Navigating the new Biometric Processing Privacy Code: what businesses need to know

Business information

November 2025

What’s changing – and why it matters

The Biometric Processing Privacy Code 2025 has been finalised and took effect on 3 November 2025. Wherever automated biometric processing is used, it replaces the general Information Privacy Principles in the Privacy Act 2020 with biometric-specific rules.

Organisations already using biometric systems before that date have until 3 August 2026 to comply. The Office of the Privacy Commissioner has also published guidance on the Code to help organisations prepare.

Common business use cases

You might be using biometric technology without realising it. The Code applies to a wide range of systems, including:

  • CCTV with facial recognition – security monitoring, access control, or incident investigation.
  • Staff time and attendance systems – fingerprint or palm scanners to clock in and out.
  • Access control for secure areas – iris or facial scanning for high-security or hazardous sites.
  • Event management and ticketing – facial recognition or gait analysis to speed up entry or identify banned attendees.
  • Customer personalisation – retail or tourism operators using facial recognition to identify returning customers and tailor service.
  • Health and fitness monitoring – attendance tracking or posture analysis in gyms and wellness centres.
  • Transport and passenger processing – biometric ID verification at check-in or boarding.
  • Accommodation access – biometric locks or entry systems for boarding houses, hostels, or staff accommodation.

If your business uses any of these technologies, the new Code is likely to apply.

What counts as biometrics?

Biometrics are unique physical or behavioural features that can be measured and used to identify or monitor a person.

Under the new Code, common examples include:

  • Facial features – via CCTV, security cameras, or photo databases.
  • Fingerprints – for staff time clocks or device log-ins.
  • Palm or hand geometry – for access control.
  • Iris or retina scans – in high-security areas.
  • Voice patterns – used in call centres or authentication systems.
  • Gait or posture – analysing how someone walks or stands.

These can be collected by obvious means (a scanner at a doorway) or less obvious ones (a camera that runs facial recognition in the background).

If your technology measures a unique human trait and uses it to identify or track someone, it’s likely covered by the Code.

Top three things the Code requires

Necessity Test

You must show that using biometrics is necessary, effective, and proportionate – and that less privacy-intrusive options wouldn’t work as well.

Clear Disclosure

People must be told, before or at the time of collection, what biometric data is being collected, why, how it will be used, and any alternatives available.

Strong Safeguards

Biometric information must be stored securely, protected from unauthorised access, and deleted when no longer needed for its original purpose.

Key insight – applying the ‘Necessity Test’

The Code’s most significant requirement is the necessity, effectiveness, and proportionality test. You must be able to demonstrate that:

  1. Biometrics are necessary – A genuine need exists that can’t be met through less privacy-intrusive methods.
  2. They are effective – The technology reliably achieves its purpose.
  3. The use is proportionate – The benefits outweigh the privacy risks.

This requires evidence-based decision-making. For example, if you want to introduce facial recognition for staff entry, you’ll need to show that alternatives like swipe cards or PINs wouldn’t be as effective.

What’s new since the Draft

The final Code includes a few important changes:

  • Extended compliance period – Existing systems have until August 2026 to comply.
  • Trial flexibility – The necessity test can be deferred for controlled trials, provided they are proportionate and secure.
  • Clearer exemptions – Personal consumer devices like smartphones or VR filters are excluded.
  • Tighter controls on certain uses – Emotion detection, attention tracking, or inferring sensitive traits are heavily restricted, only allowed for specific safety or welfare purposes.

What businesses should do now

  1. Audit current biometric systems – Identify what you’re using, how, and why.
  2. Apply the necessity test – Assess whether the technology is the most appropriate and document your reasoning.
  3. Update your privacy policy – Clearly explain biometric use, reasons, and alternatives.
  4. Strengthen safeguards – Encrypt stored biometric data, restrict access to the staff who need it, and train staff on handling it.
  5. Plan for trials – If piloting biometric technology, ensure the trial is proportionate, secure, and documented.
  6. Start early – Preparing now avoids disruption when the deadline arrives.

What will happen if you fail to comply?

Failure to comply with the Code puts your business at risk of being found to have interfered with someone’s privacy under the Privacy Act 2020. Possible outcomes include:

  • A complaint to the Privacy Commissioner – any individual can complain to the Office of the Privacy Commissioner (OPC), which can investigate and issue compliance notices.
  • Compliance notices and enforcement – the OPC can require you to take or stop certain actions. A failure to comply can lead to referral to the Human Rights Review Tribunal, which can also make orders and award damages.
  • Reputational damage – if the OPC issues a compliance notice, it will generally publish it (including the organisation’s name) unless there is good reason not to.
  • Other breaches – non-compliance could also mean you risk breaching third party contracts where you have agreed to comply with the Privacy Act, or your obligations as an employer.

How we can help

A key principle is that individuals must be told, clearly and up front, when their biometric information is being collected, why it’s being collected, how it will be used, and what alternatives (if any) are available. This disclosure must happen before or at the time of collection, not buried in fine print.

We can help you with:

  • Updating privacy statements so they meet the Privacy Act 2020 and Code requirements.
  • Drafting signage and notices for CCTV, biometric scanners, or trial systems that meet the disclosure requirements.
  • Reviewing your necessity assessment to ensure it is well-documented and defensible.

Whether you’re implementing new technology, updating existing systems, or starting from scratch with your first privacy statement, your lawyer can help keep your organisation compliant and maintain the trust of your staff, customers, and community.