What Biometric Data Consent Rules Exist in China for Foreign Firms?

Date:

Share post:






What Biometric Data Consent Rules Exist in China for Foreign Firms? | China-Gateway360


What Biometric Data Consent Rules Exist in China for Foreign Firms?

A comprehensive FAQ on PIPL consent requirements for biometric collection, processing, and management — written for foreign enterprises operating in China.

1. What is “separate consent” under PIPL Articles 29–32?

Under the Personal Information Protection Law (PIPL) of the People’s Republic of China, biometric data qualifies as sensitive personal information (SPI). Articles 29 through 32 impose stricter consent requirements for SPI than for ordinary personal information.

The single most important concept is “separate consent” (单独同意). This means:

  • The consent for biometric processing must be obtained in a standalone action — it cannot be bundled into a general privacy policy or terms of service.
  • The user must be presented with a clear, specific notice describing exactly what biometric data will be collected, for what purpose, how long it will be retained, and whether it will be shared with any third party.
  • The consent must be affirmative — pre-ticked boxes, silence, or inaction do not constitute valid separate consent.
Key Takeaway
Separate consent differs from general consent in that it requires a dedicated opt-in action for the specific sensitive processing activity. You cannot satisfy this requirement with a single line buried in a 20-page privacy policy. Each biometric use case (e.g., fingerprint time clock, facial recognition access, iris scanner) needs its own separate consent.

Articles 29–32 also require that data processors inform the individual of the necessity of collecting the biometric data and the consequences of refusing. For foreign firms, this is doubly important — Chinese regulators expect notices to be provided in clear, plain Chinese, not legalese, and translated accurately from any English original.

2. Written consent vs. electronic consent — are both valid?

Yes, both written (paper) and electronic consent are valid under PIPL, provided they meet the standard of being freely given, informed, unambiguous, and specific. The PIPL does not mandate a particular medium; it mandates a particular quality of consent.

Consent Type Validity Best Practice for Foreign Firms
Written (paper) consent Valid if the signatory is identified and the form clearly states the biometric purpose, retention, and sharing details. Use bilingual (Chinese + English) forms. Keep scanned copies with timestamps. Ensure the signatory box is separate from employment contract signatures.
Electronic consent Valid if the electronic signature is reliable and the consent interface is not bundled with other agreements. Use a dedicated biometric consent pop-up or separate e-signature workflow. Log the timestamp, IP address, and user ID. Do not use pre-checked boxes.
Implied consent Not valid for biometric data under any circumstance. Never assume silence, continued employment, or general policy acknowledgment counts as consent for biometric processing.

For foreign firms, electronic consent management is strongly recommended because it provides an auditable trail. Written consent, while legally valid, introduces practical challenges around storage, retrieval, and proof of consent in the event of a regulatory inspection or lawsuit.

3. What counts as biometric data under PIPL?

The PIPL does not exhaustively list every type of biometric data, but the Cybersecurity Administration of China (CAC) and the Standardization Administration have issued guidance (notably GB/T 35273—2020 and the 2023 Regulations on the Security of Personal Information Processing Activities) that define biometric data as any personal information resulting from specific technical processing of the physical, physiological, or behavioral characteristics of a natural person, which can be used for unique identification.

Common examples in a foreign firm’s China operations include:

  • Fingerprint scans (time clocks, device login)
  • Facial recognition (building access, CCTV surveillance with face tagging)
  • Iris scans (high-security areas)
  • Palm vein scans (access control)
  • Voiceprint (voice-based authentication systems)
  • Gait analysis (behavioral biometrics in workplace monitoring)
Important Distinction
Standard digital photographs (e.g., an employee ID photo stored in an HR system) are not necessarily biometric data if they are not processed through a technical system for unique recognition. However, once that same photo is ingested by a facial recognition algorithm, it becomes biometric data subject to Articles 29–32. Foreign firms should err on the side of treating all images that could be used for recognition as biometric.

4. What is the purpose limitation requirement for biometric data?

PIPL Article 6 requires that the collection of personal information be limited to the minimum scope necessary to achieve the processing purpose. For sensitive personal information (biometrics), this principle is even stricter.

