Do you know who I am?
The age of automated facial recognition technology (FRT) is already among us – what does it mean for you?
Think about it, have you….
- Unlocked your smartphone with just a glance?
- Departed or entered New Zealand through an eGate?
- Been asked by Facebook “is that you” in a friend’s recent photo?
It should come as no surprise that the age of automated facial recognition technology (FRT) is already among us, rampantly becoming commonplace globally and here in Aotearoa.
In a Victoria University of Wellington report commissioned by the New Zealand Law Foundation, FRT is defined simply as involving “the use of an algorithm to match a facial image to one already stored in a system”. As FRT becomes more accessible, and arguably more efficient in identity management – its use is increasingly being considered and implemented across the private and public sectors and is equally being scrutinised by the public and in academic institutions.
Police, airports, banks, and retail and hospitality outlets are increasingly deploying FRT for security and identity verification purposes. In New Zealand, there have even been adaptations of FRT for use in the agricultural sector for the identification of livestock.
While advancements in FRT may offer accuracy, speed and convenience, it is important to remember that there are legal obligations associated with the implementation of FRT. You should take steps to ensure you are aware of, and can meet, these obligations before you and your business decide to embrace the use of FRT.
The use of FRT is primarily based on the collection and analysis of facial images, a particularly sensitive category of personal information, and as such, the Privacy Act 2020 governs all things applicable to the collection and subsequent use of this personal information.
We explore below what you need to know as a business or consumer when considering the implementation of FRT:
What to consider as a business?
The Privacy Commissioner has released helpful guidance on what to consider when collecting biometric information, such as facial scans and fingerprints. In summary, key questions to consider include:
- Do you have a lawful purpose for collecting this information?
- Is the collection necessary for that lawful purpose?
- Is collection unreasonably intrusive or unfair?
- Have you obtained informed consent from the affected individual?
- How do you ensure accuracy of personal information?
- Are your security safeguards to protect the information reasonable?
The Privacy Act 2020 also governs how personal information can be processed, retained, and transferred.
The Privacy Commissioner strongly recommends that all businesses complete a Privacy Impact Assessment before implementing any kind of FRT. A privacy impact assessment (PIA) is a tool used by agencies to help them identify and assess the privacy risks arising from their collection, use or handling of personal information. A PIA will also propose ways to mitigate or minimise these risks.
Part 1: Whether to do a Privacy Impact Assessment
Part 2: How to do a Privacy Impact Assessment
Bonus tip: If you are contracting with a FRT Supplier, it is important to remember that you still have obligations towards the individuals you are collecting personal information from.
What are my rights as a consumer?
As a consumer you have rights. If an agency wants to collect your personal information, it must obtain your informed consent. This means it needs to make available the following information:
- What personal information is being collected;
- How will it be used
- Who will have access to it;
- Is collection voluntary or mandatory;
- What are the consequences, if any, of opting out;
- How can you access and correct your personal information?
Bonus tip: There are limited instances where an agency does not need to seek your consent to collect your personal information (information privacy principle 2).
The Privacy Commissioner can investigate complaints about an agency’s compliance with the Privacy Act, click here for more information if you are concerned with the use, collection, or disclosure of your personal information by an agency.
Partner, Anchali Anandanayagam says, "From a business perspective, it is important to be transparent about the reasons for which you are implementing the technology and the precautions you are taking to address the privacy concerns. Ensuring privacy is the foundation for trust – if your customers and other stakeholders are concerned about privacy, this will affect the trust they have in your business or the services you provide".
If you are a business or individual looking to understand if the use of facial recognition technology is aligned with the Privacy Act and best practice, please get in touch.
Services in this insight
Consultation opens on New Zealand's payment services regulation
Modern slavery regulation on the way – Is your business ready?
From Hertzian waves to hyperlinks – What the BSA’s online decision means for your business
Space Law in New Zealand — Signals from the ground
Cyber security changes flagged for New Zealand
The four Cs of successful fintech partnerships
New rule 3A introduced to the Biometric Processing Privacy Code
IPP3A is nearly in force – What agencies need to know
OPC shifts public enquiries online – What agencies should do now
AI as a confidante? Legal privilege and the ever-increasing use of AI
New Therapeutic and Health Advertising Code – What you need to know
Building blocks of trade mark law: New Zealand approach to "use as a trade mark" now compatible with Australia
Consumer law update 2025
Open banking launches in New Zealand
Is fair something to fear? The Government announces beefed-up Fair Trading Act
Is it fair? Lessons from Bartz v Anthropic and Kadrey v Meta
Open banking almost live
Why New Zealand businesses should care about the EU Data Act
Product labelling changes flagged for New Zealand
Biometric Processing Privacy Code 2025 introduced to New Zealand
Open banking regulations released for consultation
Ten tips for buy-side M&A success
A recipe for disaster – Is caramel a copyright work?
