---
title: "Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers"
author: "DCC Editorial"
published: 2025-10-28T01:00:00.000Z
url: https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact/
description: "The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough."
tags: ["facial-recognition", "frt-measures", "sensitive-personal-information", "filing-regime", "commentary"]
laws_cited: ["facial-recognition-technology-application-measures", "facial-recognition-judicial-interpretation", "pipl"]
domains: ["personal-information", "enforcement"]
account: "compliance-talker"
original_title: "原创 || 《人脸识别技术应用安全管理办法》解读与企业影响分析"
original_author: "全球法律政策研究 (Global Legal Policy Research Team)"
original_publication: "合规小叨客"
original_url: "https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g"
source_language: "zh"
---
> *Editor's Note — DCC.*
>
> The *Administrative Measures for the Application Security of Facial
> Recognition Technology* (《人脸识别技术应用安全管理办法》) — China's
> first standalone facial-recognition statute — were jointly issued by
> CAC and MPS on March 20, 2025 and took effect June 1, 2025. The
> *Announcement on Conducting FRT Filing Work* of May 28, 2025 added
> the operational filing procedure. Compliance Talker's team produced a
> detailed walk-through five months after the effective date — the
> compliance picture has stabilized enough to deliver concrete
> operational guidance. DCC's framing emphasizes what the rules
> actually require of overseas-facing FRT deployments.

## Scope — what the Measures apply to

The Measures apply to: *"the application of facial recognition technology to process facial information within the territory of the PRC."* The scope is **focused and specific** — facial-feature-based biometric identification using already-collected facial information to identify or verify individuals. Two operational modes are covered:

- **One-to-one** verification — comparing a captured face against a single specific stored facial record to verify identity. Example use cases: airport / high-speed-rail identity verification against ID documents; mobile payment / online banking facial login.
- **One-to-many** recognition — comparing a captured face against a database of records to identify a specific individual. Example use cases: public-security suspect tracking; missing-person searches; mall and office-building security; school attendance; hotel self-check-in.

The Measures **do not apply** to FRT used for technology R&D or algorithm training. (Those activities remain subject to PIPL, the sensitive-PI rules under TC260 guidance, and other data-compliance regimes — but not the Measures themselves.)

## Seven concrete obligations the Measures impose

### 1. The non-exclusive-use rule

> *"Where the same purpose or business requirement can be achieved through non-facial-recognition technology, FRT shall not be the sole verification method. Where otherwise provided by the State, follow those provisions."*

This is the *necessity test*, codified. For most identity-verification scenarios — app login, in-person service identity check — at least one non-FRT alternative (SMS code, ID document check, etc.) must be provided. The technical implementation should avoid *"default-tick"* or *"hidden skip"* dark patterns that nudge users toward FRT.

Where FRT is the only viable verification method (in narrow technical scenarios), the data handler must produce a *multi-modal verification analysis report* documenting why other methods are not feasible — for example, demonstrably inferior accuracy or efficiency, or disproportionate business cost of alternatives.

### 2. Preferred use of national-identity infrastructure

For one-to-one verification scenarios, the Measures encourage *priority use of the **National Population Basic Information Database** and the **National Network Identity Authentication Public Service***. The implication: where regulated identity verification is needed (e.g., real-name registration), use the state-provided identity infrastructure rather than building independent FRT systems.

### 3. Prohibition on coerced FRT consent

No organization or individual may, for reasons of *"providing services" or "improving service quality,"* mislead, deceive, or coerce individuals into accepting FRT-based identity verification. The hard-stop matters for product designers who use friction or feature gating to push users toward FRT.

### 4. Public-space deployment rules

For FRT devices in public spaces:

- Deployment must be **necessary for public security**.
- The **collection area must be lawfully and reasonably determined**.
- **Visible notice signs** must be set up.
- **No FRT in private spaces** within public venues — explicitly: hotel guest rooms, public bathhouses, public changing rooms, public toilets. (This list responds to documented incidents — see the 2025 Shanghai swimming-pool changing-room case the Compliance Talker team cites.)

### 5. Technical security measures

FRT application systems must implement: *data encryption, security audit, access control, authorization management, intrusion detection and defense.* The list is referenced from existing TC260 / GB standards, now made mandatory under the Measures.

### 6. End-side storage default

> *"Facial information shall be stored within facial recognition equipment. It shall not be transmitted externally via the internet, except where otherwise provided by laws / administrative regulations, or with separate individual consent."*

This is **the most operationally consequential provision** in the Measures. The default is **end-side storage** — facial information stays on the device that collected it. Cloud storage and external transmission are *prohibited* absent (a) statutory authorization or (b) **separate individual consent**.

The Measures upgrade what was previously a TC260 recommended-standard preference (end-side storage) into a **mandatory legal requirement**. The compliance implication for an FRT product:

- *"Non-essential, non-stored"* — FRT data should be processed and deleted (or anonymized) where possible.
- Where storage is necessary, **end-side storage by default**.
- Where cloud storage or external transmission is needed, **product design must include a consent prompt (pop-up or checkbox)** obtaining separate individual consent, and the data must be encrypted in transit and at rest.

### 7. 100,000-record filing trigger — the regulatory headline

> *"PI handlers shall, within 30 working days from the date when the stored facial information processed using FRT reaches 100,000 individuals, perform filing procedures with the provincial-level or higher CAC of their location."*

The filing regime is China's third major direct-supervisory channel alongside data-export filing and large-model algorithm filing. Specific operational parameters:

- **Counting unit**: number of *individuals* whose facial data is stored (deduplicated), not number of records.
- **Cumulative basis**: historical accumulated stored count (cache that is "used and deleted" is generally excluded, as is end-side-stored data that cannot be accessed remotely).
- **Excluded scenarios**: FRT R&D and algorithm training are out of scope.
- **Filing trigger**: filing is due within 30 business days of crossing the 100k threshold.
- **Filing materials**: processing rules, security measures, evaluation report, and other materials specified in the *FRT Filing Announcement* (May 28, 2025).
- **Material change re-filing**: substantial changes to processing volume or method require re-filing.
- **Filing cancellation**: discontinuation of FRT use requires cancellation filing.

The 100,000 threshold is meaningfully *higher* than the 10,000 threshold in the 2023 draft for public consultation. The Compliance Talker team's reading: the regulator chose to *raise the threshold* to reduce compliance burden on smaller deployments while concentrating enforcement attention on larger-scale FRT operators.

## Statutory underpinnings the Measures reinforce

The Measures don't create new PIPL obligations — they make existing PIPL obligations concrete for the FRT context:

| Measures Provision | PIPL Anchor |
|---|---|
| Specific purpose + necessity + minimum-impact protection | PIPL Article 6 (purpose limitation + necessity) |
| Notice obligation | PIPL Articles 17, 30 |
| Separate, voluntary, explicit consent | PIPL Article 29 (sensitive PI); Article 31 (minors under 14 — parent/guardian consent) |
| Pre-deployment Personal Information Impact Assessment | PIPL Article 55 (PIA mandatory for sensitive PI) |
| Maximum-necessary storage duration | PIPL Article 19 |

The Measures stack on top of the existing standards (**GB/T 44248-2024**, **GB/T 41819-2022**) and judicial framework (the **SPC FRT Judicial Interpretation** — see [DCC's law page](/laws/facial-recognition-judicial-interpretation/)).

## Why the Measures came out when they did

The Compliance Talker team identifies two drivers:

- **Legislative trajectory** — PIPL Article 62 directed the development of FRT-specific implementation rules. The Measures are that delivery.
- **Enforcement-pull from documented FRT misuse cases** — a 2024 Zhoushan real-estate firm collected facial data of viewing customers without consent for commission settlement; a 2025 Shanghai swimming pool installed FRT in a changing room. These cases drove regulatory urgency.

The Measures' regulatory model is *dual-track*: **full-lifecycle management** (collection / storage / transmission / destruction, with closed-loop controls) **+ scenario-based grading** (public-safety scenarios permitted with conditions, private spaces flatly prohibited).

## Implementation guidance for foreign-invested entities

The Compliance Talker team gives a long operational playbook. Three of the most important items for overseas firms:

### Implementation 1 — Verification design audit

For any business flow that uses FRT for identity verification (app login, in-person service check, employee access control):

- Implement at least one non-FRT alternative (SMS, document check, password, hardware key).
- The non-FRT alternative must be *reasonably available* — no dark patterns ("default-checked FRT option," "hidden skip button") that push users toward FRT.
- If FRT must be the sole method, prepare a *multi-modal verification analysis report* documenting why non-FRT alternatives are unsuitable (accuracy / efficiency / cost differential).

### Implementation 2 — Storage architecture rebuild

For FRT data currently transmitted to the cloud or to centralized servers:

- Default to **end-side storage**.
- Where central / cloud storage is required, redesign the consent UI: explicit pop-up or checkbox obtaining separate consent before any external transmission.
- Encrypt at rest and in transit.
- Build a *dynamic counting and threshold-alert system* to monitor the stored-individual count and trigger the filing process at the 100k threshold.

### Implementation 3 — Filing workflow

For entities with FRT stored data approaching or above 100k individuals:

- **Existing systems**: inventory storage distribution and total count. If already ≥100k individuals, complete filing per the *FRT Filing Announcement* with the provincial-level CAC.
- **New systems**: build pre-deployment filing into the product launch workflow. Track storage growth; file within 30 business days of crossing 100k.
- **Material changes**: process re-filing for substantial volume changes or processing-method changes.

The filing timeline:

- Entities exceeding 100k at the time the Measures took effect (June 1, 2025): filing is due within 30 business days from the date the threshold was exceeded.
- Entities exceeding 100k after the effective date: filing is due within 30 business days from the date the threshold is exceeded.
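A sketch of the dynamic counting and threshold-alert system from Implementation 2, combined with the filing timeline above; this is an added example, not code from the Measures, the Compliance Talker article or DCC. Assumptions: the storage labels are hypothetical, subject identifiers are pseudonymized with a keyed hash, the crossing day itself is not counted toward the 30 working days, and the caller supplies the official holiday and make-up-workday calendar.

```python
import hashlib
import hmac
from datetime import date, timedelta

THRESHOLD = 100_000   # distinct individuals, as quoted from the Measures
FILING_WINDOW = 30    # working days, as quoted from the Measures


def add_working_days(start, days, holidays=frozenset(), makeup_days=frozenset()):
    """Date `days` working days after `start`; `start` itself is not counted (assumption)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        # Weekend days count only if listed as official make-up working days.
        if (d.weekday() < 5 and d not in holidays) or d in makeup_days:
            days -= 1
    return d


class StoredFaceCounter:
    """Cumulative, deduplicated count of individuals with centrally stored face data."""

    def __init__(self, key, threshold=THRESHOLD):
        self._key = key
        self._seen = set()      # never shrinks: the basis is historical accumulation
        self.threshold = threshold
        self.crossed_on = None  # date the count first reached the threshold

    def record(self, subject_id, on, storage):
        """storage is 'central', 'end_side' or 'transient' (labels are hypothetical)."""
        if storage != "central":
            return  # use-and-delete cache and device-only storage are not counted
        # Keyed hash: the counter holds pseudonyms, not raw subject identifiers.
        self._seen.add(hmac.new(self._key, subject_id.encode(), hashlib.sha256).digest())
        if self.crossed_on is None and len(self._seen) >= self.threshold:
            self.crossed_on = on

    @property
    def individuals(self):
        return len(self._seen)

    def filing_due(self, holidays=frozenset(), makeup_days=frozenset()):
        """Last day to file, or None while the count is below the threshold."""
        if self.crossed_on is None:
            return None
        return add_working_days(self.crossed_on, FILING_WINDOW, holidays, makeup_days)
```

The exclusions for transient cache and device-only storage follow the "generally excluded" reading summarized under obligation 7, so a deployment that treats them differently should change the `record` filter rather than the counting logic.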

## Why this matters for overseas teams

Three takeaways:

- **The 100k filing threshold is the headline operational change.** Foreign-invested entities running FRT deployments at any scale should immediately benchmark their stored-individual counts. A 100k+ deployment without filing is now a direct violation; entities approaching the threshold should architect for filing readiness.
- **The end-side storage default rebuilds product architecture.** Cloud-based facial recognition products are now legally disfavored by default. The compliance architecture for new FRT products in China should assume end-side storage as the baseline, with cloud only as a separately-consented exception. This will materially affect how foreign FRT vendors structure their China product offerings.
- **The non-exclusive-use rule changes user-experience design.** Product flows that pushed users toward FRT through default-tick / hidden-skip patterns are now non-compliant. UX reviews should specifically check for these patterns and offer reasonably accessible alternatives.

The deeper point in the Compliance Talker piece is that **FRT regulation in China has matured from principle-based PIPL provisions into operational rules with specific filing channels**. Compliance teams should now treat FRT as a *separately supervised* category — alongside cross-border data export and large-model algorithm filing — rather than as one application of general PI compliance.

---

— Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 《人脸识别技术应用安全管理办法》解读与企业影响分析* (Interpretation of the Administrative Measures for the Application Security of Facial Recognition Technology and Enterprise Impact Analysis), 合规小叨客 WeChat Official Account, October 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g)

*Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.*