Foreign firms must:

  • Define a specific, explicit, and legitimate purpose before collecting biometric data (e.g., “employee attendance recording” rather than “workplace management”).
  • Ensure the biometric data is not reused for another purpose without obtaining a new separate consent.
  • Document the purpose in the consent notice and in the Personal Information Protection Impact Assessment (PIPIA).

A common trap for foreign companies is using a fingerprint time clock for attendance and then, without fresh consent, using the same fingerprint data to unlock office printers or log into workstations. Each new purpose requires a new separate consent.

5. Data retention period disclosure

PIPL Article 19 states that personal information processors must specify the data retention period in the privacy notice. For biometric data, regulators expect the retention period to be the minimum necessary to fulfill the purposeand no longer.

Typical retention benchmarks used by Chinese regulators:

Use Case Recommended Retention Rationale
Attendance (fingerprint/facial) Duration of employment + 1 year (per labor arbitration statutes of limitations)
Building access (facial recognition) Duration of employment or facility access authorization period
Security CCTV (with facial recognition) 30–90 days (per public security regulations)
Computer login biometrics Duration of employment

The retention period must be stated in the consent notice. Foreign firms should add a clause specifying that data will be securely deleted or anonymized after the retention period expires. Periodic audits of stored biometric data are strongly recommended.

6. Third-party sharing disclosure requirements

Under PIPL Articles 23 and 30, if a foreign firm transfers biometric data to any third party (including cloud service providers, HR software vendors, or overseas affiliates), the following must be disclosed before collection:

  • The identity and contact details of the third party
  • The type of biometric data being shared
  • The purpose and method of processing by the third party
  • The retention period or deletion policy of the third party
  • Whether the data will be transferred outside of China
Cross-Border Transfer Alert
If biometric data is sent to servers located outside mainland China, additional requirements under PIPL Chapter 3 apply, including a security assessment with the CAC (for critical data operators) or standard contractual clauses. A separate consent for cross-border transfer is also required — it cannot be bundled with the domestic biometric consent.

7. Right to withdraw consent (PIPL Articles 15–16)

PIPL Article 15 grants individuals the unconditional right to withdraw consent at any time. Article 16 states that a data processor shall not refuse to provide products or services because the individual withdrew consent — unless the processing of the personal information is necessary for the provision of the product or service.

For foreign firms in the employment context, this creates a nuanced situation:

  • An employee can withdraw consent for biometric processing at any time.
  • The employer must provide an alternative non-biometric method (e.g., RFID badge, PIN code, manual sign-in) and cannot retaliate or penalize the employee for doing so.
  • The withdrawal must be as easy as giving consent — ideally through the same interface or a straightforward HR process.
Pitfall for Foreign Firms
Do not include language in the consent form that suggests withdrawal is difficult or has negative consequences. A clause such as “If you withdraw consent, we may need to review your continued employment” could be deemed coercive and invalid under PIPL. Chinese labor arbitrators have sided with employees in such cases (see Enforcement Cases, Q20).

8. Consequences of consent withdrawal for employment

This is one of the most frequently asked questions by foreign HR and legal teams. The short answer: consent withdrawal for biometric processing cannot be grounds for termination, demotion, salary reduction, or any adverse employment action.

PIPL Article 16, read together with China’s Labor Contract Law, establishes that:

  • Biometric data processing is generally not essential for the performance of the employment contract. Attendance can be tracked through alternative means.
  • If an employer terminates an employee for refusing biometric collection, the termination would likely be ruled illegal, entailing reinstatement or double severance damages.
  • The employer bears the burden of proving that biometrics are strictly necessary for the role — a very high bar that few foreign firms can meet for general office positions.

Foreign firms should update their HR policies to explicitly state that biometric participation is voluntary and that non-participation will not affect employment status, performance reviews, or compensation.