Becoming a Globally Renowned Fintech Nation (and how regulation can light the path)
Important changes made to the Privacy Act
New Zealand may ban social media for young users
Customer and Product Data Act update – Open banking officially on the way
Tips from the trenches – Your AI policy cheat sheet
Significant regulatory reform proposed for New Zealand media
Security guidance released for emerging tech companies
Customer and Product Data Bill – Select Committee reports back
Consumer law update 2024
New Zealand’s Artist Resale Royalty is ready to go
The shape of coffee – “Moccona” vs “Vittoria”
New Zealand’s Copyright Act gets a sense of humour
WIPO’s traditional knowledge treaty is adopted
Doing business in the Middle East
AI and advertising – What producers need to know
Seven contract clauses every freelancer needs
Baby Reindeer – When truth is stranger than fiction?
Our comments on the Biometric Processing Privacy Code
Therapeutic Products Act to be repealed this year
Is End-to-End to end?
Geographical indications – Changes uncorked by the EU-NZ Fair Trade Agreement
Lawyers and Generative AI – New NZ Law Society guidance released
Facing the future – A biometrics code of practice for New Zealand?
Deepfakes and style mimicking – Should New Zealand adopt a right of publicity?
Five Eyes release the Five Principles to Secure Innovation
The copyright conundrum with generative AI
Innovate at the speed of trust – Privacy Commissioner releases new guidance on artificial intelligence tools
Political advertising on social media: sludge or copyright quagmire?
Privacy Amendment Bill introduced to Parliament
New Data Privacy Framework: Meta gets a lifeline
The long and winding road to royalties
Implications of the Supreme Court’s “new debt” approach in Mainzeal
EU gets closer to AI laws
UK Supreme Court puts Quincecare ‘duty’ back in its box
A Deep Dive into The Customer and Product Data Bill
Searching for a shield: Meta’s €1.2 billion fine and international transfers in the age of Big Data
New NZ-UK Free Trade Agreement signals tech, media and IP law changes
Ditch the fax! Tips for building a tech-savvy law firm
The Incorporated Societies Act 2022 – what you need to know for your society
Common myths about copyright online
Artificial artist, or artificial plagiarist?
Big boost to gaming
Is your product “AI powered”?
The latest on New Zealand’s Consumer Data Right
Space Law in New Zealand
You Cannot Defame the Dead or Can You? Tikanga Māori and NZ Defamation Law
Open Banking is coming – through the Consumer Data Right
Massive SEC Fines for Companies Using Text and Instant Messaging
One Act to Rule Them All
A Legal Guide to Kicking SaaS
Potential changes to the Privacy Act 2020
NZ's Social Media "Code of Practice" Launched
Are you being unfair?
Are you legal?
Power Up 2022
A new Companies Office levy is one step closer
Has Paramount Pictures gone maverick?
From Russia with love: The ‘other’ Russian conflict targeting intellectual property owners
I'm back, baby
Retail Payment System Act 2022 now in force
Paying the price for getting privacy wrong
Can AI be an inventor?
Finfluencer Crackdown
TIN Fintech Insights Report Launch
Britain seeks to regulate 'Big Tech'
Disclosure of personal information - how to, not don't do
The Spice May Flow, But The Copyright Doesn’t
Sound Recording Ownership (Taylor's Version)
The Lowdown (and Lockdown) on Summer Clerkships
Building Blocks of Trust
Firm News | Legal Rankings
Buy Now, Regulate Soon
Ten simple things
Funding the Future
Cyber Security for Start-ups
Fit for purchase
The Screen Industry Workers Bill
Other articles you
might like
.jpg)
New Zealand is consulting on reforms to its payment services regulatory framework, with submissions closing 3 July 2026.
Negotiating a fintech partnership agreement is not a zero sum game.
New rule 3A means individuals must be notified about indirect collection under the Biometric Processing Privacy Code 2025.
