The following regulation defines the acceptable use of facial recognition technology in China. Its provisions to protect facial data privacy include stipulations that such data must remain on the original collecting device and not be transmitted over the internet, and that individuals must have another identity verification option besides facial recognition to log into apps and websites. The regulation includes a loophole that allows apparently unrestricted use of facial recognition technology for R&D and AI model training.

An archived version of the Chinese source text is available online at:    https://perma.cc/RKF7-GL2Q

Measures for the Security Management of Facial Recognition Technology Applications

Cyberspace Administration of China

Ministry of Public Security

Order No. 19

The Measures for the Security Management of Facial Recognition Technology Applications were reviewed and adopted at the 23rd executive meeting of the Cyberspace Administration of China (CAC) on September 30, 2024 and approved by the Ministry of Public Security. The Measures are hereby promulgated and shall take effect on June 1, 2025.

Director of the Cyberspace Administration of China     Zhuang Rongwen (庄荣文)

Minister of Public Security      Wang Xiaohong (王小洪)

March 13, 2025

Measures for the Security Management of Facial Recognition Technology Applications

Article 1          These Measures are formulated to regulate the use of facial recognition technology for processing facial information and to protect personal information rights and interests, in accordance with the Cybersecurity Law of the People’s Republic of China,¹ the Data Security Law of the People’s Republic of China,² the Personal Information Protection Law of the People’s Republic of China,³ the Regulations on Network Data Security Management (网络数据安全管理条例), and other laws and administrative regulations.

Article 2          These Measures apply to activities using facial recognition technology to process facial information within the People’s Republic of China (PRC).⁴

These Measures do not apply to the use of facial recognition technology to process facial information for research and development or algorithm training purposes within the PRC.

Article 3     Activities using facial recognition technology to process facial information shall comply with laws and regulations, respect social morality and ethics, comply with business and professional ethics, be honest and trustworthy, fulfill obligations to protect personal information, and bear responsibility to society, and shall not jeopardize national security or the public interest, or harm the legitimate rights and interests of individuals.

To view the rest of this translation, download the pdf below.

1. Translator’s note: An English translation of the Cybersecurity Law is available online at: https://digichina.stanford.edu/work/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017/.Footnote Link
2. Translator’s note: An English translation of the Data Security Law is available online at: https://www.chinalawtranslate.com/en/datasecuritylaw/.Footnote Link
3. Translator’s note: An English translation of the Personal Information Protection Law is available online at: https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.Footnote Link
4. Translator’s note: The Chinese word 境內 jìngnèi, translated throughout as “within the PRC,” literally means “inside the borders [of mainland China].” China considers Hong Kong, Macao, and Taiwan to be part of China but not to be “within the PRC.”Footnote Link