Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Focus areas

Print | Email this page

Biometrics Project

November 2025

The Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information.

The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing it safely and in a way that is proportionate. 

Guidance has also been developed to support the Code.

When do organisations need to comply with the Biometrics Code?

The Code came into force on 3 November 2025, but agencies already using biometrics have a nine-month grace period to move to the new set of rules. That transition period ends on 3 August 2026.

What is biometric information?

Biometric information is personal information and is regulated by the Privacy Act. It is particularly sensitive because it’s based on the human body and is fundamental to who a person is. 

Biometric information relates to people’s physical or behavioural features. For example, a person’s face, fingerprints, voice, keystroke patterns, or how they walk.

Biometric technologies, like facial recognition technology, analyse biometric information to recognise who someone is, or to work out other things about them (such as their gender or mood).

We use the term biometrics to mean when technologies like facial recognition are used to collect and process people’s biometric information to identify or classify them.

These are some examples of how biometrics can be used:

  • verifying people’s identities
  • border control
  • policing and law enforcement
  • retail security
  • controlling access to devices or physical spaces
  • monitoring attendance (for example, in workplaces or schools).

Biometric technologies can have major benefits, including convenience, efficiency, and security. However, they can also create significant risks, including privacy risks relating to surveillance and profiling, lack of transparency and control, and accuracy, bias, and discrimination. 

Māori stakeholders we’ve heard from have expressed significant concerns about the use of biometrics in New Zealand, particularly around the potential for bias and discrimination.

Guidance

We have developed guidance to help agencies comply with their obligations under the Biometrics Code. The guidance explains how we see the Biometrics Code working in practice and sets out examples and case studies so agencies planning to use biometrics can better understand the obligations.

Our guidance is a starting point; organisations still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics.

Read our biometrics guidance

Biometrics papers and past consultation

This table provides information about the history of our work around regulating biometric information and developing a Biometric Processing Privacy Code. 

December 2024 - March 2025

Public consultation on draft Biometrics Code and guidance

We released an updated draft Biometric Privacy Code for public consultation in December 2024. We received 97 submissions from members of the public and 49 submissions from businesses, government agencies and other organisations. 

Read a summary of consultation feedback that identifies the key themes.

Read all the submissions received during this part of the process.

The consultation period ended on March 14 2025. The documents below are from this period. 

December 2024

Decision to proceed with code and public consultation

The Privacy Commissioner announced his intention to issue a Biometric Processing Privacy Code of Practice. The code will create more specific rules for agencies using biometrics.

Read the media release.

August 2024

Report-back on exposure draft of biometrics code

We received 250 submissions; 180 from the public and 70 from agencies (businesses, government agencies and organisations).

Almost every submission from members of the public told us that people were concerned about the use of biometrics in New Zealand. There was broad support for the proposed rules in the draft code.

Agencies that sent in feedback were from diverse sectors. Agencies were generally supportive of the code proposals and for the proposed modifications to the three IPPs that we’d outlined. At times opinion was divided, but overall, the feedback gave us clear direction on what may need to be changed or reworked, which is what we’ll do now.

Read detail about who commented and what the themes of the feedback were.

April/May 2024

Public consultation on exposure draft of biometrics code

We developed an exposure draft of a biometrics code of practice based on what we had learned in targeted engagement the previous year. A biometrics code of practice would create specific rules for agencies using biometric technologies to collect and process biometric information. The exposure draft included three new rules: a proportionality requirement, additional notification and transparency requirements, and fair processing limits that restrict some uses of biometric classification.

We conducted a broad public consultation on the biometrics code exposure draft, seeking views from members of the public, Māori, businesses, government agencies, and advocacy organisations.

Read the exposure draft (Word).
Read the consultation document (Word).
Read the one-page summary (PDF).
View our infographic (PDF). 

November 2023

Announcement

The Privacy Commissioner announces he will release an exposure draft of a biometrics code for public consultation in early 2024.

Read the explainer document (PDF).

July/August 2023

Targeted engagement

We released a discussion document outlining proposals for a potential code of practice for biometrics. We sought views from key stakeholders: Māori, private sector users or providers of biometrics, public sector users of biometrics, privacy specialists, and advocates with expertise in human rights, employment, and consumer rights. We held workshops and meetings with stakeholders and received 54 submissions on our discussion document.

Read the summary document (PDF)
Read the summary document (Word)
Read the full discussion document (Word)
Read the summary of submissions.
December 2022

Announcement
The Privacy Commissioner announces he will explore the option of a code to regulate biometrics.

August 2022

Public consultation

We revisited our position paper on biometrics and conducted a period of broad public engagement with a consultation paper to asking whether further regulation of biometrics was needed in New Zealand.

We also talked to stakeholders, including Māori experts and organisations using biometric information, to ensure we were hearing from the right people. We received 100 submissions from individuals, businesses, government departments, and advocacy groups.

Read the consultation paper.
Read a one-page summary.
Read the summary of submissions.

October 2021

Biometrics position paper

We launched a position paper on how the Privacy Act regulates biometrics.

Read a one-page summary of key issues regarding biometric technologies and privacy.
Read the biometrics position paper (PDF).

If you want to contact us about this work please email biometrics@privacy.org.nz

Back to top