DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · FRT MEASURES

Administrative Measures for the Application Security of Facial Recognition Technology.

人脸识别技术应用安全管理办法

Promulgated by: Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS).
Document No.: Decree No. 19 of CAC and MPS.
Adopted at the 23rd CAC executive meeting in 2024 on September 30, 2024, with MPS concurrence. Promulgated March 13, 2025. Effective June 1, 2025. Zhuang Rongwen (CAC) and Wang Xiaohong (MPS).


Article 1. These Measures are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Administrative Regulation on Network Data Security and other laws and administrative regulations in order to regulate the application of facial recognition technology to handle facial information and protect personal information rights and interests.

Article 2. These Measures apply to the application of facial recognition technology to handle facial information within the territory of the People’s Republic of China. These Measures shall not apply to the application of facial recognition technology to handle facial information for the research and development of facial recognition technology and algorithm training activities within the territory of the People’s Republic of China.

Article 3. Users of facial recognition technology to handle facial information shall comply with laws and regulations, respect social morality and ethics, follow business morality and professional ethics, act in good faith, fulfill obligations of personal information protection and undertake social responsibilities, and shall not endanger national security, damage public interests or infringe upon legitimate rights and interests of individuals.

Article 4. Facial recognition technology shall be used for a specific purpose and of sufficient necessity or in a way that has the least impact on personal rights and interests, and strict protective measures shall be implemented.

Article 5. Prior to application of facial recognition technology to handle facial information, a personal information handler shall inform an individual of the following matters in a prominent manner and using easy-to-understand language in a truthful, accurate and complete manner:

(1) name and contact information of the personal information handler;

(2) purpose and method of handling facial information and the period for storage of the handled facial information;

(3) necessity of handling facial information and impact of handling on personal rights and interests;

(4) methods and procedures for individuals to exercise rights in accordance with the law; and

(5) other matters to be notified in accordance with the provisions of laws and administrative regulations.

If any of the matters prescribed in the preceding paragraph changes, the individual shall be notified of such change. Where it is stipulated by laws and administrative regulations that notification to individuals is not required, such provisions shall prevail. The handling of facial information of the disabled and the elderly shall also comply with the provisions of the State on building a barrier-free environment.

Article 6. Where the handling of facial information is based on an individual’s consent, the voluntary and explicit separate consent of the individual shall be obtained under the premise of full knowledge of the individual. Where laws and administrative regulations provide that the handling of facial information shall be subject to the individual’s written consent, such provisions shall prevail. Where an individual consents to the handling of his or her facial information, he or she has the right to withdraw his or her consent, and the personal information handler shall provide a convenient way to withdraw consent. The withdrawal of consent by an individual shall not affect the effectiveness of personal information handling activities that have been carried out based on the individual’s consent before the withdrawal.

Article 7. Where an individual consents to the handling of the facial information of minors under the age of 14, the consent of the minors’ parents or other guardians shall be obtained. Where a personal information handler applies facial recognition technology to handle facial information of minors under the age of 14, it/he shall formulate special handling rules in terms of storage, use, transfer and disclosure, in order to protect the safety of minors’ personal information according to the law.

Article 8. Unless otherwise stipulated by laws and administrative regulations or with an individual’s separate consent, facial information shall be stored in facial recognition equipment and shall not be externally transmitted through the Internet. Unless otherwise specified by laws and administrative regulations, the retention period of the facial information shall not exceed the minimum time required for achieving the purpose of handling.

Article 9. Where a personal information handler applies facial recognition technology to handle facial information, it/he shall carry out an assessment on the impact of personal information protection in advance and keep a record of the handling. An assessment on the impact of personal information protection shall mainly include the following aspects:

(1) whether the purpose and method of handling facial information are legal, proper and necessary;

(2) impact on the personal rights and interests and whether the measures to mitigate adverse impact are effective;

(3) risks of divulgence, falsification, loss, damage, or illegal acquisition, sale or use of facial information and possible harm; and

(4) whether the protection measures taken are legal, effective and appropriate to the degree of risks.

