China FR Security Measures
Security Management Measures for the Application of Facial Recognition Technology
Comprehensive facial recognition regulation requiring consent, protecting minors, restricting public space use, mandating data localization, and requiring filing for large-scale processing (100K+ individuals).
Jurisdiction
China
Enacted
Mar 13, 2025
Effective
Jun 1, 2025
Enforcement
Cyberspace Administration of China (CAC) and Ministry of Public Security
Reviewed and adopted by CAC September 30, 2024; promulgated March 13, 2025; effective June 1, 2025
CSET Georgetown TranslationWhy It Matters
First major facial recognition regulation in APAC. Affects any platform using facial recognition with Chinese users. Filing requirement (100K+ users) impacts scale platforms. Sets precedent for biometric regulation in Asia-Pacific region.
Recent Developments
Effective June 1, 2025; represents China's first comprehensive facial recognition regulation
At a Glance
Applies to
Harms addressed
Who Must Comply
- Organizations and individuals using facial recognition technology to process facial information in China
- Excludes: research and development or algorithm training purposes
Obligations fall on:
Applicability thresholds:
Safety Provisions
- Consent and withdrawal rights for facial information processing
- Parental consent required for minors under age 14
- Prohibited locations: hotel guest rooms, public baths, changing rooms, public restrooms
- Data localization: facial information should be stored in FR device, not transmitted via internet unless consented
- Privacy impact assessment required for large-scale processing
- Filing requirement with provincial CAC for 100K+ individuals processed
Exemptions
Research and Development Exemption
Facial recognition for R&D or algorithm training purposes within China
- • Used solely for research purposes
- • Not deployed in production
Compliance & Enforcement
Key Dates
Jun 1, 2025
All provisions take effect
Jul 1, 2025
Filing deadline for existing systems processing 100K+ individuals (30 business days from effective date)
Penalties
criminal liability
View on map
China
Focus Areas
Cite This
APA
China. (2025). Security Management Measures for the Application of Facial Recognition Technology.
Related Regulations
China Minor Content Classification Measures
Establishes a four-category classification framework for online content that may harm minors' physical and mental health. Prohibits platforms from displaying classified harmful content in prominent positions (homepage, pop-ups, trending, recommendations). Requires preventive measures against content risks from algorithmic recommendations and generative AI.
China GenAI Rules
Requires generative AI providers to ensure content "upholds Core Socialist Values," implement content controls, and file algorithms with CAC within 10 business days.
NZ Biometric Code
Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.
AU Privacy Amendment 2024
Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.
Philippines OSAEC Act
Criminalizes computer-generated and simulated child sexual abuse material, which includes AI-generated imagery. One of few laws globally explicitly addressing synthetic CSAM.
Last updated January 22, 2026. Verify against primary sources before relying on this information.