New Zealand Implements Biometric Privacy Regulation

Published Date : 8/6/2025 

New Zealand has adopted the Biometric Processing Privacy Code to regulate the use of biometric data by businesses and organizations, aiming to balance innovation with privacy protection. 

New Zealand has officially adopted new privacy rules for businesses and organizations that handle biometric data. The Biometric Processing Privacy Code, which became law under the Privacy Act, comes into force on November 3rd, 2025. Businesses and organizations, however, will have until August 3rd, 2026, to align with the biometric rulebook.

All organizations, including businesses, government agencies, and NGOs, that collect biometric information for biometric processing will be obliged to assess the effectiveness and proportionality of using biometrics. Agencies will also need to adopt safeguards to reduce privacy risks and inform people that a biometric system is used before or during the collection of biometric data.

“It’s important that agencies can innovate while keeping New Zealanders safe from privacy risks; this Code will do that,” Privacy Commissioner Michael Webster said in a statement. Similar to the European AI Act, the new law also limits “intrusive uses” of biometrics, such as emotion prediction or systems that can infer sensitive information such as ethnicity or sex. Unlike the AI Act, however, it does not specifically prohibit controversial uses such as real-time biometric identification or untargeted scraping of online images and CCTV footage.

According to the rulebook, special attention must be given in circumstances in which biometric information is being collected from children, an issue that has previously plagued the New Zealand police. “Biometrics should only be used if they are necessary, effective, and proportionate; the key thing to make sure of is that the benefits outweigh the privacy risks,” says Webster.

The Office of the Privacy Commissioner (OPC) will be in charge of enforcing the law and investigating complaints. The Office has also issued guidance that lays out how the Code will be applied in practice, including examples. “Our guidance is a starting point; agencies still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics,” says Webster.

The Biometric Code was officially issued on July 21st, 2025, after years of consultations. The law was first announced in November 2023, with the Privacy Commissioner holding public consultations until March 2025. During the consultation period, the Office received 97 submissions from members of the public and 49 submissions from businesses, government agencies, and other organizations.

The rulebook comes amid increasing debates among New Zealanders on biometric technology deployments, especially in retail. Last year, supermarket chain Foodstuffs North Island (FSNI) kicked off a trial in which facial recognition was used to prevent retail crime. During the 7-month trial, more than 225.9 million faces were scanned across 25 supermarkets.

In a report published in June, the Privacy Commissioner ruled that the trial was in line with New Zealand’s Privacy Act. On Wednesday, however, Webster noted that some businesses may need further improvements to meet the new Code. “I think one of the things that Foodstuffs North Island will have to do is again assess the way it’s running the use of FRT,” he told Radio New Zealand.

Organizations and businesses introducing biometric technology will also need to assess its impact on Māori and other populations due to the danger of bias and discrimination, he adds. Last year, one Māori woman was misidentified as a thief by the facial recognition system deployed by supermarket chain New World. The use of biometric technology by the New Zealand police has also raised concerns over discrimination.

The Code allows for some exemptions. Health agencies will still need to process biometric information which is health information under the rules of the Health Information Privacy Code (HIPC). If a health agency is processing biometrics which is not health information, for example, introducing a fingerprint scanner for staff to enter the premises, the agency will follow the Biometric Processing Privacy Code.

Intelligence and security agencies, including the New Zealand Security Intelligence Service and the Government Communications Security Bureau, have also received exclusions. This includes rules related to collecting biometric samples (Rule 2), informing an individual that their biometric data is being collected (Rule 3), rules on fair and non-intrusive data collection (Rule 4-b) and limits on use of information that was not collected in accordance with Rule 1 which defines the purpose of collection of biometric information (Rule 10-5). 

Frequently Asked Questions (FAQS): 

Q: What is the Biometric Processing Privacy Code?

A: The Biometric Processing Privacy Code is a set of rules adopted by New Zealand to regulate the use of biometric data by businesses and organizations, ensuring that the benefits of using biometrics outweigh the privacy risks.

Q: When does the Biometric Processing Privacy Code come into force?

A: The Biometric Processing Privacy Code comes into force on November 3rd, 2025, with a compliance deadline for businesses and organizations set for August 3rd, 2026.

Q: What are the key obligations for organizations under the new Code?

A: Organizations must assess the effectiveness and proportionality of using biometrics, adopt safeguards to reduce privacy risks, and inform individuals that their biometric data is being collected.

Q: Are there any exemptions to the Biometric Processing Privacy Code?

A: Yes, health agencies and intelligence and security agencies have received some exemptions, including rules related to collecting biometric samples and informing individuals of data collection.

Q: How will the Office of the Privacy Commissioner enforce the new Code?

A: The Office of the Privacy Commissioner will be responsible for enforcing the law and investigating complaints, providing guidance on how the Code will be applied in practice. 

More Related Topics :