Contents
Requiring Facial Recognition Prohibited
Government Platform Service Encouraged
Local Face Data Storage Requirements
Introduction
Facial recognition technology is a standard tool used in software across a range of industries, and in China it is subject to complex laws. Chinese policymakers believe that the unique characteristics, lifelong permanence, and immutability of facial biometrics create a major risk to their citizens, especially in the event of a data breach or illegal use. In recent years, the government has grown concerned that abuse of facial recognition technology, data breaches, and requiring Chinese users to submit to facial recognition have threatened data security. China has a specific law governing how facial recognition data may be used, the Face Scan Technology Security Administrative Procedures (June 1, 2025), which covers security, personal privacy, and technical standards.
The Procedures seek to balance technological innovation with data protection and to establish a responsible environment for facial recognition. They impose restrictions on facial scanning: compliance with the data minimization principle, limits on requiring facial scans, data processing rules, and rules on scans in public places.
The Procedures § 4 expresses an intent that data minimization restrictions be imposed in order to reduce security risks when organizations use facial recognition. It further encourages businesses to use alternatives to facial recognition where possible, and encourages use of the Chinese Government Internet Identification Verification Service and offline facial recognition services, to mitigate the risks associated with collection, transmission, and storage of facial images.
Requiring Facial Recognition Prohibited
Under the Face Scan Technology Security Administrative Procedures § 10, “facial recognition may not be the sole verification option if other verification methods than facial recognition are adequate for that process.” The option to choose from among several different verification methods effectively means the individual, not the data controller, chooses whether facial scanning is used. For example, a grocery store that wants to tell whether shoppers in China are its club members can do so either by using facial recognition or by having staff manually verify their membership. Therefore, members cannot be required to use facial recognition in order to use the services.
The Information Security Technology – Facial Recognition Data Security Requirements GB/T 41819-2022 adds further requirements: you may not deny other services if the user in China declines, and you may prompt for facial recognition consent at most once every 48 hours. Whether the alternative “serves the same or similar business purpose” is often disputed between individuals and data controllers, because if this condition precedent is not met, the data controller can require the individual to use facial recognition.
Many Chinese companies inappropriately induce individuals to use facial recognition in order to streamline processes and cut costs. They will show the facial recognition box checked by default, hide the options for alternatives, or log the user out of the app if they reject facial recognition. In these cases, the applicable rule is the Procedures § 12, which states “organizations may not mislead, deceive, or coerce individuals into accepting facial recognition technology for identity verification, for operational needs or to improve quality of service.”
Required facial recognition is permissible under Procedures § 12 if it is the only possible verification method that could achieve the business purpose, i.e. alternatives are not viable. Under the Security Requirements GB/T 41819-2022, facial recognition is only permitted for identity verification if it is more secure or easier than the alternative methods.
Government Platform Service Encouraged
The Face Scan Technology Security Administrative Procedures § 11(a)(1) “encourage the use of the government Internet identity authentication service” where the user has selected facial recognition or there is no alternative to its use. The purpose of the regulation is to implement a single real-ID service, thereby reducing the number of Internet platforms that collect and use Chinese citizens’ facial scans for real-ID checks.
Businesses using the government identity verification service must rely on its results and cannot otherwise process identity information unless (a) otherwise required by law, or (b) the user provides express consent. This means users can rely on the government service to verify their identity using facial recognition, and the platform will not receive their facial recognition data, just the authentication result.
These rules are only encouraged actions, not mandates, so users are not required to use the Chinese government option.
Additionally, users are entitled to choose other trusted verification services such as WeChat and Alipay for facial recognition; these third-party services process the facial scan themselves and send back only the result, reducing the number of platforms retaining copies of a given individual’s information. Data controllers can proactively comply with the rules by:
- Conspicuously displaying an option to use the government facial recognition service;
- Enhancing government service integrations in each product iteration;
- Educating users about the security advantages of using the government option.
Doing so will help align you with regulatory expectations and improve trust among users.
Local Face Data Storage Requirements
Procedures § 8 provides, “Facial recognition data must be stored locally on the facial recognition device; any transfer to the external Internet is prohibited, except as otherwise provided by law or where separate consent has been obtained from the individual.” This section makes local processing the default method and allows processing in the cloud only as an exception.
The legislative intent is to limit cloud data transfer risks by directing organizations and individuals to store facial data locally whenever possible. This requirement can be implemented by using offline facial recognition technology that verifies Chinese users’ identity by comparing images of a person’s face with their ID card or saved facial recognition data.
Observe that if the data controller wants to access data on the facial recognition device with a data transfer feature, they must have authorization under “applicable law or by separate user consent.” The statute and regulations contain confusing overlapping rules.
- China Personal Information Protection Act: processing facial information requires separate consent.
- Face Scan Technology Security Administrative Procedures: online facial recognition transfers require separate consent.
This raises the question whether, in addition to the general consent under the Act, a separate consent for facial information transfer is required. The answer depends on whether the facial recognition functionality requires external data transfers. Under the Face Scan Information Processing Rules, separate consent is not required if external transfer is needed to make comparisons with authorized databases, but separate consent is required for non-essential operations such as being able to respond to complaints.
Additional requirements apply under GB/T 41819-2022 Information Security Technology Facial Recognition Data Security Requirements. A controller must:
- Physically or programmatically segregate facial and personal identity data.
- Secure stored facial information such as by encryption.
- Provide a feature that lets users delete facial recognition data stored locally on facial recognition devices such as a cellular phone or computer.
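As an added illustration of the local-storage default in Procedures § 8 and of the segregation, encryption, and deletion requirements of GB/T 41819-2022 listed above, the Go program below (example code written for this page, not from any regulator, standard, or vendor) keeps facial templates in a store separate from the identity record, encrypts each template at rest with AES-256-GCM under a device key, indexes it by an HMAC pseudonym of the user ID so the face store alone does not reveal who is enrolled, refuses to export a template off-device unless a separate-consent flag is set, and lets the user delete the template while keeping their identity record. The device key, pseudonym key, template bytes, and byte-equality matching rule are constructed stand-ins; a real system would hold the key in device-protected storage and match feature vectors against a similarity threshold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// IdentityRecord is the personal identity data for a user; it never carries facial data.
type IdentityRecord struct {
	UserID string
	Name   string
}

// LocalFaceStore is a hypothetical on-device store: identity records and facial templates
// live in separate maps, templates are encrypted under a device key, and the face store is
// indexed by an HMAC pseudonym rather than by the user ID.
type LocalFaceStore struct {
	aead       cipher.AEAD
	pseudoKey  []byte
	identities map[string]IdentityRecord // identity store
	templates  map[string][]byte         // face store: pseudonym -> nonce || ciphertext
}

// NewLocalFaceStore takes a 32-byte AES key and an HMAC key (both constructed by the caller).
func NewLocalFaceStore(deviceKey, pseudoKey []byte) (*LocalFaceStore, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LocalFaceStore{aead: aead, pseudoKey: pseudoKey,
		identities: make(map[string]IdentityRecord), templates: make(map[string][]byte)}, nil
}

// pseudonym derives the face-store index; without the HMAC key the index is not linkable to a user.
func (s *LocalFaceStore) pseudonym(userID string) string {
	m := hmac.New(sha256.New, s.pseudoKey)
	m.Write([]byte(userID))
	return hex.EncodeToString(m.Sum(nil))
}

func (s *LocalFaceStore) EnrollIdentity(rec IdentityRecord) { s.identities[rec.UserID] = rec }

func (s *LocalFaceStore) Identity(userID string) (IdentityRecord, bool) {
	rec, ok := s.identities[userID]
	return rec, ok
}

// EnrollFace encrypts the template and files it under the pseudonym; the pseudonym is also
// bound as associated data, so a blob moved between index entries fails to decrypt.
func (s *LocalFaceStore) EnrollFace(userID string, template []byte) error {
	if _, ok := s.identities[userID]; !ok {
		return errors.New("enroll face: unknown user")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p := s.pseudonym(userID)
	s.templates[p] = append(nonce, s.aead.Seal(nil, nonce, template, []byte(p))...)
	return nil
}

// Verify decrypts on the device and compares; hmac.Equal is a constant-time stand-in for a
// real feature-vector matcher.
func (s *LocalFaceStore) Verify(userID string, probe []byte) (bool, error) {
	p := s.pseudonym(userID)
	blob, ok := s.templates[p]
	if !ok {
		return false, errors.New("verify: no facial data enrolled")
	}
	ns := s.aead.NonceSize()
	tpl, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(p))
	if err != nil {
		return false, err
	}
	return hmac.Equal(tpl, probe), nil
}

func (s *LocalFaceStore) HasFace(userID string) bool {
	_, ok := s.templates[s.pseudonym(userID)]
	return ok
}

// DeleteFace is the user-facing deletion feature: it removes only the facial data and
// leaves the identity record (for example a membership) intact.
func (s *LocalFaceStore) DeleteFace(userID string) bool {
	p := s.pseudonym(userID)
	_, ok := s.templates[p]
	delete(s.templates, p)
	return ok
}

// ExportForTransfer models the Procedures § 8 default: facial data stays on the device
// unless separate consent was recorded (a statutory basis is not modelled here).
func (s *LocalFaceStore) ExportForTransfer(userID string, separateConsent bool) ([]byte, error) {
	if !separateConsent {
		return nil, errors.New("export refused: separate consent for off-device transfer not given")
	}
	blob, ok := s.templates[s.pseudonym(userID)]
	if !ok {
		return nil, errors.New("export: no facial data enrolled")
	}
	out := make([]byte, len(blob))
	copy(out, blob) // still ciphertext; the device key itself is never exported
	return out, nil
}

func main() {
	deviceKey, pseudoKey := make([]byte, 32), make([]byte, 32) // constructed keys
	rand.Read(deviceKey)
	rand.Read(pseudoKey)
	store, _ := NewLocalFaceStore(deviceKey, pseudoKey)
	store.EnrollIdentity(IdentityRecord{UserID: "u-1001", Name: "Example Member"})
	template := []byte("constructed-template-for-u-1001") // stand-in for a feature vector
	_ = store.EnrollFace("u-1001", template)
	match, _ := store.Verify("u-1001", template)
	_, exportErr := store.ExportForTransfer("u-1001", false)
	fmt.Println("on-device match:", match, "| export without consent:", exportErr)
	_, kept := store.Identity("u-1001")
	fmt.Println("face deleted:", store.DeleteFace("u-1001"), "| identity kept:", kept)
}
```

The design choice worth noting is that deletion and export are decided per facial record, not per user record: a member who withdraws from facial recognition keeps their membership, and the only thing that can ever leave the device is the ciphertext, gated by the consent flag.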
Notice & Consent Rules
The Procedures § 5 provides rules to specify exactly how the Act and the Internet Data Administrative Regulations should be implemented in facial recognition use cases without otherwise adding to existing law.
General notice must be provided to a first-time user of products or services using facial recognition technology. The notice must be true, accurate, and conspicuous, such as through bold fonts, distinctive colors, and large fonts, and written in easily understandable language. It must contain the items required by the Face Scan Information Processing Rules:
- Processor’s name and contact information;
- Processing purpose, method, and retention period;
- The necessity and impact of the processing;
- How users in China can exercise their legal rights;
- Any other notice required by law.
Consent is required under the Procedures § 6, which reiterates the rules of the Act and the Internet Data Regulations governing facial recognition.
Separate consent is sometimes required under Procedures § 6, which provides “Processing facial recognition data requires voluntary, fully informed, definite separate consent.” The Internet Data Regulations includes a relevant definition for this provision, “Separate consent refers to specific, definite consent specifically directed towards certain personal information.”
Data Controller Obligations
Security Measures are required under Procedures § 14, which provides, “Personal data controllers using facial recognition technology must protect facial information with data encryption, security audits, access control, user management, intrusion detection, and defensive measures.”
The China Personal Information Protection Act § 51 and the Information Security Technology – Facial Recognition Data Security Requirements impose additional rules. Data controllers must implement measures to prevent unauthorized access, data breach, data manipulation, or loss of data, by setting up the following:
- Internal management policy and program;
- Security measures (such as encryption and deidentification);
- Appropriate data access permissions;
- Employee security training;
- Data breach incident response plan.
Data Protection Impact Assessments are required under the Act prior to processing sensitive personal data. Procedures § 9 requires businesses to conduct a DPIA for facial recognition, since it deems that data to be sensitive by default. The Act § 56 and Procedures § 9(a) govern these issues, providing that businesses should reduce any adverse effects found. There is a distinction between the two concepts used in the rules:
- Mitigation: covers processing-purpose decisions, such as moving facial recognition devices away from personal workspaces in an office to the entrance only, to reduce the impact on employee privacy;
- Protection: specifically covers management and technical measures.
Filing Requirements
The Procedures § 15 provides, “a data controller must complete filings with the province department of cybersecurity within 30 business days of storing more than 100,000 individuals’ facial recognition data records.” Filing is triggered by the scale of storage and limits on parties.
The public comment draft of the Procedures initially set the triggers at any use of facial recognition in a public place in China, or storage of facial recognition data on over 100,000 individuals. The final Procedures instead use only a single trigger, storing facial recognition data records on over 100,000 individuals, based on the following logic.
Penalties for failing to file are not well defined under the Procedures § 18, which state simply that, “Violations of these Procedures are subject to regulatory and criminal penalties under the law.” Notwithstanding, failure to file creates a risk of regulatory enforcement actions or penalties.
Non-punitive enforcement action is permitted to put pressure on data controllers who fail to file as required, and can include name-and-shame tactics, questioning, and compliance audits. The Act § 18 empowers Chinese regulators to directly audit a data controller or mandate them to engage a third-party firm to do so. The audit report is submitted to the regulator, and its results can be disclosed in such a way that can destroy consumer trust and business goodwill.
Regulatory liability risk may be created under forthcoming regulations that impose liability on organizations that are not compliant with facial recognition rules. The Internet IT Service Algorithm Recommendation Administrative Procedures § 31 provides for publishing violations and issuing fines against organizations that fail to file. If corrective action is not taken, the violator will be warned and its non-compliance published, and if corrections are not made by the deadline, escalating fines are imposed.
Conclusion
The Chinese government will progressively require compliance with the Procedures and their rules with the goal of establishing standardization. You can reduce the reputational and legal risks associated with regulatory violations by proactively conducting compliance audits and making the necessary corrections, to ensure your management policy is in compliance. The underlying legal policy seeks to balance security with innovation as facial recognition technology continues to develop.