How to Decide on Biometric Systems in China: 2026 Guide for Foreign Companies

Date:

Share post:






How to Decide on Biometric Systems in China: 2026 Guide for Foreign Companies

How to Decide on Biometric Systems in China: 2026 Guide for Foreign Companies

China has become one of the world’s most advanced markets for biometric technology, with widespread adoption of facial recognition, fingerprint scanning, iris detection, and voice recognition across public security, financial services, healthcare, education, and commercial sectors. For foreign companies operating in or entering the Chinese market, deciding on the right biometric system is a complex decision that carries significant legal, operational, and reputational consequences. This guide provides a structured decision framework to help foreign businesses evaluate, select, and deploy biometric systems in China in compliance with 2026 regulations.

Understanding the Biometric Landscape in China

China’s biometric market is projected to exceed USD 25 billion by 2026, driven by government-led smart city initiatives, the widespread deployment of surveillance infrastructure, and increasing adoption by private enterprises for access control, payment authentication, employee management, and customer identification. Foreign companies entering this space must first understand that biometric data is classified as “sensitive personal information” under Chinese law, making its collection and processing subject to the strictest regulatory requirements.

The key laws governing biometric data in China include the Personal Information Protection Law (PIPL), the Data Security Law (DSL), the Cybersecurity Law (CSL), and several sector-specific regulations issued by the Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS), and the People’s Bank of China (PBOC). In 2025-2026, additional regulations specifically targeting biometric data processing have been introduced, including mandatory registration requirements for companies processing large volumes of biometric data and enhanced consent rules.

Foreign companies must also contend with the cross-border data transfer restrictions under PIPL, which impose strict conditions on transferring biometric data outside of China. A standard contract, security assessment, or certification under the CAC’s cross-border data transfer mechanism may be required, depending on the volume and sensitivity of the data involved.

Step 1: Define Your Use Case and Data Requirements

The first step in deciding on a biometric system is to clearly define your use case. Are you implementing employee attendance tracking for your China-based workforce? Providing biometric payment authentication for customers? Conducting identity verification for financial services or healthcare? Each use case triggers different regulatory obligations, technical requirements, and risk profiles.

For employee-facing applications such as access control and time attendance, the legal basis is typically “necessary for human resources management under employment contracts” as outlined in PIPL Article 13. However, employers must still obtain explicit individual consent for the collection of biometric data and must provide a non-biometric alternative (such as a card-based system or PIN code) to avoid forcing employees into biometric enrollment.

For customer-facing applications such as biometric payments or identity verification, the legal basis is explicit consent under PIPL Article 14. Consent must be “freely given, specific, informed, and unambiguous.” This means you cannot bundle biometric consent with general terms of service — customers must have a genuine choice to opt in or out without suffering a degradation of service quality.

For public-facing or government-related applications, additional approvals from local Public Security Bureau (PSB) offices may be required, particularly if the system involves video surveillance in public spaces. China’s regulation on facial recognition in public places, effective from 2025, requires a public interest justification, a privacy impact assessment, and signage that clearly informs individuals of the surveillance.

Step 2: Evaluate the Types of Biometric Modalities

Each biometric modality carries different strengths, weaknesses, and regulatory implications in China. The most common modalities include:

Facial Recognition

Facial recognition is by far the most dominant biometric technology in China, used for everything from building access to mobile payments to public security surveillance. However, it is also the most heavily regulated modality. The CAC’s 2025 Facial Recognition Data Processing Regulations require businesses to conduct a Data Protection Impact Assessment (DPIA) before deploying facial recognition, register the system with local authorities, and provide clear opt-out mechanisms. Accuracy requirements are particularly strict for financial applications, where the People’s Bank of China mandates a false acceptance rate below 0.001%.

Fingerprint Recognition

Fingerprint systems remain widely used in China for employee attendance, device unlocking, and physical access control. Regulatory requirements are comparatively lighter than for facial recognition, but fingerprint data is still classified as sensitive personal information under PIPL. Companies must obtain separate explicit consent for fingerprint collection and cannot use fingerprints collected for one purpose (e.g., attendance) for another purpose (e.g., tracking employee movements) without fresh consent.

Iris Recognition

Iris scanning is less common but growing in high-security applications such as banking, border control, and data center access. China has deployed iris recognition at certain airports and border crossings. For foreign companies, implementing iris recognition requires particularly careful attention to cross-border data transfer rules, as iris data quality requirements often necessitate sending raw images to overseas servers for processing — a practice that is heavily restricted under PIPL.

