New Biometric Processing Privacy Code has implications for NZ businesses

28 August 2025


Disclaimer

The information in these articles is general information only, is provided free of charge and does not constitute legal or other professional advice. We try to keep the information up to date. However, to the fullest extent permitted by law, we disclaim all warranties, express or implied, in relation to this article – including (without limitation) warranties as to accuracy, completeness and fitness for any particular purpose. Please seek independent advice before acting on any information in this article.

Earlier this month, the New Zealand Privacy Commissioner introduced the Biometric Processing Privacy Code (Code). The Code is set to come into force on 3 November 2025, although businesses already undertaking biometric processing activities have until 3 August 2026 to comply.

The Code establishes 13 stringent rules for the collection, use and management of biometric data, including facial recognition, fingerprints and voiceprints. These rules generally correspond with the Information Privacy Principles under the Privacy Act 2020, although new concepts have also been introduced.

In essence, the Code is designed to balance the benefits of biometric technologies with strong protections for individual privacy, ensuring that personal biometric data is handled responsibly and ethically. Businesses of all sizes and across all industries, whether using biometrics for security, customer engagement or operational efficiency, will need to understand and prepare for these new requirements.

Considerations for businesses

The introduction of the Code requires businesses to carefully consider their privacy and compliance obligations. Set out below are key obligations under the Code and the measures businesses should take to ensure compliance:

  1. Necessity and proportionality: Any collection and use of biometric information must be necessary and proportionate. Businesses should assess whether biometric systems are genuinely required to meet their objectives or whether less intrusive alternatives (such as PIN codes or ID cards) could achieve the same result. This assessment is critical for compliance and for reducing potential privacy risks.
  2. Transparency and consent: Transparency is a cornerstone of the Code. Businesses must inform employees, customers and other stakeholders about the collection of biometric data, why it is being collected, how long it will be retained, and what alternatives are available. Where required, businesses must obtain consent and respect individuals’ rights to opt out.
  3. Data security and safeguards: Strong safeguards must be in place to protect biometric data from misuse or unauthorised access. Businesses should implement secure storage systems, enforce strict access controls, and delete data promptly when it is no longer needed. Regular audits and sound governance practices will help maintain compliance and reduce emerging risks.
  4. Bias and accuracy concerns: Facial recognition and similar technologies raise risks of bias and inaccuracy, particularly around profiling and the inference of sensitive characteristics such as ethnicity or gender. Businesses must ensure their biometric systems are reliable, tested for fairness, and do not result in discriminatory outcomes. Corrective measures should be in place where any bias or inaccuracies are identified.
  5. Cultural and social considerations: The Code places emphasis on assessing the cultural and social impacts of biometric technologies, particularly in relation to Māori and other communities. Businesses should factor these considerations into their decision making to ensure fair and equitable outcomes.

We can help

Meeting the obligations of the Code calls for strategic planning and careful evaluation of business practices. If you have any questions about how the Code applies to your business, or need guidance on implementing compliant biometric systems, please reach out to the Wynn Williams team for tailored support and advice.

 

Katrina Hammon – Partner

Roxana Cvasniuc – Associate


WWW.WYNNWILLIAMS.CO.NZ