In Effect Regulation Data Protection High Relevance

China FR Security Measures

Security Management Measures for the Application of Facial Recognition Technology

Comprehensive facial recognition regulation requiring consent, protecting minors, restricting public space use, mandating data localization, and requiring filing for large-scale processing (100K+ individuals).

Jurisdiction

China

Enacted

Mar 13, 2025

Effective

Jun 1, 2025

Enforcement

Cyberspace Administration of China (CAC) and Ministry of Public Security

Reviewed and adopted by CAC September 30, 2024; promulgated March 13, 2025; effective June 1, 2025

What It Requires

Transparency

Must disclose AI nature, data practices, or algorithmic decisions

Data Minimization

Must limit data collection to what is necessary

Incident Reporting

Must notify authorities of specific incidents

User Rights

Must honor access, correction, and deletion requests

Harms Addressed

Child Exploitation

CSAM, grooming, or sexual exploitation of minors

Who Must Comply

This law applies to:

• Organizations and individuals using facial recognition technology to process facial information in China
• Excludes: research and development or algorithm training purposes

Capability triggers:

● biometricData (required)

● facialRecognition (required)

● Required ◐ Increases applicability

Applicability thresholds:

100K CN individuals (large_scale_processing)

large_scale_processing

Must file with provincial CAC within 30 business days; must conduct privacy impact assessment

Under 14 years old

minor_protection

Parental consent required for processing facial information of minors under 14

Who bears obligations:

Developer Operator Data Controller

Exemptions

Research and Development Exemption

high confidence

Facial recognition for R&D or algorithm training purposes within China

Conditions:

• Used solely for research purposes
• Not deployed in production

Safety Provisions

• Consent and withdrawal rights for facial information processing
• Parental consent required for minors under age 14
• Prohibited locations: hotel guest rooms, public baths, changing rooms, public restrooms
• Data localization: facial information should be stored in FR device, not transmitted via internet unless consented
• Privacy impact assessment required for large-scale processing
• Filing requirement with provincial CAC for 100K+ individuals processed

Compliance Timeline

Jun 1, 2025

All provisions take effect

Jul 1, 2025

Filing deadline for existing systems processing 100K+ individuals (30 business days from effective date)

Enforcement

Enforced by

Cyberspace Administration of China (CAC) and Ministry of Public Security

Penalties

criminal liability

Criminal liability

Handled in accordance with relevant laws and administrative regulations; criminal liability may apply where crimes are constituted

Primary Source

CSET Georgetown Translation (opens in new tab)

https://cset.georgetown.edu/publication/china-facial-recognition-security-measures/

Quick Facts

Binding: Yes
Mental Health Focus: No
Child Safety Focus: Yes
Algorithmic Scope: Yes

Why It Matters

First major facial recognition regulation in APAC. Affects any platform using facial recognition with Chinese users. Filing requirement (100K+ users) impacts scale platforms. Sets precedent for biometric regulation in Asia-Pacific region.

Recent Developments

Effective June 1, 2025; represents China's first comprehensive facial recognition regulation

What You Need to Comply

Organizations must obtain consent, protect minors under 14 with parental consent, avoid prohibited sensitive locations, localize data storage, conduct privacy impact assessments for large-scale use, and file with CAC when processing 100K+ individuals

NOPE can help

Cite This

APA

China. (2025). Security Management Measures for the Application of Facial Recognition Technology. Retrieved from https://nope.net/regs/cn-facial-recognition-2025

BibTeX

@misc{cn_facial_recognition_2025,
  title = {Security Management Measures for the Application of Facial Recognition Technology},
  author = {China},
  year = {2025},
  url = {https://nope.net/regs/cn-facial-recognition-2025}
}

Related Regulations

In Effect CN • AI Safety

China GenAI Rules

Requires generative AI providers to ensure content "upholds Core Socialist Values," implement content controls, and file algorithms with CAC within 10 business days.

In Effect CN • AI Safety

China Deepfake Rules

Controls on "deep synthesis" (deepfake) technology including labeling requirements for all deep synthesis outputs and privacy consent for biometric editing.

Enacted NZ • Data Protection

NZ Biometric Code

Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.

In Effect AU • Data Protection

AU Privacy Amendment 2024

Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.

In Effect BN • Data Protection

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect AU • Online Safety

AU Online Safety Act

Grants eSafety Commissioner powers to issue removal notices with 24-hour compliance. Basic Online Safety Expectations (BOSE) formalize baseline safety governance requirements.

Back to all regulations Check if this applies to you