Published Date: 8/6/2025
New Zealand has officially adopted new privacy rules for businesses and organizations that handle biometric data. The Biometric Processing Privacy Code, which became law under the Privacy Act, will come into force on November 3rd, 2025. However, businesses and organizations will have until August 3rd, 2026, to align with the new biometric rulebook.
All organizations, including businesses, government agencies, and NGOs, that collect biometric information for biometric processing will be obliged to assess the effectiveness and proportionality of using biometrics. Agencies will also need to adopt safeguards to reduce privacy risks and inform people that a biometric system is used before or during the collection of biometric data.
“Ensuring that agencies can innovate while keeping New Zealanders safe from privacy risks is crucial; this Code will do that,” said Privacy Commissioner Michael Webster in a statement. The new law, similar to the European AI Act, limits “intrusive uses” of biometrics, such as emotion prediction or systems that can infer sensitive information like ethnicity or sex. However, it does not specifically prohibit controversial uses such as real-time biometric identification or untargeted scraping of online images and CCTV footage.
Special attention must be given when biometric information is being collected from children, an issue that has previously plagued the New Zealand police. “Biometrics should only be used if they are necessary, effective, and proportionate; the key thing to make sure of is that the benefits outweigh the privacy risks,” Webster stated.
The Office of the Privacy Commissioner (OPC) will be responsible for enforcing the law and investigating complaints. The Office has also issued guidance that outlines how the Code will be applied in practice, including examples. “Our guidance is a starting point; agencies still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics,” added Webster.
The Biometric Code was officially issued on July 21st, 2025, after years of consultations. The law was first announced in November 2023, with the Privacy Commissioner holding public consultations until March 2025. During the consultation period, the Office received 97 submissions from the public and 49 submissions from businesses, government agencies, and other organizations.
The rulebook comes amid increasing debates among New Zealanders on biometric technology deployments, especially in retail. Last year, supermarket chain Foodstuffs North Island (FSNI) kicked off a trial in which facial recognition was used to prevent retail crime. During the 7-month trial, more than 225.9 million faces were scanned across 25 supermarkets. In a report published in June, the Privacy Commissioner ruled that the trial was in line with New Zealand’s Privacy Act. However, Webster noted that some businesses may need further improvements to meet the new Code.
“I think one of the things that Foodstuffs North Island will have to do is assess the way it’s running the use of FRT,” he told Radio New Zealand. Organizations and businesses introducing biometric technology will also need to assess its impact on Māori and other populations due to the danger of bias and discrimination.
Last year, one Māori woman was misidentified as a thief by the facial recognition system deployed by supermarket chain New World. The use of biometric technology by the New Zealand police has also raised concerns over discrimination.
The Code allows for some exemptions. Health agencies will still need to process biometric information that is health information under the rules of the Health Information Privacy Code (HIPC). If a health agency is processing biometric information that is not health information, for example, introducing a fingerprint scanner for staff to enter the premises, the agency will follow the Biometric Processing Privacy Code.
Intelligence and security agencies, including the New Zealand Security Intelligence Service and the Government Communications Security Bureau, have also received exclusions. These cover the rules related to collecting biometric samples (Rule 2), informing an individual that their biometric data is being collected (Rule 3), fair and non-intrusive data collection (Rule 4-b), and limits on the use of information that was not collected in accordance with Rule 1, which defines the purpose of the collection of biometric information (Rule 10-5).
Q: When does the Biometric Processing Privacy Code come into effect?
A: The Biometric Processing Privacy Code comes into effect on November 3rd, 2025.
Q: What is the main purpose of the Biometric Processing Privacy Code?
A: The main purpose of the Biometric Processing Privacy Code is to ensure that the use of biometric data is necessary, effective, and proportionate, while minimizing privacy risks.
Q: Which organizations are required to comply with the Biometric Processing Privacy Code?
A: All organizations, including businesses, government agencies, and NGOs, that collect biometric information for biometric processing are required to comply with the Code.
Q: What are some of the key requirements for organizations under the Biometric Processing Privacy Code?
A: Key requirements include assessing the effectiveness and proportionality of using biometrics, adopting safeguards to reduce privacy risks, and informing individuals that their biometric data is being collected.
Q: Are there any exemptions to the Biometric Processing Privacy Code?
A: Yes, health agencies and intelligence and security agencies have certain exemptions under the Code, including rules related to collecting biometric samples and informing individuals of data collection.