On April 2, 2026, three of China's most powerful regulators — the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) — jointly launched a nationwide enforcement campaign against unlawful personal-data processing across six sectors: apps and SDKs, internet advertising, education, transport, healthcare and financial services. The announcement marks a shift from rule-writing to operational enforcement, and its most consequential element is narrow but real: in education, healthcare and finance, providers may no longer force users to verify their identity by face scan where a non-biometric alternative exists.
That is a better rule than most observers of Chinese surveillance policy would expect. It is also a useful test of a principle this publication defends: regulation should be judged by whether it is proportionate and evidence-based, not by which government writes it.
The rule that actually matters
The enforcement campaign does not invent new law; it operationalizes the Measures for the Security Management of Facial Recognition Technology Applications, jointly issued by the CAC and MPS and in force since June 1, 2025. Article 10 of those Measures is the substantive core: "Where methods other than facial recognition technology exist that could realize the same purpose or achieve equivalent operations requirements, facial recognition technology must not be made the sole method for verification." Article 11 goes further, encouraging organizations to route identity checks through state databases "to reduce the collection and storage of facial information," and Article 15 requires any handler storing facial data on more than 100,000 people to file with the provincial cyberspace authority within 30 working days.
Strip away the geography and this is textbook data-minimization. A clinic, a bank or a school does not need a permanent biometric template to confirm who you are; a password, an ID card or a one-time code usually does the job. Making the most intrusive method optional rather than default is exactly the proportionality test that European data-protection regulators, and privacy advocates everywhere, have urged for a decade.
Give the regulator its due
The strongest case for the campaign is straightforward. Commercial facial recognition in China had metastasized — hotels, residential compounds, gyms and retail checkouts collecting face data with no necessity and little security, creating vast honeypots of immutable biometric identifiers. A leaked face template cannot be reset like a password. China's Supreme People's Court has already backed residents who refused face scans to enter their own buildings, and the 2026 campaign extends that logic to the sectors where coercion is most acute: you cannot meaningfully "consent" to a face scan when the alternative is being denied medical care or a bank account. On the merits, constraining forced biometric capture at the point of service protects ordinary people from genuine harm. That deserves to be said plainly.
The asymmetry the campaign is built around
The problem is not the rule; it is the institution writing it. The same Ministry of Public Security co-authoring a ban on coerced commercial face scans operates the world's largest state surveillance apparatus — the nationwide public-security camera networks built under the "Skynet" and "Sharp Eyes" programs. Nothing in the 2026 campaign touches any of it. Article 11's preferred alternative is telling: instead of private firms each hoarding face data, identity verification should flow through the "State Online Identity Verification Public Service" and the national population database. Distributed commercial collection is discouraged; centralized state collection is the recommended substitute.
This is the move to watch. A genuine privacy reform reduces the total quantum of surveillance. This campaign redistributes it — pruning the private sector's biometric sprawl while channeling identity data toward state-run infrastructure that the same enforcing ministries control. The citizen gains real protection against a gym or a landlord, and loses nothing against the state, because against the state there was never any protection to lose.
Campaign-style governance has its own cost
There is a second, more familiar concern for businesses. China governs through periodic enforcement "campaigns" rather than steady, predictable supervision, and the regulators explicitly reserve the right to "dynamically adjust priorities according to actual work needs." That ambiguity is a compliance tax. A firm cannot plan biometric systems around a rule whose enforcement intensity arrives in unpredictable bursts and varies by province. Proportionate regulation is not only about the substance of a rule but about whether companies can rely on it — and campaign governance trades legal certainty for deterrence-by-surprise.
The exportable part, and the cautionary part
The right reading, then, is split. Article 10's principle — facial recognition must not be the default where a less intrusive method works — is sound, evidence-based and worth borrowing; democracies drafting AI and biometric rules should note that even Beijing has conceded coerced face scans in everyday commerce are indefensible. But the institutional design around it is a warning. A privacy regime that disciplines only private actors while exempting and even feeding the state's own surveillance machine is not a model of restraint; it is surveillance reorganized for the convenience of the surveilling. Good rules can serve bad architectures. China's 2026 campaign is the clearest current illustration of both halves of that sentence at once.