Biometric technologies are on the rise — and now New Zealand has its first dedicated privacy code. The Biometric Processing Privacy Code 2025 sets new limits, safeguards, and expectations for agencies using biometrics. What does it mean for marketers and beyond? Read below.

At the start of the month, the Privacy Commissioner announced the Biometric Processing Privacy Code 2025, which creates more specific privacy rules for agencies using biometric technologies to collect and process biometric information.

The Code, which is now law, will help make sure agencies implementing biometric technologies are doing it safely and in a way that is proportionate.

It comes into force on 3 November 2025, but agencies already using biometrics have until 3 August 2026 to align themselves with the new rules (12 months from the Code’s publication).

In addition to the existing rules in the Privacy Act, the Code will require agencies to:
  • Assess the proportionality of using biometrics – is it fit for the circumstances?
  • Adopt safeguards to reduce any risk.
  • Tell people when and why a biometric system is in use, before their biometric information is collected.

The Code also restricts some particularly intrusive uses of biometric technologies, such as using them to predict people’s emotions or to infer information such as ethnicity or sex, which is protected under the Human Rights Act.

Detailed guidance has been released to support the Code, which explains how we see the Code working in practice. It also sets out examples so agencies planning to use biometrics can understand their obligations.

Our guidance is a starting point; agencies still need to do their own thinking to understand their own situation and how they are using or plan to use biometrics.


Source: Privacy Commissioner website