How to Handle Biometric Consent in China: 2026 Guide for Foreign Businesses

Date:

Share post:






How to Handle Biometric Consent in China: 2026 Guide for Foreign Businesses


How to Handle Biometric Consent in China: 2026 Guide for Foreign Businesses

Compliance Snapshot: Under China’s PIPL Articles 29–32, biometric data requires separate, explicit, and informed consent distinct from general employment terms. The 2024 Facial Recognition Regulation added further requirements including mandatory signage, prohibition on covert collection, and mandatory alternatives. Companies failing to obtain proper consent face fines up to ¥50 million (approx. $7 million) or 5% of annual revenue.

1. PIPL Articles 29–32: The Consent Framework

Articles 29 through 32 of the Personal Information Protection Law establish the legal framework for processing biometric data as sensitive personal information. Understanding each article’s requirements is essential for foreign companies.

Article 29 — Separate Consent: Processing sensitive personal information requires “separate consent” from the data subject. This is distinct from the general consent obtained through employment contracts or standard privacy policies. Separate consent means an independent, dedicated consent action specifically addressing biometric data collection, with no bundling with other consent types.

Article 30 — Notification Obligations: Before processing biometric data, the data processor must notify the individual of: the necessity of processing the biometric data, the purpose and method of processing, the types of biometric data collected (fingerprint, facial, iris, voice, etc.), the retention period, and the impact on the individual’s rights and interests. This notification must be in clear, plain language and provided in both Chinese and, where practical, English for foreign employees.

Article 31 — Minors: Processing biometric data of minors under 14 requires parental or guardian consent. For foreign companies employing workers under 14 (rare but possible in certain entertainment or education contexts), this adds an additional consent layer.

Article 32 — Legal Provisions: Where other laws or regulations impose stricter requirements on specific types of biometric data processing, those requirements prevail. This creates a layered compliance environment where sector-specific regulations may add to — but never subtract from — PIPL requirements.

2. Separate vs. Bundled Consent

The concept of “separate consent” is perhaps the most important and most frequently misunderstood requirement of the PIPL. A 2025 CAC enforcement bulletin specifically flagged bundled consent as the top compliance failure among foreign-invested enterprises.

Aspect Bundled Consent (Non-Compliant) Separate Consent (Compliant)
Location Hidden in employee handbook or general PIPL privacy policy Standalone biometric consent document
Checkbox Pre-checked or part of a general “I agree” button Explicit opt-in checkbox, unchecked by default
Purpose Vague (“for HR management purposes”) Specific (“for fingerprint attendance tracking at Facility A entrance”)
Scope All personal data types combined Biometric data only, separate from other PI
Alternative No alternative mentioned Alternative method explicitly offered
Withdrawal Not addressed Clear withdrawal process described

3. Five Elements of Valid Consent

For biometric consent to be valid under Chinese law, it must satisfy five distinct elements:

  1. Specific purpose: The consent form must state precisely why biometric data is collected, where, for how long, and for what specific use. Example: “Fingerprint data will be collected for time and attendance recording at the Shanghai factory gate. Data will be stored locally on the terminal device and deleted within 30 days of employment termination.”
  2. Data retention period: The consent must specify how long biometric data will be retained and the criteria for determining this period. Example: “Your fingerprint template will be retained for the duration of your employment plus 30 days after termination, after which it will be permanently deleted.”
  3. Third-party sharing disclosure: Any third parties that will receive biometric data must be named. This includes HR software providers (e.g., SAP SuccessFactors, Workday), biometric system vendors, cloud storage providers, and overseas headquarters.
  4. Right to withdraw: The consent form must describe how to withdraw consent (e.g., submitting a written request to HR), what happens upon withdrawal (alternative method will be provided), and that withdrawal does not affect the lawfulness of processing before withdrawal.
  5. Voluntary nature: The consent form must state that providing biometric data is voluntary, that refusal does not affect employment status or benefits, and that a non-biometric alternative exists.
Model Language for Chinese Consent Forms:

“本人理解并同意,为[具体目的,如“门禁及考勤管理”]之目的,公司收集并使用本人的[具体生物识别信息类型]数据。本人理解提供此数据是自愿的,本人有权随时撤回同意而不影响本人的工作权益。公司将为本人提供非生物识别的替代验证方式。[公司名称]将根据《个人信息保护法》及相关法规保护本人数据安全。”

(Translation: “I understand and agree that for the purpose of [specific purpose], the company will collect and use my [specific biometric data type]. I understand that providing this data is voluntary and I have the right to withdraw consent at any time without affecting my employment rights. The company will provide alternative non-biometric verification methods.”)

