New Zealand’s New Legal Code for Biometric Processing: What Businesses Need to Know

  • Aug 6

The Biometric Processing Privacy Code 2025 is now law under the Privacy Act. It introduces a specific and enforceable set of rules for any organisation in New Zealand using biometric technologies such as facial recognition, voice ID, fingerprints, or similar tools to identify, verify, or categorise individuals.


Key Dates

  • The Code comes into force on 3 November 2025

  • Organisations already using biometric systems must comply by 3 August 2026


This Code replaces the 13 standard privacy principles with 13 targeted rules designed specifically for biometric information. It brings much-needed clarity and structure to the regulation of biometric technologies.


What Has Changed?

The Code introduces new legal thresholds for the collection and use of biometric data. Under Rule 1, biometric data must only be collected if:

  • It is for a lawful purpose connected to the organisation’s functions

  • It is effective at achieving that purpose

  • The same result cannot reasonably be achieved as effectively by another means that carries less privacy risk

  • The organisation has implemented appropriate privacy safeguards

  • The processing is proportionate, taking into account privacy risk and cultural impacts (including on Māori)


These are not soft guidelines. Organisations must be prepared to evidence their decision-making and justify their use of biometric tools.


Restrictions on High-Risk Uses

The Code also restricts certain high-risk uses of biometric information. In most cases, organisations cannot use biometric data to infer or detect:

  • Emotions

  • Mental state

  • Fatigue or alertness

  • Health status

  • Age, sex, ethnicity, or other characteristics that may involve discrimination risks


These uses are only permitted in limited situations, such as for accessibility support or public safety purposes, and must still meet strict conditions.


Transparency and Rights of Individuals

The Code places a strong emphasis on individual rights and transparency. Organisations must clearly inform people:

  • That biometric data is being collected

  • The purpose for collection

  • Whether any alternatives are available

  • Their rights to access and correct their information

  • How long the data will be kept

  • How to raise concerns or make complaints


These obligations apply whether the system is in full use or being trialled.


What Your Business Should Do Now

If your business currently uses or is considering the use of biometric systems, the following steps will help you prepare for compliance:

  • Review your biometric systems and clarify their purposes

  • Assess whether each use meets the legal thresholds of necessity, effectiveness, and proportionality

  • Document your assessment, including any less privacy-intrusive alternatives considered and your justification for proceeding

  • Consider cultural impacts, including specific risks or impacts for Māori

  • Review your data storage, disposal practices, and vendor arrangements

  • Update privacy notices, consent communications, and internal training

  • Seek legal advice, particularly where use is novel, high-risk, or involves sensitive decision-making


O’Brien Legal supports businesses across New Zealand to navigate these new privacy obligations with clarity and confidence. If you would like a confidential discussion about how the Code applies to your organisation, please get in touch.