Voice Recognition and Speaker Identification

Voice biometrics are increasingly used in China for call center authentication, smart speaker commands, and voice-based payments. The regulatory framework for voice data overlaps significantly with general audio data regulations under the DSL and the Provisions on the Management of Audio and Video Information Services. Voice data that can identify a specific individual is treated as sensitive personal information, subject to the same consent and impact assessment requirements as other biometric modalities.

Step 2: Assess Technical and Integration Requirements

Once you have determined the biometric modality that fits your use case, the next step is to assess the technical requirements for deployment in China. Key considerations include:

On-Device vs. Cloud Processing

Processing biometric data on-device (on a local terminal, edge device, or on-premises server) significantly reduces regulatory exposure compared to cloud processing. On-device processing is strongly recommended for foreign companies, as it minimizes cross-border data transfer issues and reduces the scope of required security assessments. Many modern biometric devices sold in China offer on-device template matching, where raw biometric images are converted to feature vectors locally and the raw data is immediately deleted.

Data Localization Requirements

Under PIPL and the 2025 Biometric Data Security Guidelines, all biometric data collected in China must be stored within mainland China. Foreign companies cannot store biometric data on overseas servers without passing a CAC security assessment, even if the data is anonymized or encrypted. If your biometric system requires cloud-based AI processing for matching or liveness detection, the processing must occur on servers physically located in China.

System Interoperability

China has developed its own national standards for biometric data interchange formats, including GB/T 35742-2017 for facial recognition data, GB/T 33841-2017 for fingerprint data, and GB/T 37036-2018 for iris data. Foreign vendors must ensure their systems support these Chinese national standards to be compatible with local government systems and industry platforms. Non-compliant systems may face difficulties in obtaining the necessary network access approvals (e.g., from the Ministry of Industry and Information Technology).

Network Security and Encryption

All biometric data transmitted between devices and servers must be encrypted using algorithms approved by the Chinese Cryptographic Bureau (the Shangmi algorithm suite, specifically SM2, SM3, and SM4). International encryption standards such as AES-256 and RSA are not sufficient on their own — your system must implement state-approved cryptographic algorithms. This is a mandatory requirement under the Cryptography Law of China, and failure to comply can result in device seizures, fines, and suspension of operations.

Step 4: Conduct a Data Protection Impact Assessment (DPIA)

Under PIPL Article 55, companies processing sensitive personal information (including biometric data) must conduct a DPIA before beginning processing activities. The DPIA must be documented in writing and retained for at least three years. The assessment should evaluate the necessity and proportionality of the biometric data processing, the potential risks to individuals’ rights and interests, and the measures in place to mitigate those risks.

For foreign companies, the DPIA should also address cross-border data transfer risks, the legal basis for processing, and the specific consent mechanisms implemented. While the DPIA does not need to be filed with the CAC in all cases (only where specifically required by regulation), it must be available for inspection by the CAC or local cyberspace administration upon request. In practice, foreign companies processing biometric data of more than 100,000 individuals should proactively lodge their DPIA with the relevant authorities to demonstrate compliance.

Step 5: Implement Consent and Individual Rights Mechanisms

PIPL grants individuals extensive rights with respect to their biometric data, including the right to know, the right to consent, the right to access, the right to correct, the right to delete, and the right to withdraw consent. Foreign companies must implement mechanisms to handle all of these rights in practice.

For biometric systems, the most critical right is the right to withdraw consent. Under PIPL Article 15, individuals may withdraw their consent at any time, and the company must provide a convenient mechanism for doing so. This means that a biometric system deployed in a Chinese factory or office must have a process by which an employee can deregister from the biometric system and switch to an alternative method (such as a card or PIN) without penalty.

Companies must also establish procedures for responding to data subject access requests (DSARs) within the statutory timeframe of 15 working days (extendable to 30 for complex requests). Given the sensitivity of biometric data, DSAR response procedures should include robust identity verification to prevent unauthorized access to biometric templates.

Step 6: Evaluate Vendor and Partner Options

Foreign companies have several options for sourcing biometric systems in China:

Domestic Chinese Vendors

Leading Chinese biometric vendors include Hikvision (facial recognition cameras), Dahua Technology (video surveillance and access control), Megvii (Face++ facial recognition platform), SenseTime (facial and gesture recognition), CloudWalk (facial recognition for payments), and ZKTeco (fingerprint and multi-biometric access control). These vendors offer products that are natively compliant with Chinese standards, support the Shangmi cryptographic algorithm suite, and have established relationships with local PSB offices for system registration. However, some foreign companies have compliance concerns regarding vendor access to biometric data, particularly for US-listed firms subject to CFIUS or sanctions considerations.