4. Informed vs. Written Consent

Article 29 of the PIPL requires “separate consent” but does not explicitly mandate written (signed) consent. However, the practical compliance burden is effectively the same for foreign companies. While electronic consent (e.g., clicking a checkbox on an HR system, scanning a QR code) is legally valid, written consent with a wet signature remains the gold standard for CAC enforcement purposes.

In practice, most foreign companies use a hybrid approach: employees sign a paper consent form during onboarding, which is then scanned and stored in the HR system alongside an electronic acknowledgment. This dual-record approach provides the strongest evidentiary position in the event of a CAC inspection.

5. Consent Withdrawal Mechanisms

Under Article 15 of the PIPL, individuals have the right to withdraw their consent at any time. Article 16 specifies that a data processor cannot refuse to provide services or lower service quality because an individual withdraws consent, unless the biometric processing is strictly necessary for the service.

For employment contexts, this means:

  • No penalty for withdrawal: An employee who withdraws biometric consent cannot be demoted, have their pay reduced, or be otherwise disadvantaged.
  • Immediate effect: Withdrawal takes effect immediately for future processing. The company must stop collecting the employee’s biometric data as soon as the withdrawal is processed.
  • Data deletion: Upon withdrawal, the company must delete the employee’s biometric data unless retention is required by law (e.g., for labor dispute evidence).
  • Retrospective validity: Processing conducted before withdrawal remains lawful — withdrawal does not have retrospective effect.

Foreign companies should establish a dedicated process for handling consent withdrawal requests, with a target response time of no more than 5 business days. The withdrawal process should be as easy as the consent process — ideally through the same HR portal or a simple written request to HR.

6. Handling Refusal and Providing Alternatives

A critical requirement under the PIPL is that companies must provide non-biometric alternatives for employees who refuse biometric data collection. This is not optional — the 2024 Facial Recognition Regulation and multiple enforcement actions have confirmed this obligation.

Acceptable alternatives include: keycard/PIN code for access control, manual sign-in for attendance, password-based computer login, and smartphone-based authentication (QR code, OTP). The alternative should be functionally equivalent to the biometric system — it should not be slower, less convenient, or stigmatizing to use.

High-Profile Case: In 2025, a US technology company’s Shanghai office was fined ¥1.5 million for requiring all employees to use facial recognition for building access. The company offered no alternative. After 12 employees filed complaints with the CAC, the company was ordered to install card readers and retroactively obtain consent from all 400+ employees.

7. Existing vs. New Employees

Foreign companies often ask whether existing employees need new consent forms. The answer is yes — any biometric system deployed before the PIPL (or before the company established a compliant consent process) must be re-authorized.

Scenario Requirement Timeline
New employee onboarding Biometric consent must be obtained before the first day of data collection Prior to system enrollment
Existing employees (new system) Full separate consent before deploying any new biometric system At least 14 days before go-live
Existing employees (existing system) Retroactive consent if system predates compliant consent process As soon as practical; if consent is refused, alternative must be provided
System upgrade (new data types) New consent required if new biometric types are added Before upgrade
New purpose New consent required if data is used for a purpose not covered in original consent Before new purpose is implemented

8. Consent by Use Case

Different biometric use cases require different consent approaches:

Use Case Consent Requirements Alternative Needed?
Fingerprint time clock (attendance) Separate consent; specify data as template only, no raw image storage Yes — keycard or PIN code
Facial recognition access (building entry) Separate consent; signage required at camera locations; PIPIA needed Yes — card reader or mobile app
CCTV with facial recognition (security monitoring) Separate consent; additional signage; limited retention (max 30 days unless incident) N/A — passive system; individuals can avoid monitored areas
Voice recognition (phone-based authentication) Separate consent; specify voiceprint creation Yes — PIN or operator-assisted verification
Computer login (fingerprint/face) Separate consent; on-device processing preferred Yes — password or security key

9. Template Consent Form Structure

A compliant biometric consent form for foreign companies should include the following sections:

  1. Header: Company legal name in China, registration number, and privacy officer contact information
  2. Purpose clause: Specific description of why biometric data is needed
  3. Data description: What biometric types will be collected (fingerprint, facial, iris, etc.)
  4. Processing method: How data will be processed (on-device, centralized, cloud-based)
  5. Storage and security: Where data is stored, encryption measures, access controls
  6. Retention period: Specific timeline for data retention and deletion
  7. Third-party recipients: Names of any third parties with access to biometric data
  8. Cross-border transfers: Whether data will be transferred abroad and the legal mechanism
  9. Voluntary statement: Clear statement that consent is voluntary
  10. Withdrawal process: How to withdraw consent and what happens next
  11. Alternative method: Description of the non-biometric alternative available
  12. Signature blocks: Employee name, ID number, signature, and date

10. Enforcement Cases 2025–2026

CAC enforcement of biometric consent violations has accelerated. Notable cases include:

  • Shanghai retail chain (2025): ¥1.8 million fine for using facial recognition for customer analytics without any separate consent form. The chain’s privacy policy mentioned “analytics” generically but did not specifically disclose facial data collection.
  • Shenzhen manufacturing JV (2025): ¥2.3 million fine for requiring fingerprint attendance without offering alternative check-in methods. The CAC found that 200+ employees who objected were forced to enroll or face disciplinary action.
  • Guangzhou logistics company (2026): Ordered to cease all biometric data collection for 90 days after failing to respond to employee consent withdrawal requests within the statutory timeline. The company had also not conducted a PIPIA.
  • Beijing financial services firm (2026): ¥3.5 million fine for transferring voiceprint data to overseas headquarters without obtaining separate consent for cross-border transfer. The original consent form mentioned only domestic processing.
  • Nanjing R&D center (2025): ¥750,000 fine for collecting iris scan data from employees without separate consent — iris scans were included in a general “biometric enrollment” form that lumped fingerprint, facial, and iris data under a single checkbox.

11. Record-Keeping Requirements

Foreign companies must maintain comprehensive records of all biometric consent activities. The PIPIA must be retained for at least three years. Consent records (signed forms, electronic audit trails) should be retained for the duration of the employment relationship plus at least two years after termination. Access logs for biometric data should be retained for at least six months. Train all relevant employees on biometric consent procedures annually and maintain training attendance records. CAC inspectors routinely request these documents during on-site inspections, and failure to produce them is treated as a compliance failure even if the underlying consent is valid.

12. Special Categories: Minors and Foreign Employees

Minors: Under Article 31 of the PIPL, biometric data of children under 14 requires parental or guardian consent. Foreign companies operating schools, training centers, or entertainment venues serving children must implement additional verification procedures. This includes obtaining proof of parental relationship (e.g., household registration book, hukou), securing separate parental consent, and implementing heightened security measures for children’s biometric data.

Foreign employees: Foreign employees working in China are entitled to the same PIPL protections as Chinese citizens. Consent forms and privacy notices should be available in English (or the employee’s native language) as well as Chinese. The CAC has guidance that language barriers do not excuse non-compliance — a foreign employee who signs a consent form only in Chinese may later argue they did not give informed consent.

13. Best Practices for Consent Management

Leading foreign companies in China implement centralized consent management systems that track each employee’s consent status, support withdrawal requests, and generate compliance reports for CAC inspection. These systems maintain version control (so consent forms can be updated when regulations change), provide audit trails showing when and how consent was obtained, and integrate automated reminders for renewal of consent when processing purposes change.

Finally, conduct a quarterly audit of all biometric consent documentation. Verify that consent forms match the actual biometric systems deployed, that deleted employees’ data has been removed, that withdrawal requests have been processed, and that alternatives remain available and functional.

Conclusion

Proper biometric consent management is the foundation of PIPL compliance for foreign businesses in China. The requirement for separate, explicit, and informed consent — with clearly documented alternatives and withdrawal mechanisms — demands a systematic approach backed by proper record-keeping and periodic auditing.

As CAC enforcement continues to intensify in 2026, foreign companies that invest in compliant consent processes — including clear documentation, accessible alternatives, and robust record-keeping — will be best positioned to avoid penalties and maintain employee trust.

This guide was updated in July 2026. Consult with qualified legal counsel for advice specific to your company’s circumstances.


Related articles

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreign Firms

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreig

China’s 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance

China's 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance China's 2025 amendments to the Environmental Protect

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study By 2023, Unilever had reduced its total waste generation across i

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-se