Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Facial recognition technology can feel like a no-brainer for small businesses. It promises faster entry, better security, less fraud, and smoother customer experiences - especially if you’re running a retail store, gym, venue, coworking space, or any business where access control and loss prevention matter.
But facial recognition technology is also one of the most privacy-sensitive tools you can use. If you get it wrong, you don’t just risk upsetting customers or staff - you can expose your business to complaints, investigations, reputational damage, and costly rework.
In New Zealand, the main legal lens is the Privacy Act 2020. The key idea is simple: if you’re collecting and using biometric information (like a face template), you need a clear, justifiable reason to do it and you need to handle it carefully.
Below, we break down what facial recognition technology is, when it’s high-risk, what compliance looks like in practice, and how to build privacy into your rollout from day one.
What Is Facial Recognition Technology (And Why Is It A Legal Issue)?
Facial recognition technology generally involves using software to detect a person’s face and either:
- Verify they are who they claim to be (for example, “Is this the member who should have access to the gym?”), or
- Identify who they are by comparing them against a database (for example, “Who is this person entering the venue?”).
Even if you don’t store a photo, many facial recognition systems convert face images into a biometric “template” (a mathematical representation of facial features produced by the vendor’s model). From a privacy perspective, this is still personal information if it’s about an identifiable individual - and because the whole point of a template is to match it back to a specific person, it almost always is.
This is where the legal risk starts: biometric data is hard to change. If a password leaks, you can reset it. If biometric templates leak, the individual can’t “reset” their face.
That’s why facial recognition technology tends to be treated as high sensitivity, and why your compliance needs to be tighter than for ordinary CCTV.
Common Small Business Use Cases
We see facial recognition technology pitched to small businesses in a few common scenarios:
- Access control (entry to gyms, offices, events, back-of-house areas)
- Fraud prevention (repeat offenders, chargeback disputes)
- Loss prevention and security (identifying known shoplifters)
- Time and attendance (clocking in/out)
- Personalised service (recognising VIPs or loyal customers)
Each of these raises different privacy questions - and some are much harder to justify than others.
Which New Zealand Laws Apply To Facial Recognition Technology?
There isn’t a single “facial recognition law” in New Zealand. Instead, your legal compliance usually comes from a mix of privacy obligations, employment obligations (if staff are involved), and general business risk management.
Privacy Act 2020 (The Big One)
If your business collects, uses, stores, or shares facial recognition data about customers, members, visitors, or staff, you’re almost certainly dealing with the Privacy Act 2020.
At a practical level, the Privacy Act is built around 13 information privacy principles (IPPs) that generally require you to:
- Collect only what you need for a lawful purpose connected to your business
- Be transparent about what you’re collecting and why
- Store it securely and limit access
- Only use it for the purpose you collected it for (unless a valid exception applies)
- Take reasonable steps to keep it accurate if you’re relying on it
- Not keep it longer than necessary
- Enable access and correction rights (subject to limited exceptions)
Facial recognition technology often runs into problems when a business jumps straight to “we can do this” and forgets the harder question: should we do this, and can we justify it?
Employment Obligations (If You Use It On Staff)
If you’re using facial recognition technology to manage staff attendance or building access, you also need to think about employment law expectations around good faith, reasonableness, and privacy in the workplace.
Consent in an employment context can be complicated because of the power imbalance between employer and employee. Even where something is technically lawful, it can still create employee relations risk if it’s rolled out without proper consultation, clear policies, and a genuine need.
This is where having an Employee privacy handbook and a fit-for-purpose Workplace policy can be a big help - not as a box-ticking exercise, but as a practical way to define what you do, why you do it, and where the boundaries are.
Health And Safety (When Security And Risk Are The Drivers)
Some businesses consider facial recognition technology because they’re dealing with safety incidents, violence, or serious security concerns. If you’re using it to manage risk (for example, excluding banned persons), you should also think about aligning your approach with your health and safety duties.
That doesn’t automatically make facial recognition “okay”, but it can strengthen your argument that you have a legitimate reason - as long as your approach is still proportionate and privacy-conscious.
Cameras And Monitoring More Broadly
Facial recognition technology often sits alongside CCTV. If you’re already thinking about surveillance, it’s worth making sure you’ve got the basics right first, including signage and workplace considerations. The same practical issues come up (and are often amplified) with facial recognition.
If you’re using cameras at work in any form, it’s also worth reading Are Cameras Legal In The Workplace to understand the broader expectations around transparency and reasonableness.
How To Use Facial Recognition Technology In A Privacy-Compliant Way
Facial recognition technology compliance isn’t just about writing a privacy policy. It’s about setting up the whole system so it collects the minimum data, for a clear purpose, with proper safeguards.
If you’re considering rolling it out, here are the key building blocks to get right.
1. Be Clear On Your Purpose (And Pressure-Test It)
Start with a simple sentence:
“We want to use facial recognition technology to ________.”
Then ask:
- Is this purpose connected to our business functions?
- Is facial recognition necessary, or just convenient?
- Could we achieve the same outcome with something less invasive (PIN, swipe card, staff check-in, standard CCTV)?
- What’s the worst-case impact on an individual if we get it wrong (false match / false non-match / breach)?
A common trap is using facial recognition for “nice to have” personalisation. If it’s not truly needed, it’s harder to justify collecting high-sensitivity biometric data.
2. Choose “Verification” Over “Identification” Where Possible
From a privacy-risk perspective:
- Verification (1:1 matching) is typically lower risk - someone opts in, claims an identity (for example by presenting a membership card or entering a member number), and you compare their face against their own stored template only.
- Identification (1:many matching) is typically higher risk - you’re scanning everyone who passes the camera, including people who never enrolled, and comparing each face against the whole database. The chance of a false match also grows with the size of that database, so a mistaken match (and the awkward conversation that follows) becomes more likely as the system scales.
If you can design your system around verification, you’ll usually have an easier compliance pathway (and fewer customer trust issues to manage).
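To make the difference concrete, here is a small Python sketch of the two matching modes. It is an added illustration, not code from this article or from any vendor’s product. It assumes templates are unit vectors compared by cosine similarity (a common design, but vendors differ), the match threshold and the per-comparison false match rate are made-up numbers, and the “enrolled” vectors are generated at random rather than derived from anyone’s face.

```python
"""Added illustration (not from the Sprintlaw article or any vendor):
1:1 verification versus 1:N identification over face templates.

Assumptions, labelled: templates are modelled as unit vectors compared by
cosine similarity; the threshold and per-comparison false match rate (FMR)
are invented for illustration; the 'enrolled' vectors are constructed at
random and are not biometric data.
"""
import math
import random


def cosine(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def verify(probe, enrolled_template, threshold):
    """1:1 matching: the person claims an identity (e.g. scans a membership
    card) and the probe is compared against that one stored template only."""
    return cosine(probe, enrolled_template) >= threshold


def identify(probe, gallery, threshold):
    """1:N matching: the probe is compared against every enrolled template.
    Returns (person_id, score) for the best match if it clears the threshold,
    otherwise (None, best_score). Every passer-by is searched, enrolled or not."""
    best_id, best_score = None, float("-inf")
    for person_id, template in gallery.items():
        score = cosine(probe, template)
        if score > best_score:
            best_id, best_score = person_id, score
    if best_score >= threshold:
        return best_id, best_score
    return None, best_score


def false_match_probability(per_comparison_fmr, gallery_size):
    """Probability that a non-enrolled face falsely matches at least one of N
    templates, treating comparisons as independent: 1 - (1 - FMR)^N.
    This is why 1:N gets riskier as the gallery grows."""
    return 1.0 - (1.0 - per_comparison_fmr) ** gallery_size


def _random_unit_vector(rng, dims=128):
    """Constructed stand-in for a template; not derived from any image."""
    v = [rng.gauss(0.0, 1.0) for _ in range(dims)]
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def _noisy_copy(rng, template, noise=0.3):
    """A fresh capture of the same face: the enrolled template plus noise."""
    scale = noise / math.sqrt(len(template))
    return [x + rng.gauss(0.0, scale) for x in template]


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    gallery = {f"member-{i:03d}": _random_unit_vector(rng) for i in range(50)}
    threshold = 0.6  # assumed; real systems tune this on measured error rates

    # Enrolled member returns: 1:1 verification against their own template.
    probe = _noisy_copy(rng, gallery["member-007"])
    print("1:1 verify member-007:", verify(probe, gallery["member-007"], threshold))

    # Same probe under 1:N: the whole gallery is searched, not just one template.
    print("1:N identify:", identify(probe, gallery, threshold))

    # Someone who never enrolled is still scanned and searched under 1:N.
    stranger = _random_unit_vector(rng)
    print("1:N identify stranger:", identify(stranger, gallery, threshold))

    # Assumed per-comparison FMR of 1 in 10,000, across growing galleries.
    for n in (1, 100, 1_000, 10_000):
        p = false_match_probability(1e-4, n)
        print(f"P(at least one false match) with {n:>6} templates: {p:.4f}")
```

The last loop is the practical takeaway: a per-comparison false match rate that looks negligible for one member becomes a near-certainty once a 1:N system compares every face against thousands of templates, which is part of why identification is harder to justify than verification.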
3. Collect Only What You Need (And Don’t Over-Retain)
Facial recognition vendors sometimes default to collecting more than your business actually needs - like retaining raw images, storing logs indefinitely, or enabling extra analytics.
In practice, you should be able to justify:
- What data is collected (image, template, metadata, logs)
- Where it’s stored (local device vs cloud)
- Who can access it (roles, permissions)
- How long you keep it (retention periods)
- How it’s deleted (and whether deletion is permanent)
As a rule of thumb, keeping biometric data “just in case” is where a lot of privacy risk (and public backlash) comes from.
4. Get Consent Right (Especially For Customers And Staff)
Consent can be important, but it’s not a magic shield. You still need a justified purpose and a proportionate approach.
That said, if you’re using facial recognition technology for entry systems or membership features, you should think carefully about whether people genuinely have a choice.
- If facial recognition is mandatory, consent may be questionable because the person can’t realistically refuse.
- If it’s optional, you should provide a meaningful alternative (like a swipe card or PIN) without punishing the person for choosing it.
For staff, because of the inherent power imbalance, “consent” may not always be the cleanest legal basis to rely on. A better approach is often to treat it as a workplace requirement only where it is genuinely necessary and reasonable in your context, and after proper consultation.
5. Be Transparent: Notices, Signage, And Plain-English Explanations
One of the fastest ways to end up with complaints is surprising people with facial recognition technology.
Transparency usually includes:
- Clear signage at entrances (before a person is scanned)
- A plain-English explanation of why you’re using it
- What information is collected and how long it’s kept
- Whether the information is shared with anyone (including vendors)
- How someone can ask questions or make a complaint
This is also where a properly drafted Privacy Policy matters - not as legal fluff, but as your public-facing explanation of how your business handles personal information.
6. Secure The Data (And Plan For Breaches)
If you’re going to collect biometric information, you need strong security controls. That usually means:
- Strong access control and role-based permissions
- Encryption (in transit and at rest, where appropriate)
- Vendor due diligence (security posture, breach history, hosting locations)
- Audit logs and monitoring
- Staff training (so access isn’t shared informally)
Just as importantly, you should have a plan for what happens if something goes wrong. A Data breach response plan helps you respond quickly, meet your notification obligations under the Privacy Act 2020 (a privacy breach that is likely to cause serious harm must be notified to the Privacy Commissioner and, in most cases, to the affected individuals), and reduce damage.
What Are The Biggest Compliance Risks With Facial Recognition Technology?
Facial recognition technology often fails legally (and commercially) not because the business had bad intentions - but because the rollout is rushed, the settings are too broad, or the vendor’s “default” approach doesn’t match New Zealand privacy expectations.
Here are the risks we see come up most often for small businesses.
Using It When There’s No Strong Need
If your business uses facial recognition technology mainly for convenience (rather than a clear security need), it can be difficult to justify collecting such sensitive information.
This can also create reputational risk. Even if you technically comply, customers may still decide they don’t want to shop with a business that scans faces.
Function Creep (Using The Data For New Purposes Later)
A classic example: you start with entry verification, then later decide to use the same data for marketing, behavioural analytics, or identifying “high value” customers.
This is where you can accidentally step outside the purpose you originally collected the information for. If you think you may want to expand uses later, it’s worth getting advice before you build the system.
Relying On Vendor Promises Without Checking The Details
Vendors may say things like “we’re compliant” or “we don’t store images”, but compliance depends on your actual configuration, your notices, your retention settings, your access controls, and your contracts.
You should also check where data is stored and whether your vendor uses subprocessors (other service providers) to deliver the service.
Employee Pushback And Workplace Relationship Issues
Facial recognition for timekeeping is one of the most common flashpoints. Staff may see it as excessive monitoring, or feel they’re being treated like they can’t be trusted.
Even when you have a legitimate operational reason, you’ll usually get a better outcome if you:
- consult early
- explain the “why”
- document limits on use
- offer alternatives where reasonable
Not Being Ready For Privacy Requests
People may ask:
- “Do you have my facial data?”
- “What do you store and for how long?”
- “Who have you shared it with?”
- “Please delete it.”
Even if you ultimately have grounds to refuse a request in limited circumstances, you still need a process to handle requests properly and within the statutory timeframe (for access requests under the Privacy Act 2020, a decision is generally due within 20 working days).
Practical Checklist Before You Roll It Out
If you’re close to implementing facial recognition technology, it helps to slow down and do a structured pre-launch check. This is where you save money and stress - because it’s far easier to build compliance in than to retrofit it after complaints start rolling in.
Here’s a practical checklist you can work through:
- Document your purpose and why facial recognition is necessary.
- Choose the lowest-risk design (verification where possible, minimal data collection, minimal retention).
- Map the data flow (what is collected, where it goes, who accesses it, who hosts it).
- Review vendor terms (data ownership, security obligations, breach notification, deletion).
- Set retention and deletion rules that match your purpose.
- Prepare customer-facing transparency (signage, scripts, onboarding wording, website updates).
- Update internal policies so staff know what to do and what not to do.
- Have a breach plan and train key staff on it.
- Decide how you’ll handle opt-outs and alternatives (where appropriate).
If you want your policies to be practical (not just “legal-sounding”), it can help to align your internal IT expectations too - for example, setting rules around devices, access, and security in an Acceptable use policy.
And if you’re unsure whether your use case is proportionate, getting tailored Privacy advice early can save you from building the wrong system and having to unwind it later.
Key Takeaways
- Facial recognition technology is typically high-risk from a privacy perspective because it involves biometric information that can’t be easily changed if compromised.
- In New Zealand, facial recognition technology is usually regulated through the Privacy Act 2020, plus employment and workplace obligations if staff are involved.
- You should be able to clearly explain (and document) why you’re using facial recognition technology and why a less intrusive option wouldn’t meet your needs.
- A privacy-compliant rollout usually means data minimisation, short retention periods, strong security, clear signage and notices, and strict limits on who can access the data.
- Employee use cases (like timekeeping) can be especially sensitive - consultation, clear policies, and reasonable alternatives can help reduce risk.
- Having the right legal documents and operational policies in place early will help you stay compliant and protect trust in your brand.
This article is general information only and does not constitute legal advice. If you’d like help reviewing your facial recognition technology rollout, privacy compliance, or workplace policies, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.