On March 21, 2025, the Cyberspace Administration of China (CAC), in collaboration with the Ministry of Public Security, released the Administrative Measures for the Application Security of Facial Recognition Technology (Measures) to address the growing use of facial recognition technology. The Measures will take effect on June 1, 2025. They set forth basic requirements and processing rules for the use of facial recognition technology in processing facial data, as well as security standards and the relevant responsibilities for the application of the technology.
Application
The Measures apply to the use of facial recognition technology to process facial information within China, except for the research and development of facial recognition technology and algorithm training activities.
Key Points for Application of Facial Recognition Technology
- Specific Purpose and Sufficient Necessity: The Measures provide that facial recognition technology should be used (i) for a specific purpose and with sufficient necessity, (ii) in the way that has the least impact on individual rights, and (iii) with strict protective measures implemented (Article 4).
- Requirements on Prior Notification: Before using facial recognition technology, the personal information processor (PI Processor) must inform individuals of the following matters in a truthful, accurate and complete manner, using easy-to-understand language (Article 5):
  - name or contact information of the PI Processor;
  - purpose, method and retention period of the processed facial information;
  - necessity of processing facial information and its impact on individual rights;
  - methods and procedures for individuals to exercise their legal rights;
  - other matters of which individuals should be informed according to laws and administrative regulations.
- Voluntary and Specific Consent with Right to Withdraw: Where the processing of facial information is based on an individual's consent, the individual's voluntary and explicit separate consent should be obtained on the basis of the individual's full knowledge. The individual shall also have the right to withdraw such consent at any time. The PI Processor should provide a convenient way for individuals to withdraw their consent (Article 6).
Disabled, Elderly and Minors
The Measures further provide special requirements on processing facial information of the disabled, elderly and minors:
- Processing facial information of disabled or elderly individuals shall also comply with the accessibility-related regulations (Article 6).
- Processing facial information of minors under the age of 14 requires consent from their parents or guardians (Article 7).
Personal information protection impact assessment
Before using facial recognition technology to process facial information, PI Processors must conduct a personal information protection impact assessment and keep records of the processing activities, which shall include the following information (Article 9):
- Whether the purpose and method of processing facial information are legal, legitimate, and necessary;
- The impact on individual rights and the effectiveness of measures to mitigate adverse effects;
- The risks and potential harms of facial information leakage, tampering, loss, damage, or illegal acquisition, sale, or use;
- Whether the protective measures taken are legal, effective, and commensurate with the level of risk.
The personal information protection impact assessment report and records of processing activities must be kept for at least three years.
Alternative verification methods should be provided
Notably, on an issue of wide concern, namely facial recognition at hotel check-ins and residence area entrances, the Measures stipulate that:
- Facial recognition can't be the only option if other methods can achieve the same goal (Article 10).
- Individuals must have other reasonable and convenient options if they don't agree to facial recognition (Article 10).
- Priority should be given to using national databases for identity verification (Article 11).
- It's prohibited to mislead, deceive, or force people into using facial recognition under the guise of business or service improvement (Article 12).
- Facial recognition equipment installed in public places for security must be clearly marked, and, to protect privacy, such equipment must not be installed in private areas like hotel rooms, bathrooms, fitting rooms, and toilets (Article 13).
Facial recognition technology application systems must adopt measures such as data encryption, security audits, access control, authorization management and intrusion detection to protect the security of facial information. For systems involving network security level protection and critical information infrastructure, the obligations of network security level protection and critical information infrastructure protection must be fulfilled in accordance with national regulations (Article 14).
Filing for storing facial information of more than 100,000 individuals
The PI Processor should complete the filing procedure with the provincial-level or higher cyberspace administration within 30 working days from the day on which the facial information it stores through the application of facial recognition technology reaches 100,000 individuals (Article 15).
Observations
Facial recognition data is highly sensitive personal information. If leaked, it can significantly compromise individuals' personal and property security.
The Personal Information Protection Law (PIPL), effective since November 2021, mandates that national cyberspace authorities develop specific rules for protecting personal information in new technologies and applications, including facial recognition (Article 62, PIPL). Additionally, laws and administrative regulations such as the Cybersecurity Law, the Data Security Law, and the regulations on network data security management also include provisions for processing personal information. The Measures represent a crucial step in enforcing these legal and regulatory provisions, and many of their provisions, such as those on purpose and necessity, prior notification, and personal information protection impact assessment, are also in line with the requirements for the processing of sensitive personal information under these laws.
The Measures will take effect on June 1, 2025. We will keep an eye on the implementation of the Measures after they come into effect.
Key contacts

Tracy Chen
Associate, Shanghai (Kewei)