
Facial recognition in China: What business leaders need to know about the new regulations
Since 1 June 2025, China has been enforcing some of the world’s strictest rules on facial recognition. The new security management measures for the application of facial recognition technology demand tighter controls, clearer consent, and stronger data protection. For companies operating in China, the changes bring both compliance risks and a chance to build trust.
The central rule of the package of measures adopted by the Cyberspace Administration and the Ministry of Public Security is necessity: facial recognition in China may only be used when it is truly required and never simply for convenience. Businesses must prove a legitimate purpose, document it, and offer alternatives such as ID cards or PINs. Facial recognition can no longer be the default or the only option for accessing services, explain the Ecovis experts.
Informed consent is mandatory. Companies must clearly explain who collects the data, for what purpose, how long it will be stored, who can access it, and what rights the individual has, including withdrawal and deletion. Consent must be freely given, specific, and verifiable – vague notices or pre-checked boxes are banned.
Strict data storage regulations
Facial data must be stored locally in China, preferably on the device or a secure domestic server. Internet transfers are only allowed with legal approval or explicit user consent. Retention must be minimal, and deletion is required once the purpose is fulfilled. Firms using global biometric platforms must adapt or risk non-compliance.
Large-scale collectors – those holding data on more than 100,000 individuals – must register with provincial authorities, file detailed reports, and deregister with proof of deletion when operations cease.
"Companies should act promptly to minimise risks. We can help you do this."
Pingwen Hu, Senior Partner and Certified Public Accountant, ECOVIS Ruide Certified Public Accountants Co., Ltd, Shanghai, China
Risk of high fines
Penalties for violations can reach RMB 50 million or 5% of annual revenue, alongside reputational harm and possible loss of business licenses. Breaches involving facial data must be reported to authorities within 24 hours.
Offering additional access options will be mandatory in the future
Employers must now offer non-biometric options for attendance or access and inform staff in detail about data use, access rights, and deletion procedures. Retailers, banks, and hospitality providers face limits on customer tracking and personalisation, while developers must ensure training data meets consent requirements. Certain uses – such as emotion detection or classification by ethnicity, religion, or health – are banned.
Business leaders should act quickly: audit all uses of facial recognition, review data flows, update consent mechanisms, train staff, and ensure vendor compliance.
For further information please contact:
Pingwen Hu, Senior Partner and Certified Public Accountant, ECOVIS Ruide Certified Public Accountants Co., Ltd, Shanghai, China
Email: pingwen.hu@ecovis.cn
