Enacted Code of Practice Data Protection High Relevance

NZ Biometric Code

Biometric Processing Privacy Code

Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.

Jurisdiction

New Zealand

Enacted

Nov 1, 2024

Effective

Nov 3, 2025

Enforcement

Privacy Commissioner of New Zealand

Comes into force November 3, 2025; organizations have until August 3, 2026 to comply

What It Requires

Transparency

Must disclose AI nature, data practices, or algorithmic decisions

User Rights

Must honor access, correction, and deletion requests

Data Minimization

Must limit data collection to what is necessary

Harms Addressed

Discrimination

Discriminatory treatment or bias

Who Must Comply

This law applies to:

• Businesses and organizations using biometric technology in New Zealand
• Existing biometric technology users have until August 2026 to comply

Capability triggers:

● biometricData (required)

● facialRecognition (required)

○ Emotional interaction (prohibited)

● Required ◐ Increases applicability

Who bears obligations:

Data Controller Operator

Safety Provisions

• Specific legal requirements for collecting and using facial recognition, fingerprints, and other biometric data
• Prohibited uses: emotion prediction, inferring ethnicity or sex, inferring information protected under Human Rights Act
• Applies to businesses using biometric technology
• Grace period until August 2026 for existing systems to comply

Compliance Timeline

Nov 3, 2025

Code comes into force

Aug 3, 2026

All organizations using biometric technology must comply

Enforcement

Enforced by

Privacy Commissioner of New Zealand

Penalties

Unspecified

Enforcement per Privacy Act 2020; Privacy Commissioner can investigate and issue compliance notices

Primary Source

Facia: NZ Biometric Privacy Code (opens in new tab)

https://facia.ai/news/new-zealand-to-enforce-biometric-privacy-code-starting-november-2025/

Quick Facts

Binding: Yes
Mental Health Focus: No
Child Safety Focus: No
Algorithmic Scope: Yes

Why It Matters

First comprehensive biometric regulation in New Zealand. Prohibits emotion AI and characteristic inference - more restrictive than many jurisdictions. Affects AI companions, identity verification, and security systems using biometrics.

Recent Developments

November 2025 effective date announced. Existing users have grace period until August 2026. First specific biometric regulation in New Zealand.

What You Need to Comply

Organizations must follow Privacy Code requirements for biometric data collection and use. Prohibited from using biometric tech to predict emotions or infer protected characteristics (ethnicity, sex, or other Human Rights Act protected info).

NOPE can help

Cite This

APA

New Zealand. (2024). Biometric Processing Privacy Code. Retrieved from https://nope.net/regs/nz-biometric-privacy-code

BibTeX

@misc{nz_biometric_privacy_code,
  title = {Biometric Processing Privacy Code},
  author = {New Zealand},
  year = {2024},
  url = {https://nope.net/regs/nz-biometric-privacy-code}
}

Related Regulations

In Effect NZ • Data Protection

NZ HDCA

Establishes 10 communication principles and creates both criminal offenses and civil remedies for harmful digital communications. Amended 2022 for intimate image sharing. Note: Post-Christchurch rapid classification powers are in a separate law (Films, Videos, and Publications Classification Amendment Act 2021).

In Effect CN • Data Protection

China FR Security Measures

Comprehensive facial recognition regulation requiring consent, protecting minors, restricting public space use, mandating data localization, and requiring filing for large-scale processing (100K+ individuals).

In Effect AU • Data Protection

AU Privacy Amendment 2024

Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.

In Effect KR • AI Safety

Korea AI Act

First comprehensive AI legislation in Asia-Pacific and second in the world after EU. Regulates "High-Impact AI" in healthcare, energy, nuclear, transport, government, and education sectors. Requires transparency notifications, content labeling for generative AI, and fundamental rights impact assessments. Notable for lower penalties than EU AI Act and absence of prohibited AI practices.

In Effect CN • AI Safety

China Algorithm Rules

Requires algorithm filing/registration, user notification of recommendations, and opt-out mechanisms. Prohibits price discrimination based on user profiling.

In Effect SG • Sector-Specific

SG MAS AI Governance

First mandatory AI governance requirements in Singapore, shifting from voluntary Model AI Governance Framework to binding obligations for financial sector. Establishes three mandatory focus areas: oversight and governance, risk management systems, and development/validation/deployment protocols.

Back to all regulations Check if this applies to you