China FR Security Measures
Security Management Measures for the Application of Facial Recognition Technology
Comprehensive facial recognition regulation requiring consent, protecting minors, restricting public space use, mandating data localization, and requiring filing for large-scale processing (100K+ individuals).
Jurisdiction: China
Enacted: Mar 13, 2025
Effective: Jun 1, 2025
Enforcement: Cyberspace Administration of China (CAC) and Ministry of Public Security
Reviewed and adopted by CAC September 30, 2024; promulgated March 13, 2025; effective June 1, 2025
CSET Georgetown Translation
Why It Matters
First major facial recognition regulation in APAC. Affects any platform using facial recognition with Chinese users. Filing requirement (100K+ users) impacts scale platforms. Sets precedent for biometric regulation in Asia-Pacific region.
Recent Developments
Effective June 1, 2025; represents China's first comprehensive facial recognition regulation
Who Must Comply
- Organizations and individuals using facial recognition technology to process facial information in China
- Excludes: research and development or algorithm training purposes
Safety Provisions
- Consent and withdrawal rights for facial information processing
- Parental consent required for minors under age 14
- Prohibited locations: hotel guest rooms, public baths, changing rooms, public restrooms
- Data localization: facial information should be stored on the facial recognition device and not transmitted over the internet unless the individual has consented
- Privacy impact assessment required for large-scale processing
- Filing requirement with provincial CAC for 100K+ individuals processed
Exemptions
Research and Development Exemption
Facial recognition for R&D or algorithm training purposes within China
- Used solely for research purposes
- Not deployed in production
Compliance & Enforcement
Key Dates
Jun 1, 2025: All provisions take effect
Jul 1, 2025: Filing deadline for existing systems processing 100K+ individuals (30 business days from effective date)
Penalties
Criminal liability
Compliance Help
Organizations must obtain consent, protect minors under 14 with parental consent, avoid prohibited sensitive locations, localize data storage, conduct privacy impact assessments for large-scale use, and file with CAC when processing 100K+ individuals
Cite This
APA
China. (2025). Security Management Measures for the Application of Facial Recognition Technology.
Related Regulations
China GenAI Rules
Requires generative AI providers to ensure content "upholds Core Socialist Values," implement content controls, and file algorithms with CAC within 10 business days.
China Deepfake Rules
Controls on "deep synthesis" (deepfake) technology including labeling requirements for all deep synthesis outputs and privacy consent for biometric editing.
NZ Biometric Code
Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.
AU Privacy Amendment 2024
Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.
Brunei PDPO
Brunei's personal data protection order, which requires a DPIA and imposes penalties of up to 10% of Brunei turnover or $1M.
Philippines OSAEC Act
Criminalizes computer-generated and simulated child sexual abuse material, which includes AI-generated imagery. One of few laws globally explicitly addressing synthetic CSAM.
Last updated January 22, 2026. Verify against primary sources before relying on this information.