International Vendors with China Operations

International biometric vendors such as NEC Corporation, Idemia, Gemalto (Thales Group), and ASSA ABLOY HID Global maintain operations in China and offer products designed for the Chinese market. These vendors typically offer stronger data governance guarantees and international compliance certifications, but their products may be more expensive and may not be as tightly integrated with Chinese government systems. Compatibility with Chinese national standards (GB/T series) should be verified explicitly in the contract.

Partnership with Chinese System Integrators

Many foreign companies choose to work with Chinese system integrators (SIs) who handle the full deployment process, including hardware procurement, software integration, PSB registration, and ongoing compliance management. Major SIs active in the biometric space include China Telecom System Integration, Neusoft, Digital China, and Inspur. When outsourcing to an SI, the foreign company remains the data controller under PIPL and bears ultimate responsibility for compliance, so contractual protections, audit rights, and data processing agreements (DPAs) are essential.

Step 7: Budget and Cost Considerations

The total cost of deploying a biometric system in China varies significantly depending on the modality, scale, and compliance requirements. Key cost components include:

  • Hardware costs: Fingerprint readers (USD 100-500 per unit), facial recognition terminals (USD 500-3,000 per unit), iris scanners (USD 1,000-5,000 per unit).
  • Software licensing: Recognition algorithms, liveness detection, and management platform (USD 5,000-100,000 depending on scale).
  • Compliance costs: DPIA preparation (USD 3,000-15,000 for external consultant), PSB registration fees (minimal), legal review (USD 5,000-20,000).
  • Data localization infrastructure: Local server deployment or China-based cloud services (Alibaba Cloud, Tencent Cloud, Huawei Cloud) adds 20-40% to cloud infrastructure costs compared to international cloud providers.
  • Ongoing maintenance and compliance: Annual compliance audits, consent refresh, and system updates (5-15% of initial deployment cost per year).

Step 8: Plan for Regulatory Changes and Audits

China’s regulatory environment for biometric data is evolving rapidly. In 2025-2026, several new measures have been introduced or strengthened:

The registration requirement for biometric data processing (covered in detail in our companion guide, CG360-BIOMETRICS-GUID-006) now applies to any enterprise processing biometric data of more than 10,000 individuals annually. The CAC has also increased the frequency of spot inspections, particularly for foreign-invested enterprises. Companies should maintain a comprehensive compliance documentation package that includes the DPIA, consent records, data flow maps, vendor due diligence reports, and cross-border transfer impact assessments.

Foreign companies should also designate a local representative or data protection officer (DPO) based in China, as required by PIPL Article 53 for companies that process large volumes of personal information. The DPO serves as the primary point of contact for regulatory inquiries and is personally accountable for compliance breaches, making this a critical hiring decision.

Decision Matrix Summary

To help foreign companies make a structured decision, we provide the following decision framework:

Factor Facial Recognition Fingerprint Iris Voice
Regulatory burden Highest Moderate High Moderate
PSB registration required Yes Generally no Yes (security context) No
DPIA required Yes Yes Yes Yes
Cross-border transfer Restricted Restricted Highly restricted Restricted
On-device processing feasible Yes Yes Limited Limited
Alternative modality required Yes Yes Yes Yes
Typical deployment cost per point USD 1,000-3,000 USD 200-500 USD 2,000-5,000 USD 500-2,000

Conclusion

Deciding on a biometric system in China requires foreign companies to carefully balance operational needs against a complex and evolving regulatory framework. The safest approach is to start with a clear use case definition, choose the least intrusive biometric modality that meets your requirements, deploy on-device processing to minimize data exposure, and engage experienced Chinese legal counsel with specific expertise in data protection and cybersecurity law. Companies that invest in proper compliance infrastructure from the start will find that biometric systems in China can deliver significant operational efficiencies while maintaining regulatory compliance in 2026 and beyond.

For the next steps on registration requirements, please refer to our companion guide: How to Register Biometric Data Processing in China: 2026 Guide for Foreign Firms.


Related articles

How Volkswagen Passed China’s Dual Credit Emissions Standards: Manufacturing Compliance Case Study

How Volkswagen Passed China's Dual Credit Emissions Standards: Manufacturing Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;l

How Schneider Electric Green-Certified Its China Supply Chain: ESG Case Study

How Schneider Electric Green-Certified Its China Supply Chain: ESG Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;line-height

How Tesla Reduced Factory Emissions in Shanghai: Environmental Compliance Case Study

How Tesla Reduced Factory Emissions in Shanghai: Environmental Compliance Case Study In just 36 months from groundbreaking to full operation, Tesla's

How BASF Achieved Zero Liquid Discharge at Its China Verbund Site: Wastewater Compliance Case Study

How BASF Achieved Zero Liquid Discharge at Its China Verbund Site: Wastewater Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;