Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, facial recognition can feel like the next “smart” step - tighter security, less theft, faster check-ins, easier access control, and more personalised customer experiences.
But here’s the catch: facial recognition isn’t just another camera. In most cases, it involves collecting and using biometric information (data that identifies someone), which puts you squarely in privacy and employment law territory.
This guide breaks down what the legality of facial recognition technology in New Zealand means in practical terms, and what you should put in place before you switch anything on.
What Is Facial Recognition Technology (And Why Is It Legally Sensitive)?
Facial recognition technology (often shortened to “FRT”) generally refers to tools that:
- capture an image or video of a person’s face (for example, via CCTV or a kiosk camera);
- extract “biometric templates” or measurements (for example, distances between facial features); and
- compare that template to a database to identify or verify a person (or to categorise them).
From a legal perspective, the major difference between “regular CCTV” and facial recognition is that facial recognition can be used to identify a person (or attempt to identify them) in a way that’s more intrusive and higher-risk.
That triggers higher expectations around:
- necessity (do you actually need it for your purpose?);
- transparency (have you clearly told people what you’re doing?);
- security (can you protect biometric data properly?); and
- fairness (could it be discriminatory, inaccurate, or used in a way people wouldn’t reasonably expect?).
If you’re looking into the legality of facial recognition technology in New Zealand, the key takeaway is that the law doesn’t “ban” facial recognition outright - but it can be high risk to deploy without strong privacy governance (and the Office of the Privacy Commissioner commonly expects organisations to think carefully about necessity, proportionality and safeguards, including through a Privacy Impact Assessment for higher-risk uses).
Is Facial Recognition Technology Legal In New Zealand For Businesses?
In general, yes - facial recognition can be legal in New Zealand for businesses.
However, whether your specific use is lawful depends on how you collect facial data, why you’re collecting it, what you do with it, and what safeguards you put in place.
The main legal framework you’ll usually need to consider includes:
- Privacy Act 2020 (this is the big one - it governs how you collect, store, use, and disclose “personal information”);
- Health and Safety at Work Act 2015 (if you’re using it for safety, security, or site access control, you still need to manage workplace risks lawfully and proportionately);
- Employment Relations Act 2000 (if employees are affected, you should consider “good faith” and fair process);
- Human Rights Act 1993 (if the system’s use or outcomes are discriminatory - even unintentionally - that can create legal exposure); and
- Fair Trading Act 1986 (if you make claims to customers about what you do with their information, those claims need to be accurate and not misleading).
To make this more concrete: it’s one thing to use a basic camera to deter theft. It’s another thing to build (or buy) a system that identifies people, flags them as “high risk”, or tracks their return visits without them understanding that’s happening.
If you’re unsure whether your plan sits on the “low risk” or “high risk” end of the scale, it’s worth getting tailored privacy advice before you invest in software, devices, and training.
Privacy Act 2020: The Practical Rules Businesses Need To Follow
Most questions about the legality of facial recognition technology in New Zealand come back to the Privacy Act 2020 and the privacy principles (often called “IPPs”). You don’t need to memorise them - you just need to operationalise them in your business.
1) Collect Facial Data Only If You Have A Clear, Lawful Purpose
You should be able to clearly explain:
- what your purpose is (for example, access control to a restricted area);
- why facial recognition is necessary for that purpose (and why a less intrusive option won’t do); and
- how you’ll measure whether it’s actually effective.
Good purposes are usually narrow, specific, and risk-based (for example, protecting staff in a high-risk environment or controlling access to secure rooms). “Because it’s available” or “because it’s cool” is not a great legal starting point.
2) Be Transparent: Tell People What You’re Doing
If you’re collecting personal information, you generally need to take reasonable steps to make sure individuals know what’s going on.
In practice, that often means:
- clear signage at entry points if facial recognition is operating;
- a short “just-in-time” explanation near the camera or kiosk; and
- a written Privacy Policy that explains what you collect, why you collect it, and how people can contact you about it.
Depending on the setup, you may also want a dedicated privacy collection notice that’s easy to read (and not buried in a website footer).
3) Don’t Collect More Than You Need
Facial recognition systems can collect more information than you realise, including metadata, timestamps, location information, and behavioural patterns.
From a legal and risk-management standpoint, it’s usually safer to:
- limit capture to the minimum necessary area (avoid scanning footpaths or neighbouring premises);
- avoid “always-on” identification if you only need verification for a specific moment (for example, entry to a staff-only area);
- reduce retention periods; and
- avoid creating a large database of face templates unless you genuinely need it.
4) Store It Securely (Biometric Data Is High-Value Data)
If you store face templates or identifiable images, treat them like highly sensitive information. If they’re compromised, you can’t “reset” a face the way you reset a password.
Good practice usually includes:
- strong access controls (role-based access, MFA, strong passwords);
- encryption (in transit and at rest, where appropriate);
- supplier due diligence (especially if the vendor hosts data offshore);
- regular audits and logging; and
- a documented data breach response plan so you can act fast if something goes wrong.
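The controls listed above (role-based access, use only for the enrolment purpose, logging of every access, and a fixed retention period) can be enforced in the layer that sits between your application and the vendor's template store. The following Python is an added illustration written for this article, not Sprintlaw's code and not any vendor's API; every name in it is hypothetical, the template bytes are a constructed sample, and the exact-bytes comparison stands in for the vendor's similarity matching. Encryption at rest is assumed to be provided by the underlying storage and is not shown.

```python
"""Governance wrapper around a biometric template store (added example).

Enforces four controls from the article: role-based access, purpose
limitation (no "function creep"), an audit entry for every access attempt
whether allowed or refused, and deletion once the retention period expires.
All role, actor and subject names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Which role may perform which action. Roles not listed here (for example a
# marketing team) get no access at all, not even an attempt at verification.
PERMISSIONS = {
    "door_controller": {"verify"},
    "security_admin": {"enrol", "verify", "delete", "read_audit"},
}


@dataclass
class Template:
    subject_id: str
    data: bytes            # vendor template bytes (constructed sample in demo())
    purpose: str           # purpose recorded at enrolment, e.g. "server_room_access"
    enrolled_at: datetime


@dataclass
class TemplateStore:
    retention: timedelta                       # set from the written retention policy
    templates: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _check(self, actor, role, action, subject_id, now):
        """Authorise one action and record the attempt, allowed or not."""
        allowed = action in PERMISSIONS.get(role, set())
        self.audit_log.append({"at": now.isoformat(), "actor": actor, "role": role,
                               "action": action, "subject": subject_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action}")

    def enrol(self, actor, role, subject_id, data, purpose, now):
        self._check(actor, role, "enrol", subject_id, now)
        self.templates[subject_id] = Template(subject_id, data, purpose, now)

    def verify(self, actor, role, subject_id, data, purpose, now):
        """1:1 verification against the enrolled template for subject_id.

        Refuses when the stated purpose differs from the enrolment purpose,
        so a template enrolled for door access cannot be reused for attendance.
        """
        self._check(actor, role, "verify", subject_id, now)
        tmpl = self.templates.get(subject_id)
        if tmpl is None or tmpl.purpose != purpose:
            return False
        # Stand-in for the vendor's similarity comparison: exact byte match.
        return tmpl.data == data

    def delete(self, actor, role, subject_id, now):
        self._check(actor, role, "delete", subject_id, now)
        return self.templates.pop(subject_id, None) is not None

    def purge_expired(self, now):
        """Retention enforcement: drop templates older than the retention period."""
        expired = [s for s, t in self.templates.items()
                   if now - t.enrolled_at > self.retention]
        for s in expired:
            del self.templates[s]
            self.audit_log.append({"at": now.isoformat(), "actor": "retention_job",
                                   "role": "system", "action": "purge",
                                   "subject": s, "allowed": True})
        return expired


def demo():
    """Run a constructed scenario and return the outcomes of each control."""
    store = TemplateStore(retention=timedelta(days=90))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice_template = b"\x01\x02\x03"  # constructed stand-in for a real template
    store.enrol("ops.lee", "security_admin", "alice", alice_template, "server_room_access", t0)

    verified = store.verify("door-1", "door_controller", "alice", alice_template,
                            "server_room_access", t0)
    wrong_purpose = store.verify("door-1", "door_controller", "alice", alice_template,
                                 "attendance", t0)
    try:
        store.verify("campaign-tool", "marketing", "alice", alice_template,
                     "server_room_access", t0)
        marketing_denied = False
    except PermissionError:
        marketing_denied = True
    purged = store.purge_expired(t0 + timedelta(days=91))
    return {"verified": verified, "wrong_purpose": wrong_purpose,
            "marketing_denied": marketing_denied, "purged": purged,
            "audit_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The audit log is the piece auditors and complainants will ask about: because `_check` writes an entry before deciding, refused attempts are recorded alongside successful ones, which is what makes a later privacy request or breach investigation answerable.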
5) Use And Share It Only In Ways People Would Expect
Even if you collect facial data lawfully, you still need to be careful about what you do with it later.
Ask yourself:
- Will we use it only for the original purpose?
- Are we sharing it with anyone else (security providers, landlords, head office, overseas vendors)?
- Could it be used for profiling or automated decisions that affect people?
If you “function creep” - for example, collecting facial data for security but later using it for marketing segmentation - you can quickly drift into non-compliant territory.
Using Facial Recognition In The Workplace: What Small Businesses Should Watch For
Facial recognition often shows up in workplaces as:
- site entry or access control;
- time and attendance tracking;
- security monitoring in customer-facing spaces; and
- protecting stock, cash handling areas, or sensitive client information.
Even if your goal is reasonable, workplace use can become legally messy if it feels excessive or unfair. As a business owner, you want solutions that improve safety and operations - without damaging trust or triggering employment disputes.
Be Clear On Whether You’re Monitoring Employees Or Securing Premises
If facial recognition is used in a way that monitors employees (even indirectly), you should treat this as a significant workplace change.
It’s also worth checking your approach against your broader monitoring setup - for example, how your workplace cameras operate, what signage you use, and what policies cover monitoring.
Have A Written Policy (And Make Sure Staff Actually Understand It)
For small businesses, a common mistake is relying on informal “everyone knows” arrangements.
A better approach is to document:
- why facial recognition is used at work;
- where it operates and when;
- who can access the information and for what reasons;
- how long data is kept;
- what happens if the tech flags a match (including a human review step); and
- how employees can raise concerns or request access to information.
This is often handled as part of an Employee Privacy Handbook or broader workplace policy suite.
Avoid “Overreach” (It’s A Common Reason These Systems Backfire)
Some examples of high-risk workplace uses include:
- using facial recognition as the default timekeeping tool when less intrusive methods exist;
- using it to infer mood, fatigue, or performance levels (this can create serious privacy and discrimination concerns);
- disciplining staff based solely on automated matches (without human verification); and
- running facial recognition in break rooms or private areas where employees reasonably expect privacy.
In short: if you’re using this tech at work, make sure it’s proportionate, transparent, and supported by fair process.
A Practical Compliance Checklist Before You Roll It Out
If you’re planning to deploy facial recognition, it helps to think of it like any other high-impact system: you need governance, documentation, and a plan for when things go wrong.
Here’s a practical pre-launch checklist you can work through.
1) Define The Purpose And Scope (In Writing)
- What problem are you solving?
- Where will cameras/devices operate?
- Who will be enrolled in the database (staff only, members, known offenders, everyone)?
- What happens when the system generates a “match”?
This is the step that often decides whether your plan will meet expectations around the legality of facial recognition technology in New Zealand.
2) Decide Whether Consent Is Needed (Or Whether You Can Rely On Notice And Legitimate Purpose)
In some contexts, consent might be appropriate (for example, an opt-in membership verification process). In others, consent might not be meaningful (for example, a customer walking into a store can’t realistically “negotiate” surveillance terms).
In New Zealand, the Privacy Act doesn’t always require consent as a stand-alone rule - what matters is whether collection is for a lawful purpose, necessary, and carried out fairly, with appropriate notice. Consent can help (especially for optional features), but it won’t necessarily “fix” a collection practice that’s excessive or unexpected.
3) Update Your Customer-Facing Privacy Settings
- Signage that’s visible before collection occurs.
- A short-form explanation (what, why, who to contact).
- A more detailed Privacy Policy that matches your actual practices (not a generic template).
If your privacy documents don’t reflect reality, you can end up with both privacy compliance issues and misleading conduct risk.
4) Review Your Vendor Contract And Data Hosting Arrangements
Facial recognition is often delivered by third-party providers. Before you sign anything, make sure you understand:
- who owns the data and biometric templates;
- whether the vendor can use the data to train their systems;
- where the data is stored (including offshore storage, and whether disclosures overseas are handled in a way that meets New Zealand’s cross-border disclosure requirements);
- your security obligations vs the vendor’s obligations; and
- what happens when you stop using the service (data deletion, return, or retention).
Good contracting here can save you a lot of headaches later - especially if you ever need to change suppliers or respond to a complaint.
5) Build A “Human Review” Step Into Decision-Making
Facial recognition can be wrong. False positives and false negatives happen, and the business risk usually lands on you.
Where the system’s output could affect someone (for example, refusing entry, contacting security, or taking disciplinary action), it’s smart to build in:
- a requirement for human verification before action;
- a process for resolving disputes quickly;
- a way to correct data if it’s wrong; and
- a documented escalation pathway.
6) Prepare For Privacy Requests And Complaints
Individuals may request access to personal information you hold about them, and may also challenge accuracy or complain about collection practices.
You should know internally:
- who receives privacy requests;
- how you verify identity before releasing information;
- what information you can provide; and
- how fast you can respond.
This is where having clear documentation (and trained staff) matters just as much as the technology itself.
7) Have A Breach Plan Ready (Before You Need It)
Because biometric data is high risk, you should assume you may need to respond to:
- unauthorised access (internal or external);
- lost devices;
- misconfigurations; or
- vendor incidents.
A documented data breach response plan helps you act quickly and consistently, which is crucial because New Zealand has mandatory privacy breach notification in some situations (for example, where a breach is likely to cause serious harm, you may need to notify both affected individuals and the Office of the Privacy Commissioner).
Key Takeaways
- In most cases, the legality of facial recognition technology in New Zealand comes down to how you manage privacy, fairness, and security - facial recognition can be legal, but it’s higher risk than standard CCTV.
- The Privacy Act 2020 is usually the main law you need to comply with, especially around purpose, transparency, data minimisation, secure storage, and limits on use/disclosure.
- If you use facial recognition in the workplace, you should be especially careful about proportionality and employee trust, supported by clear workplace policies (often through an Employee Privacy Handbook).
- Clear notice is essential - practical steps like signage and a properly tailored privacy collection notice can make or break compliance.
- Vendor contracts and data hosting arrangements matter, particularly around who owns the biometric data, where it’s stored, and how it’s deleted when you exit.
- Build human review into any decisions based on facial recognition outputs to reduce legal risk from inaccuracies and unfair outcomes.
- Because biometric information is sensitive, you should prepare for security incidents upfront with a data breach response plan.
Note: This article is general information only and isn’t legal advice. If you’d like help reviewing your facial recognition rollout, privacy documentation, or workplace policies, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.