China’s Tightened Facial Recognition Regulations: Key Business Takeaways
- China’s facial recognition regulations introduce stricter rules to ensure responsible deployment and stronger data protection.
- These rules, set to take effect on June 1, 2025, require businesses to justify the necessity of facial recognition, prohibit its use in sensitive locations, and mandate clear transparency on data collection and storage.
- Companies handling large-scale biometric data must register with authorities and comply with strict security measures, including encryption and limited retention periods.
China’s rapid adoption of facial recognition technology has sparked both excitement and concern, as its applications expand across various sectors, from transportation and finance to consumer services.
In response to growing public concerns about privacy violations and data security, the Cyberspace Administration of China (CAC) and the Ministry of Public Security (MPS) have jointly introduced the Security Management Measures for the Application of Facial Recognition Technology (hereinafter, the “measures”), aimed at regulating the use of facial recognition technology.
These measures, set to take effect on June 1, 2025, are designed to safeguard personal information rights while ensuring that the technology is applied responsibly and lawfully.
As facial recognition continues to play an increasingly central role in everyday life, these measures reflect the government’s commitment to balancing innovation with the protection of individual privacy. In this article, we provide an overview of the new measures and explore key takeaways for businesses and consumers in China.
Purpose of China’s new facial recognition regulations
China’s newly introduced regulations on facial recognition technology aim to strike a balance between technological progress and the protection of individual privacy. As facial recognition becomes increasingly integrated into daily life, concerns about data security and unauthorized surveillance have grown. The measures seek to address these concerns by ensuring that personal information is processed lawfully and ethically.
A key objective is to prevent the misuse of biometric data, particularly in cases where individuals may be compelled to provide facial information without sufficient justification. By implementing stricter oversight and restricting mandatory facial recognition for accessing services, the government is reinforcing its commitment to data security.
Additionally, the measures align with China’s broader efforts to regulate artificial intelligence (AI) and emerging technologies, aiming to mitigate risks associated with unchecked biometric data collection.
Key provisions
Necessity and purpose of use
Facial recognition technology should only be deployed when absolutely necessary and for a clearly defined purpose. Organizations must provide a clear justification for its use, demonstrating why it is essential for their operations. Additionally, they should adopt the least intrusive method available to minimize risks to personal privacy. When alternative solutions, such as ID cards, are available, facial recognition should not serve as the sole method for identity verification. Furthermore, to safeguard individual privacy, the use of facial recognition should be avoided in sensitive locations, including hotels, public restrooms, and other private spaces.
These restrictions aim to prevent unnecessary biometric data collection and mitigate the risks associated with mass surveillance.
Mandatory transparency requirements
Businesses utilizing facial recognition technology must provide clear and comprehensive information to individuals before collecting their biometric data. The disclosures must include:
- The identity and contact details of the data processor;
- The specific purpose of data collection and processing;
- The storage duration of the collected biometric data;
- The potential impact on individuals’ rights and interests; and
- The procedures for individuals to exercise their rights, such as withdrawing consent or requesting data deletion.
These notifications must be prominently displayed and easily understandable. If any changes occur regarding data usage, businesses are legally required to inform affected individuals.
Restrictions on data storage and transfers
To mitigate the risks associated with biometric data breaches, strict limitations have been placed on the storage and transfer of facial recognition data. Storage restrictions include the following:
- Facial recognition data must remain within the device or system where it is collected whenever possible;
- It must not be transferred over the internet unless explicitly permitted by law or with user consent; and
- The retention period must be limited to the shortest duration necessary to fulfill its intended purpose.
Large-scale data collection filing requirements include:
- Businesses storing facial recognition records for over 100,000 individuals must register with the provincial-level cyberspace administration within 30 working days;
- Companies must submit detailed reports on their data collection, storage, and security practices; and
- If a company discontinues its use of facial recognition, it must formally cancel its registration and ensure that the stored biometric data is properly disposed of in compliance with regulations.
These measures are designed to prevent excessive biometric data collection and ensure proper regulatory oversight.
