The Security Management Measures Concerning the Application of Facial Recognition Technology officially came into effect on June 1, 2025, approximately three months after their release. Jointly issued by China’s Cyberspace Administration and the Ministry of Public Security, these Measures represent China’s first dedicated legal framework regulating the social use of facial recognition technology. Positioned as a complement to existing legislation, including the Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL), the Measures reflect a growing consensus that AI-powered biometric systems require stricter safeguards to protect individual rights and the public interest.
At its core, the Measures emphasize that the use of facial recognition technology must be lawful, ethical, professionally responsible, and consistent with societal values. The application of this technology is limited to specific, necessary purposes that minimize its impact on individuals, with clear, transparent protections throughout its use. Individuals must be fully informed and provide explicit, voluntary consent before their facial data is collected, with special provisions in place for minors under the age of 14 — highlighting the fundamental importance of consent in the use of facial recognition.
Acknowledging that facial data is classified as sensitive biometric information under the PIPL, the Measures impose strict limitations on its collection, use, and storage. For instance, facial data must, by default, be stored locally, and transmission over the internet is prohibited unless expressly permitted by law or separately authorized by the individual. Data must be retained only for the minimum time required to fulfill its stated purpose, in order to avoid excessive or indefinite storage. Service providers are also required to conduct a personal information protection impact assessment prior to developing any facial recognition system, and to retain related records for at least three years to ensure accountability and risk management.
Importantly, the Measures prohibit the compulsory use of face‑scans for routine services such as hotel check‑ins, gated‑community access, or entry to public facilities. Where facial recognition systems are already in place, service providers must offer reasonable alternatives. Operators are also prohibited from misleading, coercing, or deceiving individuals into accepting facial recognition. In public settings, users must be clearly informed of the presence of facial recognition technology. The Measures also explicitly ban the use of facial recognition in certain provate spaces, including bathrooms, changing rooms, and hotel guest rooms.
To further safeguard public interests, the Measures stipulate that if other identity verification methods (such as passwords or national digital ID systems) can achieve the same goal, facial recognition must not be the sole option. The regulation encourages the use of national identity services, such as the National Network Identity Authentication system, to reduce redundant data collection and minimize privacy risks.
This regulation directly addresses growing public concern over the unchecked use of facial recognition, particularly following incidents in cities such as Shanghai where hotels mandated facial scans, triggering public backlash and regulatory intervention. In March 2025, authorities reaffirmed that individuals must not be forced to verify their identities through facial recognition, even for routine services, and that meaningful consent is paramount. From a technical perspective, the Measures call for enhanced system protections, including encryption, access controls, auditing, and intrusion detection, to prevent data misuse or breaches. Their introduction reflects a broader policy effort to balance innovation with safety, fairness, and individual dignity in the age of AI.
In the broader context, the Measures are reshaping China’s surveillance landscape by establishing clearer boundaries on when, where, and how facial recognition can be applied. They work in tandem with the PIPL and other legal instruments to form a comprehensive regulatory strategy that promotes the responsible and ethical development of digital technologies, while addressing widespread concerns about mass‑surveillance.
Bibliography
Baptista, E. (2025, March 21). China says facial recognition should not be forced on individuals. Reuters. Retrieved from https://www.reuters.com/technology/china-says-facial-recognition-should-not-be-forced-individuals-2025-03-21/
China Daily. (2025, June 12). Security Management Measures for the Application of Facial Recognition Technology Applications [Column]. China Daily. Retrieved from https://column.chinadaily.com.cn/a/202506/12/WS684a3c8da310205377037a92.html
Cyberspace Administration of China & Ministry of Public Security. (2025, March 21). 人脸识别技术应用安全管理办法 [Measures for the Security Management of Facial Recognition Technology Applications]. Retrieved from https://www.cac.gov.cn/2025-03/21/c_1744174262156096.htm