Assessment reports on the impact of personal information protection and handling records shall be kept for at least three years. Where the purpose and method of personal information handling change, or major security incidents occur, the assessment on impact of personal information protection shall be conducted anew.

Article 10. Where there are other non-facial recognition methods to achieve the same purpose or meet the same business requirements, facial recognition technology shall not be used as the only verification method. If an individual does not agree to identity verification by means of facial information, other reasonable and convenient alternatives shall be provided. Where it is otherwise stipulated by the State on the application of facial recognition technology to verify personal identity, such provisions shall prevail.

Article 11. Where facial recognition technology is used to verify personal identity or identify specific individuals, it is encouraged to give priority to such channels as the national basic population information database and the national network identity authentication public services, so as to reduce facial information collection and storage and protect facial information security.

Article 12. No organization or individual may mislead, defraud or coerce an individual to accept facial recognition technology for verification of his/her personal identity on the grounds of handling business, improving service quality, etc.

Article 13. Facial recognition equipment shall be installed in public places necessary for maintaining public security, and the facial information collection areas shall be reasonably determined in accordance with the law, with eye-catching warning signs set up. No organization or individual may install facial recognition equipment inside private spaces in such public places as hotel guest rooms, public bathrooms, public locker rooms and toilets.

Article 14. The application system of facial recognition technology shall take such measures as data encryption, security audit, access control, authorization management, intrusion detection and defense to protect the security of facial information. Where cybersecurity graded protection or critical information infrastructure is involved, the obligations of cybersecurity graded protection or critical information infrastructure protection shall be performed in accordance with the relevant regulations of the State.

Article 15. A personal information handler shall go through the filing formalities with the cyberspace authority at or above the provincial level of the place where it/he is located within 30 working days from the day when the number of stored facial information handled with application of facial recognition technology reaches 100,000 persons. The following materials shall be submitted for the filing application:

(1) basic information of the personal information handler;

(2) purpose and method of facial information handling;

(3) storage quantity of facial information and security protection measures;

(4) handling rules and operating procedures for facial information handling; and

(5) assessment report on the impact of personal information protection.

Where there is any substantial change in the filed information, the formalities for change of filing shall be completed within 30 working days from the date of change. Where the application of facial recognition technology is terminated, the formalities for cancellation of filing shall be completed within 30 working days from the date of termination, and the facial information shall be handled in accordance with the law.

Article 16. The cyberspace authority shall, in concert with the public security organ and other authorities performing duties of personal information protection, establish and improve the information sharing and notification mechanism and cooperate with each other in carrying out the relevant work. The cyberspace authority, public security organ and other authorities performing duties of personal information protection shall carry out supervision and inspection over the activities of handling personal information with application of facial recognition technology in accordance with the law, and personal information handlers shall provide cooperation pursuant to the law.

Article 17. Any organization or individual has the right to complain or report to the authorities performing duties of personal information protection on the illegal application of facial recognition technology to handle facial information. The authorities receiving such complaints or reports shall handle them in a timely manner in accordance with the law and inform the complainants or whistleblowers of the handling results.

Article 18. Any violation of the provisions hereof shall be punished in accordance with the provisions of relevant laws and administrative regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Article 19. For the purpose of these Measures, the following terms shall have the following meanings:

(1) “personal information handler” refers to any organization or individual that independently determines the purpose and method of handling in the activities of handling personal information.

(2) “facial information” refers to the biometric information of facial features that is recorded electronically or otherwise and is related to an identified or identifiable natural person, excluding the anonymized information.

(3) “facial recognition technology” refers to the individual biometric recognition technology that identifies an individual based on the facial information.

(4) “facial recognition equipment” refers to the terminal equipment that applies facial recognition technology to identify personal identity.

(5) “verifying personal identity” refers to making “one-to-one” comparison of the collected facial information with the specific facial information stored in the information system so as to confirm and check whether the two are the same person.

(6) “identifying specific individuals” refers to making “one-to-many” comparison of the collected facial information with the facial information within the specific scope stored in the information system so as to discover and identify individuals with specific identities.

Article 20. These Measures shall come into force as of June 1, 2025.