Protection of minors’ facial data
Given the heightened privacy risks for children, additional safeguards apply when handling the facial recognition data of minors under the age of 14:
- Businesses must obtain explicit parental or guardian consent before collecting a minor’s biometric data;
- Companies must implement additional security measures to protect this data, including enhanced storage and handling protocols; and
- Special rules must be followed regarding data usage, retention, and transfer to ensure minors’ biometric information is safeguarded against misuse.
These protections align with China’s broader focus on strengthening child data privacy laws.
Prohibition on misleading or coercive practices
Businesses are strictly prohibited from forcing, misleading, or deceiving individuals into using facial recognition technology. Specifically, it is illegal to:
- Make facial recognition mandatory for accessing goods or services when other identification methods are available; and
- Mislead individuals into believing that biometric authentication is required for service improvements when it is not necessary.
Consumers must always be provided with reasonable and convenient alternatives for identity verification.
Security and risk management requirements
Organizations implementing facial recognition technology must adopt rigorous security measures to prevent unauthorized access, data breaches, and misuse. These measures include:
- Data encryption: Biometric data must be encrypted to protect it from unauthorized access.
- Access controls: Only authorized personnel should be able to view or modify facial recognition records.
- Regular security audits: Companies must periodically assess their systems to identify vulnerabilities.
- Risk assessments: Before deploying or modifying facial recognition systems, businesses must evaluate potential risks and take preventive measures.
- Incident response protocols: In the event of a security breach, businesses must promptly investigate and implement corrective actions.
If a major security incident occurs or there is a significant change in data collection practices, companies must conduct a new impact assessment and adjust their security measures accordingly.
Government oversight and compliance
Regulatory authorities, including the CAC and the Public Security Bureau, will be responsible for enforcing compliance with these measures. Their responsibilities include:
- Conducting inspections of businesses that use facial recognition technology;
- Investigating complaints from consumers regarding improper data collection or misuse of facial recognition technology; and
- Issuing penalties for non-compliance, data breaches, or failure to follow transparency and security requirements.
Individuals also have the right to file complaints or report violations, and authorities are required to handle these cases promptly.
Implications of China’s new facial recognition regulations for businesses and society
The newly introduced regulations on facial recognition technology carry significant implications for businesses, regulatory authorities, and the broader public. By tightening restrictions on biometric data collection, the measures are set to reshape how organizations deploy facial recognition and how individuals interact with these systems in everyday life.
Companies that previously relied on facial recognition for access control, customer authentication, or service personalization will now need to reassess their strategies. The requirement to justify its necessity means businesses must provide clear reasons for its use, ensuring that alternatives such as ID cards remain available. Industries that integrated biometric authentication into routine operations—such as finance, retail, and hospitality—may face additional compliance costs and logistical challenges.
Meanwhile, the ban on mandatory facial recognition in sensitive areas, such as hotels and public restrooms, signifies a shift in how businesses can implement biometric security. Organizations will need to redesign authentication processes, potentially leading to increased reliance on conventional identity verification methods, which may slow down access and service efficiency.
Moreover, the requirement for organizations storing over 100,000 facial recognition records to register with provincial-level cyberspace authorities places a new layer of regulatory scrutiny on large-scale data collectors. Businesses need to ensure compliance with these regulations by implementing robust data management practices and regularly auditing their data storage and usage policies.
Last but not least, the prohibition of misleading or coercive biometric verification practices is a direct response to rising concerns over privacy violations. By ensuring that individuals have a choice in whether to use facial recognition, the policy enhances consumer trust in digital services. However, companies that previously positioned facial recognition as a seamless, default authentication method may need to rethink their user engagement strategies.
Key takeaways
The implementation of these measures is expected to reshape how businesses and government institutions approach biometric security. By limiting compulsory facial recognition use and requiring strict justifications for its deployment, the policy aims to foster responsible adoption of the technology in sectors such as consumer services, financial transactions, and public security.
For consumers, the regulations provide stronger protections against unauthorized data collection and potential misuse of their facial information. The policy ensures that individuals retain the right to opt for alternative forms of identification, reducing the risk of biometric data being exploited for commercial or political purposes.
From an industry perspective, these regulations encourage greater accountability and adherence to ethical standards. Companies operating within China’s digital economy will need to align with these policies, potentially leading to a shift in global regulatory discussions. As other nations grapple with similar privacy concerns, China’s approach may serve as a model for shaping international biometric data protection frameworks.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.