On 21 March 2025, the Cyberspace Administration of China (CAC) and the Ministry of Public Security jointly released Security Management Measures for the Application of Facial Recognition Industry(hereinafter referred to as “the Measures”). This is China’s first set of legally binding rules applicable to facial recognition technology (FRT) and will take effect from June 1, 2025.

The Measures stipulate the general processing rules and requirements for using FRT to handle facial information, security norms for the application of FRT, and responsibilities for supervision and management.

Any activities utilizing FRT to process facial information and identify Individuals in China will be regulated by these measures, except in the following two scenarios:

  1. Using facial recognition technology for research,
  2. Algorithm training purposes in China.

The purpose of the exemption is to not hamper innovation and development of FRT while enhancing the protection for individuals.

 

SESEC has extracted a few key points to take note of in this new measure. Several provisions listed below reflects China’ perspectives on protecting individuals’ rights and interests:

I. Chinas Restriction on FRT Installation

The measures specify that FRT installation is limited to public areas and must be for the purpose of safeguarding public security. Any area where facial information is being detected must display clear signage to inform individuals that they are entering a monitored zone. FRT installation in private spaces within the public area—such as hotel rooms or changing rooms is strictly prohibited.

 

 II. Fully Informed Consent from Individuals

As stated in the Measures, companies should clearly identify specific purposes and necessities of using FRT before its adoption and minimize potential impact of FRT usage on individual’s rights and interests. Companies must truthfully, accurately and fully inform individuals about the following matters in clear and simple language:

  1. The name or identity and contact information of the personal information processor’
  2. The purpose and method of processing facial recognition information, and the retention period of the processed information,
  3. The necessity of processing facial recognition information and its impact on personal rights and interests.
  4. The methods and procedures for individuals to legally exercise their rights’
  5. Other matters that should be informed according to laws or administrative regulations.

Processing of facial information must only proceed after obtaining separate consent from a fully informed individual. Moreover, the individuals’ consent must be provided in written form.

The Measures particularly highlight that for minors under the age of 14, consent must be obtained from their parents or guardians. Additionally, a separate regulation containing more detailed provisions on the storage, usage, transfer and disclosure of minors’ facial information will be developed.

 

III. Storage Requirements of Facial Information

Facial or biometric information should only be stored in local devices. Cloud storage is prohibited to prevent large-scale personal information leaks. The storage period of facial information must not exceed the minimum time required to achieve the intended purpose.

 

IV. Impact Assessment Before Adopting FRT

Prior to performing facial or biometric information using FRT, companies should conduct a thorough impact assessment regarding personal information protection and maintain processing records. The assessment report and processing records must be kept for at least three years. The assessment must address the following aspects:

  1. Whether the purpose or method of processing facial information is legal, legitimate, and necessary
  2. The impact on personal rights or interests and the effectiveness of measures to mitigate adverse effects.
  3. The risk of facial information being leaked, tampered with, lost, damaged, illegally acquired, sold, or used, and the potential harm this may cause.
  4. Whether the protective measures taken are legal, effective, and appropriate to the level of risk.

 

V. Facial Recognition Cannot Be the Only Option

FRT must not be the sole verification method when other non-biometric verification technology is available. However, as long as alternative non-biometric option is provided, FRT can still be used as the preferred method.

Companies must not mislead, deceive or coerce individuals into surrendering their facial information with the purpose of Individuals retain the right to withdraw their consent at any time, and companies shall provide alternative, appropriate, and convenient options.

 

VI. Filing with Local Cyberspace Authorities

Companies must monitor the volume of stored facial information. When this accumulation reaches 100,000, companies must immediately file with the local provincial- or higher-level cyberspace authorities within 30 working days from that date. The following materials must be submitted for filing:

  1. Basic information of the personal information processor
  2. The purpose and method of processing facial information
  3. The amount of stored facial information and security protection measures
  4. The processing rules and operating procedures for facial information
  5. The personal information protection impact assessment report

Companies must prepare for the filing from day one as these materials should have clearly specified the necessity and legality of their FRT use. Any ambiguity found within the submitted materials will result in rejection of the filing.

 

As the first regulatory rules targeting facial recognition technology, the Measures fill in a critical void in China’s existing cybersecurity legal framework by establishing a regulatory framework for an emerging and rapidly evolving technology. However, significant uncertainties remain throughout the entire implementation process, such as internal restructuring and adjustments required of relevant stakeholders, impact assessment and record-keeping, as well as preparation and submission of filling materials. Real-life implementation will be more complex with variations on a case by case basis. Further revisions are likely as more and more issues will emerge in the practice.

 

Access the original legal document of the Measure (in Chinese) via this link:

https://www.cac.gov.cn/2025-03/21/c_1744174262156096.htm

Access the press release of the CAC on deciphering the Measure (in Chinese) via this link:

https://www.cac.gov.cn/2025-03/21/c_1744259774719484.htm