The Office of the Privacy Commissioner (OPC) has released the final version of the Biometric Processing Privacy Code 2025 (Code), which is now law under the Privacy Act 2020 (Act). The Code creates specific privacy rules for organisations that collect and process biometric information in an automated way.
Key Dates
The Code comes into force on 3 November 2025; however, organisations that already use biometric processing on or before this date have until 3 August 2026 to comply.
The Privacy Commissioner will undertake a review of the Code no later than 3 November 2028.
Application
The Code broadly sets out 13 rules which, where the Code applies, substitute the Information Privacy Principles under the Act. For further background on the Code and a full overview of the 13 rules, please see our previous article.
The Code applies to any organisation that collects or processes biometric information (such as facial features, fingerprints or voice) in automated systems to verify, identify or categorise individuals. This includes technologies such as facial recognition or voice analysis.
The Code does not apply to: (a) health agencies that carry out biometric processing in order to provide health services (they are subject to the Health Information Privacy Code); (b) manual processing of biometric information; or (c) personal consumer devices (e.g. smartwatches or fitness trackers).
Certain rules also don't apply to the New Zealand Security Intelligence Service or the Government Communications Security Bureau.
Key Changes to the Code
There have been limited changes to the Code since the revised version was released for public consultation in December 2024. Key changes include:
- Transition period: The Code comes into force on 3 November 2025, with a nine-month transition period. As mentioned above, organisations already collecting or processing biometric information on or before 3 November 2025 have until 3 August 2026 to comply.
- Necessity test: Under rule 1 of the Code, the collection and processing of biometric information must be for a lawful purpose, necessary, safeguarded and proportionate in the circumstances. To determine whether processing is "necessary", organisations must consider whether the biometric processing is effective in achieving the organisations' lawful purpose and whether that lawful purpose can be achieved as effectively via an alternative option with lower privacy risks. The key clarification in the final version of the Code is that organisations may consider how effective those alternatives are in practice, not just whether alternatives exist (as was previously the case).
- Trial exemptions: If an organisation is running a trial of a biometric system, it can delay meeting the necessity test described above until the end of the trial, provided that it can show the trial is proportionate in the circumstances and has appropriate safeguards in place (and otherwise complies with all other applicable rules).
- Consumer device exclusion: The definition of "biometric categorisation" has been amended to clarify that the Code does not apply to processing by consumer devices or services used solely for providing that user with their own health or personal information (e.g. fitness trackers) or an entertainment or immersive experience (e.g. virtual try-on filters).
- Attention tracking safeguards: The Code now makes it clear that biometric systems that monitor things like alertness or fatigue can only be used for safety reasons, such as to lessen or prevent a risk to life or health, and not for general workplace surveillance.
Other Resources
To support compliance with the Code, the OPC has published detailed guidance for agencies considering the use of biometric technologies. The OPC has also published additional factsheets.
Next Steps
Organisations should review the Code and guidance released by the OPC, assess their current biometric technology use for compliance, update privacy policies as needed, and inform staff of new obligations. Preparing early will reduce risks and enable a smooth transition when the Code comes into force.
Should you wish to discuss your organisation’s compliance with the Code, please contact one of our experts listed below. We will continue to monitor activities relating to the Code and other related developments in New Zealand.