NZ Biometric Code
Biometric Processing Privacy Code
Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.
Jurisdiction
New Zealand
Enacted
Nov 1, 2024
Effective
Nov 3, 2025
Enforcement
Privacy Commissioner of New Zealand
Comes into force November 3, 2025; organizations have until August 3, 2026 to comply
Facia: NZ Biometric Privacy CodeWhy It Matters
First comprehensive biometric regulation in New Zealand. Prohibits emotion AI and characteristic inference - more restrictive than many jurisdictions. Affects AI companions, identity verification, and security systems using biometrics.
Recent Developments
November 2025 effective date announced. Existing users have grace period until August 2026. First specific biometric regulation in New Zealand.
At a Glance
Applies to
Harms addressed
Who Must Comply
- Businesses and organizations using biometric technology in New Zealand
- Existing biometric technology users have until August 2026 to comply
Safety Provisions
- Specific legal requirements for collecting and using facial recognition, fingerprints, and other biometric data
- Prohibited uses: emotion prediction, inferring ethnicity or sex, inferring information protected under Human Rights Act
- Applies to businesses using biometric technology
- Grace period until August 2026 for existing systems to comply
Compliance & Enforcement
Key Dates
Nov 3, 2025
Code comes into force
Aug 3, 2026
All organizations using biometric technology must comply
Penalties
Unspecified
View on map
New Zealand
Focus Areas
Compliance Help
Organizations must follow Privacy Code requirements for biometric data collection and use. Prohibited from using biometric tech to predict emotions or infer protected characteristics (ethnicity, sex, or other Human Rights Act protected info).
See how NOPE helpsCite This
APA
New Zealand. (2024). Biometric Processing Privacy Code.
Related Regulations
NZ HDCA
Establishes 10 communication principles and creates both criminal offenses and civil remedies for harmful digital communications. Amended 2022 for intimate image sharing. Note: Post-Christchurch rapid classification powers are in a separate law (Films, Videos, and Publications Classification Amendment Act 2021).
AU Privacy Amendment 2024
Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.
China FR Security Measures
Comprehensive facial recognition regulation requiring consent, protecting minors, restricting public space use, mandating data localization, and requiring filing for large-scale processing (100K+ individuals).
Korea AI Act
First comprehensive AI legislation in Asia-Pacific and second in the world after EU. Regulates "High-Impact AI" in healthcare, energy, nuclear, transport, government, and education sectors. Requires transparency notifications, content labeling for generative AI, and fundamental rights impact assessments. Notable for lower penalties than EU AI Act and absence of prohibited AI practices.
Taiwan AI Act
Comprehensive AI Basic Act (pending) establishes seven guiding principles and risk-based classification. Note: Taiwan already has ENACTED deepfake/election AI provisions via separate laws (Criminal Code 2023, Election Law 2023, Fraud Prevention Act 2024).
Japan AI Act
Creates "duty to make reasonable efforts" (not strict requirements) to follow AI principles. Establishes AI Strategy Center. Largely non-binding, consistent with Japan's "soft law" tradition.
Last updated January 22, 2026. Verify against primary sources before relying on this information.