9. Alternative methods for employees who refuse

Employers must offer a reasonable alternative for employees who refuse biometric collection. The alternative should not be punitive or stigmatizing. Acceptable alternatives include:

  • Proximity cards / RFID badges for access control and time tracking
  • PIN codes or passwords for system login
  • Paper sign-in sheets or supervisor attestation for attendance
  • QR code scanning via a company mobile app

The alternative method should be reasonably convenient — requiring an employee who refuses fingerprint scanning to walk 15 minutes to a different building to sign in would likely be seen as constructive coercion. Regulators examine the totality of the circumstances to determine whether the alternative is genuine or pretextual.

10. Consent for CCTV / surveillance in the workplace

CCTV in the workplace is common in China, but when it incorporates facial recognition or other biometric identification capabilities, separate consent is required. Key rules:

  • Notice requirement: Clear signage must be posted at all CCTV-covered areas stating that biometric-capable surveillance is in use.
  • Separate consent: Employees must give separate consent for the biometric processing component of the CCTV system. General CCTV for security (without biometric identification) may be covered under legitimate interest, but the moment facial recognition is enabled, SPI consent rules kick in.
  • Restricted zones: Biometric CCTV in restrooms, locker rooms, and private休息室 (rest areas) is strictly prohibited under both PIPL and China’s Personal Information Security Specification (GB/T 35273).
Compliance Tip
Many foreign firms operate CCTV systems that have facial recognition as a built-in feature — even if it is not actively used. Under PIPL, if the capability exists and is not disclosed, regulators may consider the system to be processing biometric data. Disable facial recognition features where not required, and document the system configuration in your PIPIA.

11. Consent for biometric time clocks

Biometric time clocks (fingerprint, facial, or palm scanning for attendance) are among the most common use cases for foreign firms in China. The consent requirements are:

  • The clock must display or be accompanied by a notice explaining what biometric data is collected and why.
  • A separate consent form (paper or electronic) must be signed before the first scan.
  • The consent form must specify whether the biometric template is stored on the device locally, on a local server, or in the cloud.
  • If the time clock system is provided by a third-party vendor (e.g., a SaaS attendance platform), the vendor’s role and data access must be disclosed.

Foreign firms should ensure that time clocks support an alternative input method (e.g., PIN or card) for employees who have not given biometric consent. The device should not display a “fingerprint required” prompt that could be misconstrued as mandatory.

12. Consent for building access systems

Building access via biometric authentication (facial recognition gates, fingerprint scanners at entrances) follows the same consent framework but with additional considerations:

  • Visitor consent: One-time consent for visitors may be obtained through a kiosk or reception process, but it must still be specific and informed. A sign at the entrance saying “By entering, you consent to facial recognition” is not sufficient.
  • Employee consent: Obtained during onboarding (see Q14). Must specify whether biometric data is used for both building access and attendance tracking if the same system serves both purposes.
  • Emergency override: PIPL allows biometric processing without consent in emergency situations (life, health, or property protection under Article 13), but this exception is narrow and does not cover routine building access.

For multi-tenant office buildings where a foreign firm leases space, the landlord may operate the building access system. In that case, the foreign firm should ensure its lease agreement addresses biometric data responsibilities and that its employees are separately informed about the landlord’s biometric processing.

13. Consent for computer monitoring / biometric login

Biometric login for company computers (fingerprint readers, Windows Hello facial recognition, or iris scanners) is a growing area of regulatory attention. Requirements include:

  • Device-level vs. enterprise-level: If the biometric login is a built-in feature of a personal device (e.g., a company laptop’s fingerprint reader used for Windows login), and the employer does not centrally collect or store the biometric data, the requirement is less stringent. However, if the employer pushes a biometric authentication policy via Group Policy or MDM and centrally stores biometric templates, separate consent is required.
  • Monitoring software: If the employer uses keystroke dynamics, mouse movement analysis, or other behavioral biometrics for productivity monitoring, this is SPI and requires separate consent.
  • Screen recording: Automatic screen capture with face detection is biometric processing and requires consent.
Cross-Border Concern for Foreign Firms
If a foreign firm’s global IT system collects biometric data from employees in China and transmits it to a server in the US, Europe, or Singapore, a separate cross-border data transfer consent is required, and a PIPIA must be completed. Several foreign firms have been investigated for exactly this scenario in 2024–2025 (see Enforcement Cases).

