A new frontier in Biometrics Regulation: what do you need to know?
The Office of the Privacy Commissioner (OPC) has officially enacted the Biometric Processing Privacy Code (Code), which marks a significant shift in how biometric data is regulated in New Zealand. This new code introduces binding rules for organisations that collect, use, or store biometric information, including facial recognition, fingerprint scanning, and voice identification technologies.
This article explores the new regulatory landscape for biometrics in New Zealand, the impact of the new Code, and what organisations should be doing now to prepare for compliance with the Code.
Biometric data is uniquely sensitive. Unlike passwords or ID cards, biometric identifiers are biologically tied to individuals and cannot be changed if compromised. This permanence, combined with the potential for mass surveillance and profiling, makes biometrics particularly high-risk from a privacy perspective.
While biometric data already qualifies as “personal information” under the Privacy Act 2020 (Act), the Office of the Privacy Commissioner has recognised that more targeted regulation is needed for this type of data, hence the introduction of the Code.
In addition to the existing privacy framework under the Privacy Act 2020, the Code clarifies that agencies are required to:
- Assess how effective and proportional their use of biometrics is;
- Ensure adequate safeguards are in place; and
- Inform individuals of when their biometric information is in use or will be collected.
Who must comply?
The Code applies to any agency operating in New Zealand that processes biometric information for the purpose of identifying individuals.
This includes:
- Public and private sector organisations; and
- Agencies using third-party biometric service providers.
Importantly, the Code does not apply to biometric technologies used solely for authentication (e.g. unlocking a personal device), unless the data is retained or used for identification purposes beyond the immediate transaction.
Compliance deadlines
Although the Code comes into force on 3 November 2025, the OPC has provided a transitional period for organisations that are already undertaking biometric processing before 3 November 2025, allowing them time to align their practices. These agencies must ensure full compliance by 3 August 2026. This transitional period is intended to support the development of internal policies, staff training, and technical adjustments necessary to meet the Code’s requirements. Importantly, for biometric processing that starts after 3 November 2025, full compliance is required immediately.
Preparing for compliance
Organisations should begin by reviewing existing biometric practices and assessing whether they fall within the scope of the Code. Legal teams and privacy officers should collaborate to update internal policies, engage with technology providers, and ensure that systems are designed with privacy by default.
The introduction of the Code reflects growing public concern around the ethical use of biometric technologies and reinforces New Zealand’s commitment to safeguarding personal information in the digital age.
Biometric technologies offer powerful tools for authentication, security, and efficiency but also raise profound privacy challenges. The Privacy Commissioner’s focus on biometrics signals a shift toward more targeted regulation, and organisations should act now to ensure they are ready.
As the legal landscape evolves, those who take a proactive, privacy-first approach will be best positioned to navigate the changes and maintain public trust.
Special thanks to Partner Peter Fernando and Solicitor Aimee Wilson for preparing this article.
For more information or assistance, please contact our data protection and privacy team.
Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.