be clear about what data you collect, why, and what users can choose.
3. Offer Real Alternatives
Don’t make facial recognition the only way to log in or access features.
4. Review Vendor Agreements
Ensure any third-party providers handling biometric data are GDPR-compliant.
FAQ: Biometrics and Compliance
❓ Can I use facial recognition in the EU/UK?
Yes, but only with explicit consent and where strictly necessary. Avoid making it the default.
❓ What about employees or internal systems?
You still need consent, and often must prove no less intrusive alternatives exist.
❓ Do I need a DPIA?
Yes — if you process biometric data at scale or in high-risk ways (like surveillance or access control).
✅ Compliance Checklist
- Do you offer a clear opt-out for targeted ads?
- Is your consent request freely given and granular?
- Can users easily change their preferences later?
- Do you have a consent log for auditing?
- Have you reviewed your third-party trackers?
How We Help
At DPO & Privacy Support, we help businesses navigate the fast-moving world of biometric privacy:
- Conduct DPIAs and risk assessments
- Draft policies and user consents
- Vet vendor contracts for GDPR compliance
- Advise on international use cases and regional risks
📘 Need a broader GDPR readiness check? See our guide: GDPR Compliance for Non-EU Companies →
🛠 We also help you draft or improve internal policies: Draft / Review Necessary Policies →
👤 Need dedicated compliance support? Explore our DPO-as-a-Service offering →
🔍 Want a full audit? Privacy audits / assessments (DPIA, PIA, LIA, DTIA) →
Whether you’re rolling out smart tech, expanding globally, or improving your consent UX — we’ll help you do it the right way.
Next Steps
- Audit any use of biometric/facial recognition tech
- Review legal bases and consent mechanisms
- Book a privacy strategy session with our team