China’s New Facial Recognition Regulations: What Every Business Leader Needs to Know

Effective June 1, 2025, China began enforcing a far-reaching regulatory framework governing the use of facial recognition technology. Jointly issued by the Cyberspace Administration of China (CAC) and the Ministry of Public Security, the new rules, officially titled the Security Management Measures for the Application of Facial Recognition Technology, are among the most stringent of their kind globally. For companies operating in China, they bring both risk and opportunity and demand immediate executive attention.

Contact

Richard Hoffmann
Partner, Lawyer in Heidelberg, Ladenburg
Tel.: +49 6203 95561 2600

Why This Matters for Your Business

Facial recognition is no longer a lightly regulated tool for access control, attendance, or customer engagement. The new regulations signal a sharp pivot toward user autonomy, data transparency, and state-supervised compliance. Businesses that currently use facial recognition in any form, whether for workforce management, customer identification, or service personalization, must prepare for major operational adjustments or face serious legal and financial consequences.

At the core of the policy is a clear principle: facial recognition may be used only where there is a specific purpose and a sufficient necessity, and only with strict protective measures in place. Deploying it simply for convenience or automation is no longer acceptable. Companies must be able to document compelling reasons for its use and, wherever a non-biometric method would achieve the same purpose, must offer that alternative, such as an ID card or a PIN. In practice this means facial recognition can no longer be the default option, nor the sole way of accessing a service or facility.

Consent and Communication: No More Shortcuts

One of the most business-critical elements of the new framework is the mandatory informed consent requirement. Before collecting any facial data, businesses must provide clear, written disclosures that include:

  • The name and contact details of the data controller
  • The specific purpose and scope of data collection
  • How long the data will be stored
  • Who will have access to it
  • The individual’s rights, including the right to withdraw consent or request deletion

Critically, consent must be freely given, specific, and verifiable. Pre-checked boxes, vague notices, or bundled consent practices are explicitly prohibited. If your systems are not designed for granular consent management, now is the time to invest in updates.

Storage, Localization, and Internet Transfer Restrictions

The regulations also impose strict data storage requirements that may affect your infrastructure strategy:

  • Facial information must by default be stored on the facial recognition device itself; centralizing it on another server is not the assumed architecture.
  • Facial information may not be transmitted out of the device over the internet unless a law or administrative regulation expressly permits it or the individual has given separate, documented consent.
  • Retention must be limited to the shortest period necessary for the stated purpose, after which the data must be deleted.

International companies that rely on centralized data platforms or global biometric authentication systems will need to reconfigure those systems, or risk falling out of compliance with China’s data localization mandates.

High-Volume Data Collectors Under the Microscope

If your company stores facial information for more than 100,000 individuals, you fall under a special regulatory category that requires a filing with the provincial cyberspace authorities. Within 30 working days of reaching that threshold, your business must submit detailed information on the purpose and methods of processing, the storage systems and security measures (including encryption), and the internal controls in place. If facial recognition use is later discontinued, you must formally de-register and demonstrate that the stored facial information has been handled as the law requires, which in practice means securely and irreversibly deleting it.

These requirements mean large organizations will need to build or enhance compliance teams capable of handling audit preparation, internal monitoring, and regulatory reporting.

Compliance Risks: More Than Just Fines

The financial stakes for non-compliance are high: under China's Personal Information Protection Law, which the Measures build on, fines can reach RMB 50 million or 5% of the previous year's revenue. But beyond monetary penalties, reputational damage, operational disruption, and even loss of business licenses are real risks for companies that ignore or underprepare for these changes.

The rules also require prompt notification of the authorities, within 24 hours, if a security breach involving facial recognition data occurs. Companies should therefore revisit their incident response playbooks, so that a breach of the biometric system is recognized and escalated quickly enough to meet that deadline, and review their cybersecurity insurance policies.

Employment and Workplace Implications

Facial recognition is widely used in Chinese workplaces for time tracking, attendance logging, and facility access. Under the new regulations, employers must offer alternatives to employees who choose not to use biometric systems. Moreover, they are required to clearly explain:

  • How employee facial data is used
  • Who can access it internally
  • How deletion or withdrawal of consent will be handled

HR departments will need training to manage these processes, and IT systems may require redesign to separate biometric and non-biometric verification paths. For small and medium-sized enterprises (SMEs), these changes could represent a substantial investment, both in technology and workforce education.

Impacts on Specific Industries

Sectors like retail, finance, and hospitality, which frequently use facial recognition for personalized services, will face immediate challenges. Retailers can no longer analyze customer expressions or behaviors without explicit, case-specific consent. Financial institutions that authenticate clients via facial scans must now justify the necessity of doing so and prepare fallback mechanisms.

Tech firms developing facial recognition algorithms must also reevaluate their training datasets and ensure that the data used complies with the new consent standards. For multinational companies, maintaining operational consistency across markets while meeting China’s localization and consent requirements will be especially complex.

Additionally, certain applications of facial recognition are now explicitly banned. These include systems designed to infer emotions or categorize people based on ethnicity, religion, or health status, practices now deemed discriminatory and illegal.

Strategic Response: What Leaders Should Do Now

Given the complexity and potential exposure, business leaders should act proactively:

  1. Conduct an audit of all current and planned uses of facial recognition across the organization.
  2. Evaluate data flows and storage locations to ensure compliance with localization rules.
  3. Update consent mechanisms, user disclosures, and privacy policies.
  4. Train internal teams, particularly HR, IT, and compliance, on the new obligations.
  5. Reassess vendor relationships, especially those involving third-party biometric systems.
  6. Plan for contingencies, including the suspension or scaling back of biometric operations if full compliance cannot be achieved in time.

Final Thoughts

China’s new facial recognition regulations present a dual message to the business community: innovation is welcome, but not at the expense of personal privacy and data security. While the rules introduce complexity, they also offer a clearer regulatory path and may help rebuild public trust in biometric technology.

For companies that move quickly to align with these changes, there is an opportunity not only to avoid risk but also to position themselves as responsible technology leaders in a market increasingly defined by ethical governance.
