What you need to know about the new NZ Biometric Processing Privacy Code

You may have heard the Privacy Commissioner has released the Biometric Privacy Code 2025 – which is now officially law under the Privacy Act.

This new piece of legislation is all about making sure organisations using biometric tech are doing so in a safe, secure and balanced way – something APLYiD has already got covered.

The good news is, if you’re using APLYiD, we will continue to remove a lot of the compliance burden from you. While the Code does place new obligations on agencies using biometric tech, such as managing your own notifications and privacy policies, and deciding if an alternative to biometrics should be offered, we’ll support you in meeting these.

What’s more, we only collect the necessary biometric data points which are required by law. The data’s strictly used for AML/CFT reasons, not for commercial or personal gain.

Clear customer consent and no surprises

APLYiD clearly asks for your customer’s consent before they go through the AML biometric checks. This means they can’t continue unless they tick the box to confirm they consent. We’re also transparent that we’re collecting biometric information through the AML process.

Why this law matters – ‘It is not just information about us, it is us.’

In the official press release (https://www.privacy.org.nz/news/statements-media-releases/privacy-commissioner-announces-new-rules-for-biometrics/), Privacy Commissioner Michael Webster says “Biometrics are some of our most sensitive information. It is not just information about us, it is us. The very thing that makes biometrics risky, their uniqueness, also makes them useful. The aim of the new rules is to allow for beneficial uses of biometrics while minimising the risks for people’s privacy and society as a whole.”

What exactly is biometric processing?

Biometric processing uses technologies like facial recognition to collect and process unique information in order to verify identity, gather accurate data, and confirm legitimate access.

Due to the sensitive nature of biometrics, collecting and processing this information needs to be appropriate, secure and consensual.

APLYiD requires users to give consent before they continue through our biometric AML checks.

When will the new rules take effect?

This new law was announced and published on Wednesday August 6, and it will take effect on November 3, 2025. Existing agencies and organisations collecting biometric info must comply by August 3, 2026 (12 months after the announcement).

If you’re using APLYiD for your AML biometric checks, this law change will not disrupt your processes. We already limit data sharing to necessary organisations, and collect all necessary consents along the way, and we’ll continue doing so.

More available resources on the context of these changes.

If you’re short on time, here’s an overview.

If you’re up for a longer read, here’s a comprehensive A-Z of all things biometrics.

If you’re curious to read what private individuals and agencies care about when it comes to biometrics and privacy, take a look at this report. It summarises the key themes from submissions received on the draft Biometric Processing Privacy Code.

APLYiD and biometrics – ramping up the benefits and dialling down the dangers

APLYiD only collects and processes biometric information to prevent fraud and other illegal activities – and to keep your business and reputation safe.

This means we never use biometric data for profiling, to categorise, or for any reason other than your AML/CFT checks.

We know this information is sensitive and processing it can be risky – that’s why we take privacy and security seriously, and why we’ve developed our AML biometric checks to a world class standard.

Our AML checks maximise the benefits of biometrics – ease, efficiency and assurance – while mitigating the risks including privacy breaches, a lack of transparency of what happens to the data, and bias.

Finally, APLYiD does not store any biometric data – it's automatically deleted after seven days.