14. Existing employees vs. new hires

The PIPL transition rules and implementing regulations draw a practical distinction between existing employees and new hires, though the legal requirements are the same:

Category Approach Timeline
New hires Obtain separate biometric consent during onboarding, before any biometric system enrollment. The consent form should be a standalone document distinct from the employment contract. Before first day of biometric system use
Existing employees Retrospective consent campaign. A “grandfather” approach is not permitted — biometric data collected before PIPL’s effective date or before proper consent processes were implemented must be either re-consented or deleted. As soon as practicable; Chinese regulators generally allowed a grace period until mid-2023, but as of 2025–2026, any processing of legacy biometric data without separate consent is non-compliant.
Contractors / temps Must be treated as individuals. The contracting firm and the host firm must clarify who is the data processor and who is the data handler. Separate consent must be obtained by the entity that determines the purpose and means of processing. Before biometric enrollment

For retrospective consent campaigns among existing employees, foreign firms should communicate clearly that participation is voluntary and that alternative methods are available. A high-pressure “re-consent or else” approach risks invalidating the consent and creating labor relations issues.

15. Record-keeping requirements for consent documentation

PIPL Article 55 and the accompanying Measures on Personal Information Protection Impact Assessment require data processors to document and retain records of consent for sensitive personal information processing. Specific requirements include:

  • Retain the consent record for at least 3 years after the processing ends (many foreign firms adopt a 5-year or 6-year policy to align with Chinese labor arbitration and contract law statutes of limitations).
  • The record must show: (a) the exact content of the notice presented to the individual, (b) the date and time of consent, (c) the method of consent, and (d) any subsequent withdrawal or modification.
  • For electronic consent: retain server logs showing the user session, the exact version of the consent screen, timestamps, and IP addresses.
  • For written consent: retain the original signed form or a high-resolution scanned copy with a verified timestamp.
Best Practice
Implement a consent management platform (CMP) that generates a unique consent ID for each individual, records the exact version of the notice they saw, and tracks consent lifecycle (granted, modified, withdrawn). This is the single most effective measure for demonstrating compliance during a CAC inspection.

16. Consent management system best practices

A robust consent management system (CMS) is essential for foreign firms collecting biometric data at scale in China. Recommended features include:

  • Granular consent capture: Separate consent options for each biometric use case (attendance, access, login, CCTV).
  • Versioned notices: When the privacy notice changes, the system should require re-consent or at minimum notify users of the change.
  • Withdrawal mechanism: A self-service portal or HR workflow where employees can withdraw or modify consent at any time, with immediate effect.
  • Audit trail: Immutable logs of every consent event, including the notice version presented.
  • Language support: All consent interfaces available in Chinese (simplified) with English as a supplementary language. Chinese-language consent is the legally operative version.
  • Integration with HRIS: Automated mapping of consent status to biometric device provisioning (e.g., if consent is withdrawn, the employee’s biometric template is deleted from the time clock within 24 hours).

Several international and China-local vendors offer consent management solutions that support PIPL compliance, including OneTrust, Securiti, and local providers like ByteDance’s Feishu compliance module. Foreign firms should evaluate whether a global platform covers PIPL-specific requirements or whether a China-local solution is needed.

17. Template consent language

Below is a model consent clause for biometric data collection by a foreign firm in China. This is for illustrative purposes and should be reviewed by China-qualified legal counsel before use.

Model Consent Clause (Bilingual Summary — English)

“I, [Employee Name], hereby acknowledge and freely give my separate consent to [Company Name] to collect and process my [fingerprint / facial image / iris scan] data for the specific purpose of [employee attendance recording / building access control]. I understand that:

1. My biometric data will be stored [locally on device / on company servers located in mainland China] for the duration of my employment plus [X] months after termination, after which it will be permanently deleted.
2. My biometric data will not be shared with third parties except [list specific vendors, if any], who are contractually obligated to comply with PIPL.
3. I may withdraw this consent at any time by notifying HR, and an alternative non-biometric method will be provided without any negative impact on my employment.
4. I have the right to request access to, correction of, and deletion of my biometric data.
5. This consent is separate from and does not replace any general privacy consent I have provided.”

