DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying regime; specific clauses should be checked against the published guide.
Scope
This practice guide provides personal-information security protection requirements for facial-recognition payment scenarios — the use of facial recognition to verify identity and authorize a payment. It applies to the parties operating such payment services (and their technology providers), and addresses the handling of facial (biometric) information across collection, verification, transmission, storage and deletion in this specific context.
It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard.
Key contents
At a structural level the guide is expected to cover:
- Consent and notice — obtaining the user’s separate consent for facial-recognition payment, with clear notice of purpose and scope.
- Non-facial alternatives — ensuring users retain a convenient alternative payment/verification method and are not compelled to use facial recognition.
- Minimization and purpose limitation — collecting only the face data necessary for payment verification and not repurposing it.
- Security of face data — anti-spoofing/liveness detection, encrypted transmission, protected (often tokenized) storage, strict access control, and secure deletion.
- Risk management and accountability — impact assessment, logging, and allocation of responsibility among the parties.
Editor: verify specific clauses against the published guide.
How it fits the regime
Facial information is sensitive personal information under PIPL Article 28, and facial-recognition payment is one of the highest-stakes consumer uses of it. The guide operationalizes the heightened sensitive-PI duties — separate consent (Article 29), strict necessity and protection (Article 28), and impact assessment (Article 55) — in the payment setting.
It complements the Measures for the Administration of the Application of Facial Recognition Technology, which require necessity, alternatives to facial recognition, and filing for large-scale use, and aligns with the facial-recognition judicial interpretation and the sensitive-PI identification and protection standards. For overseas compliance teams operating payment or identity-verification services in China that rely on face data, it is the scenario-specific reference for designing a compliant facial-recognition payment flow.