In mainland China, various sports and fitness service facilities are enforcing mandatory facial recognition for consumers to enter, raising concerns about the arbitrary collection of facial information and the risk of privacy leakage.
On social media platforms and third-party complaint platforms in China, the practice of sports and fitness service facilities requiring the collection of biometric information such as facial recognition and fingerprints has drawn criticism from many consumers.
According to a report by the “Legal Daily,” in July of this year, Ms. Wang, a resident of Shanghai, purchased 20 street dance classes. However, when she went to the dance studio for her first class, she was informed that she had to sign in using a facial recognition system, and even the shower area for rinsing after dancing required facial recognition for access.
The businesses justified this requirement by stating that facial recognition for attendance was for the convenience of taking attendance, confirming the identity of customers, preventing others from taking classes on behalf of someone else, and that “without facial recognition, one cannot attend classes.” Ms. Wang found this reasoning unacceptable, and the two parties are currently in negotiations for a refund.
Recently, Mr. Zhang, a Beijing resident, purchased a single-entry voucher for a swimming pool but was informed upon arrival that he needed to register as a member to enter. Not only did he have to provide his name and ID number, but he also had to undergo facial recognition to receive an entry bracelet; otherwise, he would be denied entry to the swimming pool.
This left Mr. Zhang dissatisfied, questioning, “Can the swimming pool require consumers to ‘scan their faces’ to enter? I just wanted to use the experience voucher to swim, why do they need to collect personal identity information and even facial information? Isn’t this an invasion of personal privacy?”
Mr. Zhang’s experience is not isolated. Reports indicate that many consumers have been required to provide facial information when entering sports venues such as gyms, swimming pools, and tennis courts. Staff on-site explicitly stated that “without facial recognition, access to the venue and subsequent services cannot be enjoyed.”
Ms. Liu, a resident of Chongqing and a university teacher, was recently denied entry to a gym for refusing to provide facial information.
“Only by voluntarily linking to the facial recognition system can one enter the gym and verify course attendance. I questioned the store’s authority to collect members’ facial information at the time. What if the information leaks?” After some negotiation, the gym agreed that Ms. Liu did not have to link to the facial recognition system to access the gym’s public areas. However, “facial recognition is required to attend private lessons as the private lesson area is separate from the public area.”
Ms. Liu is unsatisfied with this resolution, and after failed negotiations, she is preparing to file a lawsuit.
Visits to various sports venues such as gyms, swimming pools, and tennis courts in Beijing and Tianjin revealed discrepancies in rules regarding the collection of facial information and biometric data. Some require facial recognition for entry, while others only require scanning a membership card or code. Some venues only use facial recognition in specific scenarios, such as attending private lessons or using personal lockers.
Can sports venues such as gyms and swimming pools collect biometric information such as facial recognition or fingerprints?
Interviewed experts believe that consumers, as the subjects of personal information, have the right to decide whether to disclose sensitive personal information to others and can refuse businesses to collect their biometric information.
Sun Ying, a professor at the School of Civil and Commercial Law at Southwest University of Political Science & Law, stated that facial recognition, fingerprints, and other biometric information are considered sensitive personal information. According to Article 28 of the Personal Information Protection Law, these service facilities can only process such sensitive personal information if they have specific purposes, essential necessity, and strict protection measures.
Zhao Jingwu, an associate professor at the School of Law at Beihang University, believes that if the collection of facial information leads to user information leakage, the service facility bears fault and should be liable for damages. If the service provider deliberately discloses or negligently manages information security, the service facility and relevant personnel may face administrative penalties, and in severe cases, it may constitute a crime of infringing on personal information of citizens.