Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Privacy Act 2020

Print | Email this page

Biometric Processing Privacy Code 2025

A woman stands and puts her finger into a fingerprint scanner to gain access to another space. She has a brown bobbed hairstyle with a fringe and wears a blue business shirt and blue jeans. She is carrying a notepad. About the code

The Biometric Processing Privacy Code 2025 (BPPC) was issued on 21 July 2025.

The BPPC came into force on 3 November 2025, but agencies already using biometrics have a nine-month grace period to move to the new set of rules. That transition period ends on 3 August 2026. 

The BPPC, made under the Privacy Act, sets out the privacy rules for organisations and businesses who collect and use people’s biometric information in biometric processing.

Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.

Biometric information relates to people’s physical or behavioural features. For example, a person’s face, fingerprints, voice, keystroke patterns, or how they walk.

In March 2026 we issued Amendment No 1 to the BPPC to reflect new Information Privacy Principle 3A (IPP3A).

Read the full Code

Biometric Processing Privacy Code 2025 (in force from 1 May 2026; opens to PDF, 396 KB)

Guidance about biometrics

We have full and detailed guidance for agencies wanting to use biometric technologies. Read the guidance and use case examples in our Resources and Learning section

Read our summary factsheets

Biometric Processing Privacy Code 2025 Amendment No.1

The Privacy Amendment Act 2025 introduced IPP3A, which is in force from 1 May 2026. In March 2026, following consultation on how to reflect IPP3A in codes of practice, the Privacy Commissioner made changes to several of our codes. You can find more about those changes, including any amendments or submissions specific to this code, below:

Prior versions

Statutory consultation on draft code (Dec 2024 – March 2025)

Before issuing the final code, the Privacy Commissioner consulted on a draft version as required by section 33 of the Privacy Act. We received 146 submissions from members of the public, businesses, organisations, and government agencies. In line with our notification to submitters, we have published submissions received.

Biometric Processing Privacy Code: What's changed? (August 2025)

(opens to PDF, 180KB)

Report: Summary of submissions on Biometric Processing Privacy Code consultation

(opens to PDF, 365KB)

Submissions received from members of the public - Part 1

(opens to PDF, 6.9MB)

Submissions received from members of the public - Part 2

(opens to PDF, 5.1MB)

Submissions received from businesses and organisations - Part 1

(opens to PDF, 9.92MB)

Submissions received from businesses and organisations - Part 2

(opens to PDF, 5.4MB)

Submissions received from government agencies 

(opens to PDF, 4.3MB)

The draft Code was assessed for consistency with the New Zealand Bill of Rights and other human rights obligations by external legal counsel (Ben Keith, barrister). Read this assessment.  

Read about the history of the project.

Back to top