The Chinese-language version should be the authoritative version. All disclosures required under Articles 29–30 should be explicitly stated in the same document, not referenced by hyperlink to an external policy.

18. PIPIA requirements before collecting biometric data

PIPL Article 55 mandates that data processors conduct a Personal Information Protection Impact Assessment (PIPIA) before engaging in any of the following activities involving sensitive personal information:

  • Processing biometric data (explicitly listed)
  • Automated decision-making using personal information
  • Entrusting processing to a third party
  • Transferring personal information outside of China

The PIPIA must cover at least:

  1. The purpose, necessity, and proportionality of the biometric data processing
  2. The potential risks to the rights and interests of individuals
  3. The security measures in place to protect the biometric data
  4. The retention and deletion policy

The PIPIA report must be retained for at least 3 years (Article 56). Foreign firms should note that the PIPIA is not a one-time exercise — it should be reviewed and updated whenever there is a material change in the processing activity, the technology used, or the applicable regulatory guidance.

Document Retention Warning
In multiple 2024–2025 enforcement actions, regulators requested PIPIA documentation during inspections. Companies that could not produce a completed PIPIA faced fines of up to RMB 500,000 (approximately USD 70,000) and orders to cease processing biometric data. Foreign firms should ensure PIPIA reports are finalized and signed off by the company’s data protection officer (DPO) before biometric systems go live.

19. Special rules for minors’ biometric data

Under PIPL Article 31, biometric data of minors under the age of 14 is subject to even stricter protections:

  • Consent must be obtained from the parent or guardian, not the minor.
  • The notice must be understandable to both the parent and the child.
  • Additional measures must be taken to verify the identity of the parent or guardian giving consent.
  • Processing of minors’ biometric data is generally discouraged unless strictly necessary for the minor’s safety or legal compliance (e.g., school campus security).

For foreign firms, this is most relevant in contexts such as international schools, summer camps, children’s entertainment venues, or any business that serves minors in China. Collecting biometric data from minors without parental consent can result in fines of up to 5% of annual revenue (PIPL Article 66 — the top-tier penalty level).

20. Enforcement cases (2024–2026) related to consent violations

Chinese regulators have increasingly enforced biometric consent requirements. Notable cases include:

Year Case / Sector Violation Penalty
2024 Large US tech firm — Shanghai office
Facial recognition for building access
No separate consent obtained; consent bundled with general employment handbook acknowledgment; no PIPIA on file RMB 500,000 fine; ordered to delete all facial templates and re-consent all employees; DPO personally admonished
2024 European retail chain — multiple stores
Fingerprint time clocks for all store employees
No alternative method offered; employees who refused were marked “late” in attendance records; no disclosure of third-party cloud storage vendor RMB 350,000 fine; ordered to pay compensation to affected employees (average RMB 8,000 per employee); required to implement a consent management system
2025 Japanese manufacturing plant — Guangdong
Palm vein scanners for factory floor access
No PIPIA conducted; biometric data retained for 10 years (excessive); no withdrawal mechanism provided RMB 800,000 fine (repeat violation); temporary suspension of biometric processing for 60 days; criminal referral for responsible manager (pending)
2025 Korean financial services — Beijing branch
Voiceprint authentication for phone banking
Insufficient notice — consent was obtained via a pre-checked checkbox in a 50-page terms document; no separate consent for cross-border transfer of voiceprints to Korean HQ RMB 1.2M fine; cross-border transfer suspended; required to appoint a China-based data protection representative
2026 Singaporean logistics firm — nationwide
Facial recognition in warehouse CCTV
Facial recognition enabled but not disclosed to employees or visitors; CCTV signs mentioned only “security recording” not “biometric identification” RMB 2.1M fine (largest biometric consent fine to date); public shaming notice on local CAC website; CEO summoned for regulatory interview

These cases demonstrate a clear escalation in enforcement. Key patterns: (a) fines are increasing year over year, (b) regulators are looking beyond consent forms to actual implementation (e.g., whether real alternatives exist), and (c) personal liability for managers is becoming a real risk.

