Biometric technology is rapidly transforming key areas of New Zealand business operations, such as customer verification, workplace access and payment security, by improving efficiency, authentication and security. Many businesses use biometric information, that is, physical and behavioural traits such as facial features, fingerprints, keystroke patterns and voice patterns, to verify identity, control access and track engagement.
While biometrics offer convenience, they also raise concerns about surveillance, profiling and bias, because the information involved is uniquely sensitive. Biometric information is deeply personal and irreplaceable: unlike a password or credit card number, it cannot be changed if compromised. In the view of the Privacy Commissioner, these risks have created a need for stronger legal protections.
To address these risks, the Privacy Commissioner has proposed the Biometric Processing Privacy Code, a legally enforceable code under the Privacy Act 2020. The Code introduces stricter and more specific obligations than the Privacy Act because biometric information is especially sensitive and high risk. Existing privacy principles will be adapted and added to, impacting agencies (including businesses) that handle biometric information. These are explained below.
WHAT THE NEW CODE WILL REQUIRE
The new Code will impose safeguards focussed on necessity, transparency, and privacy.
NECESSITY: PROPORTIONALITY TEST AND RISK ASSESSMENTS
Before collecting biometric information, businesses will need to prove necessity through a proportionality test by:
- showing the processing is lawful, effective, and that no less privacy-intrusive alternative is reasonably available;
- assessing privacy risks, weighing them against expected benefits, and considering cultural impacts on Māori;
- using a trial period if effectiveness can’t be confirmed in advance;
- putting in place safeguards like consent, opt-outs, strong security, and collecting identifying details only if necessary.
TRANSPARENCY: STRONGER NOTIFICATION AND TRANSPARENCY RULES
Businesses will need to notify individuals before collecting biometric information, explaining:
- why it is being collected and how it will be used;
- whether alternatives like PINs or passwords exist;
- the retention period and access or deletion options;
- how to file complaints and where to access proportionality assessments.
SAFEGUARDS: LIMITS ON BIOMETRIC USE
The Code will also ban certain high-risk biometric uses, including:
- emotion analysis to infer mental state, health, or intentions;
- biometric profiling, except in consumer devices like fitness trackers;
- using biometric information to infer protected personal characteristics like race, ethnicity, or other grounds prohibited under the Human Rights Act 1993.
OTHER IMPORTANT FEATURES OF THE CODE
- The Code applies to automated biometric processing but excludes manual collection, biological material, and brain activity. Health agencies are exempt, but businesses using biometrics for staff monitoring or security must comply.
- Businesses do not have to disclose risk assessments or notify the Privacy Commissioner when they complete one. However, non-compliance with the Code may result in complaints, investigations, penalties, or lawsuits. Law enforcement can access biometric information under permitted exceptions without notification.
- Although the Code no longer specifically bans web scraping, businesses collecting biometric information from public sources must ensure that any collection is fair and does not unreasonably intrude into individuals’ personal affairs.
COMPLIANCE
For New Zealand businesses, the Code will work in conjunction with (and so it will not replace) the Privacy Act in relation to the handling of biometric information. The Privacy Act establishes general principles for handling personal information, while the Code introduces specific rules tailored to biometric information. This means that businesses must comply with both the obligations of the Privacy Act and the additional requirements contained in the Code.
NEXT STEPS
- The public consultation period has closed, and the final Code is expected to be announced by mid-2025.
- The Code takes effect 28 days after publication in the New Zealand Gazette.
- Once in force, the Code applies immediately to new biometric processing. Existing systems will have nine months to comply before enforcement begins.
As stated above, non-compliance could have serious legal consequences for businesses, but there is also a risk of reputational damage if systems and processes relating to biometric information fall short. Businesses collecting, using, storing, handling, processing or disclosing biometric information will need to consider what changes they need to make to comply with the Code and maintain the trust of their customers.
Please contact our Jackson Russell Business Law Team if you would like further guidance on compliance with the Code.