NZ Biometric Privacy Code: The August Deadline | TLY

AI Regulation Tracker  /  Privacy code

New Zealand's Biometric Privacy Code sets an August 2026 deadline for existing biometric users

New Zealand's Office of the Privacy Commissioner issued a binding code with 13 rules for any agency that uses facial recognition or other biometrics. Organisations already using biometrics have until August 3, 2026 to comply.

New Zealand's Biometric Privacy Code sets an August 2026 deadline for existing biometric users regulation briefing
The Leveraged Years AI Regulation Tracker

New Zealand now has a binding set of rules built specifically for facial recognition and other biometric systems. The Office of the Privacy Commissioner issued the Biometric Processing Privacy Code 2025 under the Privacy Act 2020, and it came into force on November 3, 2025. For agencies already running biometrics, the code sets a firm compliance date of August 3, 2026, a nine-month grace period from commencement. After that date, an agency that cannot show its biometric processing meets the code is in breach.

What the code replaces

The code does not sit alongside the Privacy Act's general framework. It substitutes for it in the biometric context. The Privacy Act 2020 is built around 13 information privacy principles. The Biometric Processing Privacy Code replaces those 13 principles with 13 rules tailored to biometric information, covering collection, notification, storage and security, access, correction, accuracy, retention, use limits, disclosure, cross-border disclosure, and unique identifiers. An agency that processes biometric information follows the code's rules in place of the equivalent principles.

Biometric information, in this context, means information about a person's physical or behavioural features that can be used to identify them, such as a facial image processed by a recognition system, a fingerprint, or a voice pattern. The trigger for the code is not the storage of a photograph on its own but the automated processing of that data to recognise or classify an individual. Agencies that were relying on general privacy consent to run these systems now have a distinct rulebook to meet, and the burden of showing compliance sits with the agency, not the person whose data is collected.

The proportionality test is the core duty

The rule that changes day-to-day practice most is the requirement that biometric processing be necessary, effective, and proportionate. According to the Office of the Privacy Commissioner, whether processing is necessary depends on whether it is effective in achieving the agency's lawful purpose, and whether the agency could reasonably achieve the same purpose as effectively through an alternative that carries less privacy risk. The commissioner's guidance states that an agency must not collect biometric information unless it believes on reasonable grounds that the processing is proportionate to the likely impacts on people. In practice this means a retailer cannot install facial recognition simply because it is available. It has to show the tool works for the stated purpose and that a less intrusive method would not do the same job.

Transparency and safeguards

The code pairs the proportionality test with transparency and safeguard obligations. Agencies must be open with people about biometric collection through specific notification, and they must have appropriate safeguards in place around how biometric information is stored, secured, used, and disclosed. The rules also place limits on certain sensitive uses, including biometric categorisation, and govern disclosure of biometric information outside New Zealand. The combined effect is that biometric data is treated as higher-risk personal information that requires a documented justification, not a routine data field.

For a privacy officer, the transparency duty is more demanding than a line in a general privacy policy. People need to understand that a biometric system is in use, what it does, and why. For retail loss prevention, that points toward clear signage and a defensible record of the assessment behind the deployment. For an employer, it points toward informing staff about a biometric time or access system and being able to explain why a swipe card or PIN would not serve the same purpose. The documentation an agency keeps now is what it will rely on if the processing is later questioned.

What the code does not do

The code does not ban facial recognition or biometrics. It does not require every existing system to be switched off. An agency that can demonstrate its processing is necessary, effective, and proportionate, and that meets the notification and safeguard rules, may continue. The code also does not remove the underlying protections of the Privacy Act framework; it re-expresses them for biometrics and adds requirements on top. The obligation is to justify and document, not to abandon the technology.

The cross-border angle

For a United States reader, the code binds any operations a US company runs in New Zealand that collect biometric information there, including retail chains and employers with New Zealand sites. It also fits a wider pattern. New Zealand's approach, a proportionality test plus transparency and use limits, echoes the direction of biometric and facial recognition rules in Illinois, Texas, and the European Union, and it gives US compliance teams a working model of what a dedicated biometric regime looks like in practice.

Frequently Asked Questions

What changed under the Biometric Processing Privacy Code 2025?

The Office of the Privacy Commissioner issued a binding code that replaces the Privacy Act's 13 information privacy principles with 13 biometric-specific rules. It came into force on November 3, 2025 and requires that biometric processing, including facial recognition, be necessary, effective, and proportionate, with transparency and safeguards.

Who does the code apply to?

Any agency in New Zealand, public or private, that collects or processes biometric information. That includes retailers using facial recognition for loss prevention, employers using biometric time, attendance, or access systems, security providers, and the privacy officers responsible for those systems.

When is the compliance deadline?

The code has been in force since November 3, 2025. Agencies that were already using biometrics have a nine-month grace period that ends on August 3, 2026. After that date, biometric processing that does not meet the code's rules is in breach.

Does the code ban facial recognition?

No. It does not prohibit biometrics or facial recognition. It requires an agency to show that the processing is necessary, effective, and proportionate to its impact on people, that no reasonable lower-risk alternative would achieve the same purpose, and that transparency and safeguard rules are met.

What is the single most important step to take now?

Complete and document a proportionality assessment for each biometric system, confirming it is necessary and effective for a lawful purpose and that a less intrusive method would not work as well, then align notification and safeguards with the 13 rules before August 3, 2026.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.