21. How foreign companies should handle consent differently from domestic firms

While PIPL applies equally to domestic and foreign firms, foreign companies face unique risks and obligations that warrant a differentiated approach:

Area Foreign Firm Considerations Domestic Firm Baseline
Cross-border data transfer Biometric data is almost always subject to CAC security assessment or standard contractual clauses if sent overseas. Many foreign firms’ global HR systems store data outside China, triggering additional consent and assessment requirements. Most domestic firms process and store data within China, avoiding the cross-border compliance layer.
Language of consent Must provide consent forms and notices in Chinese that are clear and plain. English-only or English-primary consent is a common compliance gap. Courts and regulators will read the Chinese version. Chinese-language consent is standard. No translation complexities.
Data localization Must identify whether biometric data falls under data localization requirements (e.g., if processed by a critical information infrastructure operator). Foreign firms often inadvertently route biometric data through global VPNs or cloud services. Generally process within China; fewer localization concerns.
Regulatory scrutiny Foreign firms are subject to heightened regulatory scrutiny, particularly US and EU companies. CAC inspections are more frequent, and penalties tend to be higher for foreign firms to set an example. Domestic firms face enforcement but typically receive lower fines and more remedial guidance.
DPO appointment PIPL requires the appointment of a DPO for certain data processing volumes. For foreign firms, the DPO should be based in China or accessible during Chinese business hours. A DPO located only at global HQ will not satisfy regulators. DPO is typically a local appointment.
Inspection readiness Foreign firms should conduct mock CAC inspections at least annually, testing consent documentation, PIPIA files, data deletion procedures, and withdrawal mechanisms. Domestic firms increasingly adopt similar readiness practices, but foreign firms face a higher inspection probability.
Strategic Recommendation
Foreign firms should treat PIPL biometric consent compliance not as a checkbox exercise but as an ongoing governance program. The costs of non-compliance — direct fines, operational suspension, reputational damage in the Chinese market — far exceed the investment required to implement a proper consent management system, conduct PIPIAs, and train local HR and IT teams. Given the 2024–2026 enforcement trajectory, proactive compliance is the only viable strategy.

Summary Checklist for Foreign Firms

  • ☐ Identify all biometric data processing activities across all China offices and facilities
  • ☐ Obtain separate consent for each biometric use case from every individual
  • ☐ Complete and document a PIPIA for each biometric processing activity
  • ☐ Implement a consent management system with audit trails and withdrawal capabilities
  • ☐ Offer genuine, non-punitive alternative methods for employees who refuse
  • ☐ Disclose all third-party sharing and cross-border transfers with separate consent
  • ☐ Set and communicate specific retention periods with automated deletion triggers
  • ☐ Conduct a retrospective consent campaign for existing employees and legacy data
  • ☐ Appoint a China-based DPO and train local HR/IT/legal teams on PIPL consent rules
  • ☐ Engage China-qualified legal counsel to review consent forms and privacy notices


Related articles

Incineration vs Landfill: Which Waste Treatment Approach for Industrial Waste in China?

Incineration vs Landfill: Which Waste Treatment Approach for Industrial Waste in China? China's industrial sector generates over 3.5 billion metric to

In-House ESG Reporting vs Third-Party Auditing: Which Sustainability Approach in China?

In-House ESG Reporting vs Third-Party Auditing: Which Sustainability Approach in China? Last updated: July 2026 | Category: Environmental Compliance |

China National ETS vs Voluntary Carbon Market: Which Carbon Trading Approach for Foreign Firms?

China National ETS vs Voluntary Carbon Market: Which Carbon Trading Approach for Foreign Firms? Last updated: July 2026 | Category: Environmental Comp

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreign Firms

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreig