Can Foreign Businesses Use Facial Recognition in China?
FAQ Contents
- Can Foreign Companies Use Facial Recognition for Employee Attendance?
- What Are the Key Regulations?
- What Consent Requirements Apply?
- Are There Restrictions on Public Space Facial Recognition?
- What Are the Best Practices for Workplace Facial Recognition?
- Can Facial Data Be Transferred Abroad?
- What Vendor Compliance Considerations Exist?
- What Are the Penalties for Non-Compliance?
- Are There City-Level Restrictions?
- What Alternatives Exist to Facial Recognition?
1. Can Foreign Companies Use Facial Recognition for Employee Attendance?
Yes, foreign companies may use facial recognition for employee attendance and access control, but only with a robust compliance framework in place. This is one of the most common use cases for biometrics among foreign-invested enterprises (FIEs) in China, particularly in manufacturing, logistics, and office environments.
For workplace attendance, the compliance requirements include:
- Separate explicit consent: Employees must sign a standalone consent form specifically authorizing the collection and processing of their facial data for attendance purposes. This consent cannot be bundled with the employment contract or general HR policies.
- Non-biometric alternative: Companies must provide alternative attendance methods (e.g., PIN code, access card, mobile app check-in) for employees who decline facial recognition. Under Article 16 of the PIPL, employers cannot penalize employees for refusing biometric consent.
- PIPIA: Before deploying any facial recognition system, employers must conduct a Personal Information Protection Impact Assessment and retain it for at least three years.
- Data minimization: Facial images should be converted to mathematical templates immediately upon capture, and raw images should not be stored. The templates should be stored locally within the device or on China-based servers.
- Retention and deletion: Facial data must be deleted promptly when the employment relationship ends or when the employee withdraws consent. Companies should establish clear retention schedules (typically not exceeding the duration of employment plus a reasonable transition period).
2. What Are the Key Regulations Governing Facial Recognition for Foreign Businesses?
Foreign businesses must navigate a multi-layered regulatory landscape. The following key instruments apply:
| Regulation | Effective Date | Key Impact on Foreign Companies |
|---|---|---|
| Personal Information Protection Law (PIPL) | Nov 2021 | Classifies facial data as sensitive PI; requires separate consent, PIPIA, and data localization |
| Cybersecurity Law (CSL) | Jun 2017 | MLPS (dengbao) classification and network security obligations for biometric systems |
| Data Security Law (DSL) | Sep 2021 | Data classification obligations; aggregated facial databases may qualify as “important data” |
| Facial Recognition Management Measures (CAC 2023) | 2023 | Specifically targets commercial FR use; bans covert collection; requires signage and consent |
| Shenzhen PIP Regulation (2021) | Jan 2022 | First local regulation; prohibits mandatory FR in public spaces |
| GB/T 41819-2022 (National Standard) | 2022 | Technical security standard for facial recognition systems |
The 2023 CAC Measures on Facial Recognition Technology Applications specifically targeting commercial use include a requirement that foreign businesses must conduct a prior PIPIA before any deployment. They also ban covert collection and mandate clear signage where cameras operate. In practice, this means a foreign retail chain cannot install facial recognition for customer analytics without first notifying individuals, obtaining explicit consent, and demonstrating a “necessary purpose” — such as security rather than marketing.
3. What Specific Consent Requirements Apply?
Consent for facial recognition under the PIPL is far more stringent than for general personal data. Article 29 mandates that consent for sensitive personal information must be “separate” — meaning it cannot be bundled with consent for other processing activities.
| Requirement | Pre-PIPL Practice | Post-PIPL Requirement (2026) |
|---|---|---|
| Consent type | Implied or bundled in terms of service | Separate, explicit opt-in with standalone form |
| Right to withdraw | Not always provided | Mandatory, with clearly communicated withdrawal mechanism |
| PIPIA | Not required | Mandatory before any facial recognition deployment |
| Alternative to biometrics | Rarely offered | Must be available by law; no penalty for refusal |
| Cross-border transfer | No specific restriction | Security assessment or SCC filing required |
| Retention period disclosure | Often omitted | Must be clearly stated in consent form |
| Third-party sharing disclosure | Rarely disclosed | Must explicitly list all third-party recipients |
A 2023 Shanghai court case fined a hotel chain ¥400,000 for requiring facial scan for room entry without offering an alternative. The court ruled that requiring biometric verification without a non-biometric alternative constitutes a violation of Article 16 of the PIPL.
4. Are There Restrictions on Facial Recognition in Public Spaces Near Workplaces?
Yes. The 2024 Facial Recognition Regulation specifically addresses the use of facial recognition technology in public spaces, including areas adjacent to workplaces such as building lobbies, parking lots, and outdoor perimeters. The key restrictions are:
- Prohibition on mandatory use: Companies cannot force employees or visitors to use facial recognition for accessing public areas of a building if alternatives exist.
- Signage requirement: Any area monitored by facial recognition must have clear, visible signage at all entrances informing individuals of the surveillance.
- Prohibition on secret collection: Hidden or covert facial recognition systems are strictly prohibited.
- Minimization requirement: The number and placement of cameras must be limited to the minimum necessary for the stated security purpose.
- Retention limit: Facial data collected for security purposes in public areas may only be retained for the period necessary to fulfill the security purpose, typically no more than 30 days unless a specific incident requires longer retention.
5. What Are Best Practices for Workplace Facial Recognition?
For foreign companies that decide to deploy facial recognition in the workplace, the following best practices will help ensure compliance:
- Conduct a PIPIA before deployment: Document the necessity, purpose, scope, data flow, security measures, and risk assessment for each facial recognition system.
- Design a separate consent process: Create a standalone consent form specifically for facial recognition, separate from general HR documentation. Ensure it is available in both Chinese and English.
- Provide clear notice: Post signage at all camera locations. Include information about the data controller, purpose, retention period, and contact information for privacy inquiries.
- Offer alternatives: Provide keycards, PIN codes, or mobile app check-in for employees who decline facial recognition. Ensure these alternatives are equally convenient.
- Implement template-based storage: Convert facial images to encrypted mathematical templates immediately upon capture. Do not store raw facial images.
- Localize all data: Store all facial recognition data on servers physically located in mainland China. Do not use cloud servers hosted outside China.
- Establish deletion protocols: Automatically delete facial templates when employees depart or withdraw consent. Audit deletion logs quarterly.
- Limit access: Restrict access to facial recognition data to the minimum number of authorized HR and IT personnel. Implement audit logging.
- Conduct annual reviews: Review compliance with all applicable regulations annually, or more frequently if regulations change.
- Document vendor compliance: Ensure that all facial recognition system vendors (e.g., Hikvision, Dahua, ZKTeco) have PIPL-compliant data processing agreements in place.
6. Can Facial Data Be Transferred Abroad?
Cross-border transfer of facial recognition data is heavily restricted. Under PIPL Article 38 and the Measures for Security Assessment of Cross-Border Data Transfers, facial data transferred abroad requires one of three mechanisms:
- CAC Security Assessment: Required when processing sensitive personal information of 10,000+ individuals. Processing time is 3–6 months.
- Standard Contract (SCC) Filing: For smaller-scale transfers. Requires filing with provincial CAC authorities within 10 working days of signing.
- Third-Party Certification: An alternative to SCC, though less commonly used for facial data.
A PIPIA must also be completed before any cross-border transfer, regardless of the mechanism used. The safest path for most foreign companies is to localize all facial data on servers within mainland China and restrict overseas access to de-identified, aggregated reports only.
7. What Vendor Compliance Considerations Exist?
When procuring facial recognition systems from Chinese vendors, foreign companies must conduct thorough due diligence:
| Vendor | Key Products | Compliance Considerations |
|---|---|---|
| Hikvision | Face recognition cameras, terminals, NVRs | Ensure data processing agreement (DPA) covers PIPL requirements; verify local storage option |
| Dahua Technology | Face recognition access control, time attendance | Require on-device template matching; ensure no cloud backup outside China |
| ZKTeco | Biometric time clocks, access control panels | Configure for local-only processing; disable any cloud synchronization features |
All vendor contracts must include PIPL-compliant data processing clauses specifying: scope of data processing, purpose limitation, security measures, subcontracting restrictions, data deletion upon contract termination, audit rights, and liability allocation.
8. What Are the Penalties for Non-Compliance?
Penalties under the PIPL and related laws are severe:
| Violation | Maximum Penalty | Additional Consequences |
|---|---|---|
| Processing facial data without separate consent | ¥50 million or 5% of annual revenue | Suspension of activities, license revocation |
| Cross-border transfer without security assessment | ¥50 million or 5% of annual revenue | Data deletion order, business suspension |
| Failure to conduct PIPIA | ¥500,000 corporate; ¥100,000 personal | Rectification order, public notice |
| Covert facial recognition collection | ¥1–5 million | System removal, negative publicity |
In 2025, a European retail chain in Beijing was fined ¥680,000 for using facial recognition at store entrances without proper signage or separate consent. The company also had to remove all cameras and issue a public apology.
9. Are There City-Level Restrictions?
Yes, several cities have enacted local regulations that add requirements beyond national law:
Shenzhen (2021): The Shenzhen Special Economic Zone Personal Information Protection Regulation was the first local law. It specifically prohibits mandatory facial recognition and requires alternatives. Foreign companies with Shenzhen operations face the strictest local framework.
Shanghai (2023–2024): Shanghai’s PIPL implementation guidelines require additional notice formatting and language requirements for foreign companies in the Shanghai Free Trade Zone.
Beijing (2023): Beijing’s pilot data governance rules for the CBD area restrict the use of facial recognition in commercial settings, particularly for customer behavior tracking.
Hangzhou (2024): Hangzhou introduced guidelines for facial recognition in the hospitality sector, requiring hotels to clearly disclose all facial data collection practices.
Chengdu (2024): Chengdu’s guidelines focus on tourism and entertainment venues, requiring clear signage and alternative verification methods at attractions and performance venues.
10. What Alternatives Exist to Facial Recognition?
Given the regulatory complexity, many foreign companies are choosing alternative technologies that carry lower compliance burdens:
- Contactless smart cards (RFID/NFC): Low compliance burden, well-established technology, compatible with existing access control infrastructure. Acceptable for most use cases.
- PIN code or password: Minimal regulatory requirements. Best suited for low-traffic areas where security requirements are moderate.
- Mobile app check-in with QR code: Privacy-friendly, no biometric concerns. Increasingly popular for workplace attendance.
- Bluetooth beacon proximity detection: No biometric data collected. Suitable for attendance tracking in office environments.
- Fingerprint recognition (template-based): Still biometric but less regulatory scrutiny than facial recognition. Requires fewer compliance steps though still needs separate consent.
- Palm vein recognition: More secure than facial recognition and less regulated. Requires consent but generally viewed more favorably by regulators.
Conclusion
Foreign businesses can use facial recognition in China, but the regulatory environment in 2026 demands a sophisticated compliance approach. The key requirements — separate consent, PIPIA, data localization, and purpose limitation — are non-negotiable, and enforcement against foreign-invested enterprises has intensified dramatically in 2025–2026.
For most foreign companies, the pragmatic approach is to avoid facial recognition for non-essential use cases (marketing, analytics, general security) and rely on alternative technologies. Where facial recognition is genuinely necessary (high-security areas, time-critical attendance for large workforces), invest in compliant systems with on-device processing, local data storage, and transparent consent processes from the outset.
This FAQ was updated in July 2026. Consult with qualified legal professionals specializing in Chinese data protection law for advice specific to your company’s circumstances.
