Disclaimer
We are a Chinese digital marketing agency and frequently address questions related to PIPL compliance and implementation. However, we are not legal advisors. All recommendations and information provided on this page are based on our interpretation of these laws and should not be considered as legal advice. We advise our readers to use this information as an initial reference and consult with a qualified Chinese lawyer for comprehensive legal guidance.
Need legal help? We’ve got connections! We can hook you up with Chinese law firms that have staff who speak English and German. Just let us know if you need contact details—we’re happy to help you get the right advice.
Protecting personal data is super important for both businesses and individuals, especially nowadays with all the data breaches and privacy issues popping up. A lot of countries have put in place strict data protection laws to make sure personal info stays private and secure, especially when it’s collected and processed online. For online marketers, following these rules is a must if you want to keep people’s trust and avoid getting hit with big fines.
Let’s dive into some of the key global data privacy laws that tell us how personal information should be handled:
- General Data Protection Regulation (GDPR) – Europe
- Sets a high standard for data protection and privacy for individuals within the European Union.
- Datenschutz-Grundverordnung (DSGVO) – Germany
- Not a separate law: DSGVO is simply the German-language name for the GDPR. Germany supplements it with its own Federal Data Protection Act (BDSG), which adds local rules on top.
- Personal Information Protection Law (PIPL) – China
- China’s comprehensive data protection law, emphasizing explicit consent and stringent cross-border data transfer regulations.
- Personal Data Protection Act (PDPA) – Singapore
- Regulates the collection, use, and disclosure of personal data by private organizations.
- Lei Geral de Proteção de Dados (LGPD) – Brazil
- Brazil’s data protection law, modeled after GDPR, ensuring consent and data subject rights.
- Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
- Governs how private sector organizations collect, use, and disclose personal information in commercial activities.
- Personal Information Protection Act (PIPA) – South Korea
- One of the strictest data protection laws, requiring explicit consent and robust protection measures.
- Australian Privacy Principles (APPs) – Australia
- Part of the Privacy Act 1988, regulating the management of personal information.
- Act on the Protection of Personal Information (APPI) – Japan
- Japan’s main data protection law, focusing on consent and data subject rights.
For businesses targeting the Chinese market, compliance with PIPL is particularly critical.
This article will focus on PIPL, as our company helps Western businesses with their marketing efforts in China, ensuring they are compliant with these stringent regulations.
What is PIPL?
Imagine you’re browsing through the endless websites and apps out there, each one trying to grab your attention and, more importantly, your personal data. Sounds pretty hectic, right? Well, to tame this wild digital jungle, China passed the Personal Information Protection Law (PIPL) in August 2021, and it took effect on November 1, 2021. This law is like a superhero for your data, making sure that your privacy is safe and your info is handled with care.
But here’s the kicker: PIPL isn’t just for China. It’s got a long arm that reaches across the globe. Any business, anywhere (a tech startup in Silicon Valley, a big e-commerce player in Berlin) that processes the personal information of people located in China in order to offer them products or services, or to analyse their behaviour, has to play by PIPL’s rules (Article 3). Note that the test is where the person is, not their passport: data about a Chinese citizen living in Berlin falls under the GDPR, while data about a German expat in Shanghai falls under PIPL.
When it comes to data privacy, the PIPL and the European Union’s General Data Protection Regulation (GDPR) are the titans of their respective regions. Let’s dive into their key differences and similarities, but with a twist—imagine this as a showdown between two powerful champions:
- Global Reach:
- GDPR: The European heavyweight that extends its protective arm across the globe, covering any entity, wherever it sits, that offers goods or services to people in the EU or monitors their behaviour.
- PIPL: Not to be outdone, PIPL requires compliance from any entity, wherever it sits, that processes the personal information of people located in China to offer them products or services or to analyse their behaviour.
- Consent Mechanics:
- GDPR: Think of GDPR as the consent gatekeeper, demanding clear, informed, and revocable consent for data processing.
- PIPL: PIPL raises the stakes. Beyond ordinary consent it demands “separate consent” (a distinct, stand-alone yes) for sensitive information, for sharing data with other handlers, for public disclosure and for cross-border transfers, plus a parent’s or guardian’s consent for children under 14. It’s like a consent double-lock.
- Data Subject Rights:
- GDPR: Equips individuals with a powerful suite of rights—access, correction, deletion, and portability, ensuring they are in control.
- PIPL: Mirrors these rights but adds its unique flair, making sure individuals know how, why, and by whom their data is being used, and giving them the power to correct or delete it.
- Data Localization:
- GDPR: Focuses on regulating data transfers outside the EU, without strict localization mandates.
- PIPL: Takes a more protective stance. Operators of critical information infrastructure, and any handler whose processing volume exceeds a threshold set by the Cyberspace Administration of China (CAC), must store the personal information they collect within China’s borders. It’s like a data homebody.
- Cross-Border Data Transfers:
- GDPR: Facilitates international data flows through standard contractual clauses and adequacy decisions, ensuring recipients outside the EU are up to the GDPR mark.
- PIPL: Demands separate consent from the individual plus one of three approved mechanisms: a security assessment organized by the CAC, certification by an accredited body, or the CAC’s standard contract signed with the overseas recipient. A personal information protection impact assessment has to be completed beforehand as well. It’s like international data passport control.
- Penalties and Enforcement:
- GDPR: With fines reaching up to €20 million or 4% of global annual turnover, whichever is higher, GDPR’s penalties are designed to pack a punch.
- PIPL: Matches this intensity with fines up to RMB 50 million or 5% of the previous year’s turnover, possible suspension or shutdown of the business, and personal fines for the managers directly responsible, who can also be barred from senior roles. It’s a financial knockout if you step out of line.
By understanding these nuances, businesses can better navigate the global landscape of data privacy laws, ensuring they not only comply but also build trust with their users in every market they operate.
Key Provisions and Requirements of PIPL
A. Consent and Rights of Individuals
Obtaining Consent
Consent under PIPL is not just a formality but a fundamental requirement. It must be informed, voluntary, and explicit. This means that users should clearly understand what data is being collected, why it’s being collected, and how it will be used. For example, if a website collects email addresses for a newsletter, it must inform users about this purpose and obtain their explicit consent before collecting their email addresses.
- Sensitive Personal Information: This includes biometric data, religious beliefs, specific identities, medical health, financial accounts, location tracking, and data of minors under 14. For such data, PIPL requires “separate consent”: a distinct, stand-alone yes rather than a tick buried in a general privacy policy, and written consent where other laws or regulations call for it (WireWheel).
Transparency Requirements
Transparency is critical under PIPL. Businesses must inform individuals about:
- The identity and contact information of the data controller.
- The purpose, method, and scope of data processing.
- The types of personal data being processed.
- The retention period of the data.
- Users’ rights and the methods for exercising them.
For instance, if a website uses cookies to track user behavior, it must disclose this practice, explain the purpose (e.g., improving user experience), and provide a clear option to opt-out.
Practical Examples
- App Deletions: Uninstalling an app does not by itself tell the business anything, so it cannot be relied on as a withdrawal of consent. PIPL requires a convenient way to withdraw consent (Article 15), and once consent is withdrawn or the purpose has been achieved, the personal information has to be deleted (Article 47). Provide an explicit in-product or web route for withdrawal and deletion requests instead of assuming that deleting the app covers it.
- Auto-Ticked Boxes: Practices like pre-ticked consent boxes are prohibited. Users must actively give consent.
- Vague Terms: Consent terms must be clear and straightforward. Lengthy, complicated terms that confuse users are not compliant with PIPL (Pandectes, TRUENDO).
B. Personal Data Storage and Protection
Encryption and Anonymization
To protect personal data, businesses must apply technical safeguards such as encryption and de-identification (Article 51). Encryption keeps the data unreadable to anyone without the key; de-identification strips direct identifiers so a record cannot be tied to a person without extra information; anonymization goes one step further and makes re-identification impossible, at which point the data is no longer personal information under PIPL at all. Only the last is a true exit from the law, and it is hard to achieve for rich behavioural data.
- What Needs to Be Anonymized: Any personal data that can identify an individual should be considered for anonymization, and data that will only be used in aggregate, such as statistics, should be anonymized rather than merely de-identified.
- IP Addresses: PIPL does not name IP addresses in the law itself, and some commentators argue they are not personal data unless they can be directly linked to an individual (China Briefing). The definition, however, covers any information relating to an identified or identifiable person, and the national standard GB/T 35273 (Personal Information Security Specification) lists IP addresses as personal information, so the safe assumption is to treat them as such.
Internal Responsibilities
Organizations must appoint specific personnel responsible for data processing activities. Handlers that process personal information above the volume threshold set by the CAC must designate a person in charge of personal information protection, comparable to a GDPR Data Protection Officer (DPO), to oversee compliance and address data protection concerns (Article 52). A handler based outside China that is caught by PIPL’s extraterritorial reach must additionally set up a dedicated entity or appoint a representative in China and report its contact details to the regulator (Article 53), so for a Western marketer this is usually the first organizational step (China Briefing).
Third-Party Contracts
When engaging third-party services like Google Analytics, businesses must ensure these services comply with PIPL. Contracts should specify:
- The purpose and scope of data processing.
- The data types processed.
- Security measures in place.
- The duration of data processing.
For instance, using Google Analytics requires ensuring that Google processes data in compliance with PIPL, including data minimization and securing user consent (WireWheel). Keep in mind that Google Analytics sends the data to Google’s servers outside China, so it is also a cross-border transfer that needs separate consent and one of the PIPL transfer mechanisms, and that Google’s services are generally unreachable from mainland China anyway; a locally hosted analytics tool may be the more practical choice for that audience.
Data Handling During Restructuring
During corporate changes like mergers or bankruptcies, personal data must be managed securely. This means:
- Transferring data to the new entity under strict security measures.
- Deleting data that is no longer needed.
For example, if a company is acquired, it must ensure that the new owner continues to protect personal data as per PIPL standards (Usercentrics, Deloitte United States).
Marketing Automation and Price Discrimination
PIPL regulates automated decision-making (Article 24). Decisions based on profiling must be transparent and fair, and businesses may not apply unreasonable differential treatment in prices or other transaction terms. For instance, if data analysis shows a user has higher purchasing power, the business cannot charge them more for the same service. For marketing pushed by automated decisions, users must be offered a non-personalized option or an easy way to refuse it (China Briefing, Pandectes).
Sensitive Data
Handling sensitive personal data requires additional safeguards. This includes:
- Biometric Data: Fingerprints, facial recognition data.
- Health Records: Medical histories, health conditions.
- Data of Minors: Data of individuals under 14 is sensitive by definition; processing it requires the consent of a parent or guardian and dedicated processing rules.
Businesses must ensure robust security measures, a prior personal information protection impact assessment, and separate consent for processing such sensitive data (Pandectes).
C. Cross-Border Data Transfers
Localization Requirements
Certain data must be stored within China, especially data deemed critical for national security or large volumes of personal data. For instance, companies like Tesla must store Chinese user data within China to comply with localization requirements (Transcend, TRUENDO).
Consent and Security Assessments
Before transferring data out of China, businesses must:
- Obtain separate consent from users, after telling them who the overseas recipient is, how to contact it, the purpose and method of processing, the types of data involved, and how they can exercise their rights against that recipient.
- Satisfy one of PIPL’s transfer mechanisms: a security assessment organized by the CAC (mandatory for critical information infrastructure operators and large-volume handlers), certification by an accredited body, or the CAC standard contract with the recipient; and carry out a personal information protection impact assessment beforehand.
For example, if a company needs to share data with an overseas partner, it must ensure the partner has equivalent data protection measures in place and inform users about the transfer (Transcend, Deloitte United States).
Examples of Affected Companies
Major companies like Tesla and Apple have had to adjust their data practices to comply with PIPL. They now store certain data within China and ensure cross-border transfers meet stringent security standards. These changes highlight the global impact of PIPL and its importance for multinational operations (China Briefing).
This concrete approach to PIPL’s key provisions and requirements emphasizes the practical steps businesses must take to ensure compliance, safeguarding user data and building trust in the digital age.
Legal and Financial Penalties
PIPL is not just a set of guidelines; it comes with teeth. Businesses that fail to comply with its stringent requirements face severe legal and financial penalties. Understanding these potential consequences is crucial for ensuring compliance and protecting your business from significant losses.
Monetary Fines and Operational Penalties
Messing up under PIPL can get you in serious trouble, with huge fines and even business shutdowns. For a serious violation, a company can be fined up to RMB 50 million (about USD 7.7 million) or 5% of its previous year’s turnover, and the managers directly responsible can be fined personally (RMB 100,000 to 1 million) and barred from serving as directors, supervisors or senior managers for a period. This really shows how important it is to follow PIPL’s rules.
But it’s not just about the money. Companies might also have to stop their business activities or shut down completely if they don’t comply. These penalties are there to make sure companies handle personal data properly. So, if a company keeps messing up consent forms or misuses sensitive data, they might have to stop processing data until they get their act together.
Cancellation of Licenses
In severe cases, PIPL allows for the cancellation of business permits and licenses. This means that businesses could be forced to shut down entirely if they are found to be in gross violation of data protection laws. Situations that could lead to such drastic measures include:
- Persistent non-compliance despite warnings.
- Large-scale data breaches affecting a significant number of individuals.
- Failure to implement adequate security measures, resulting in repeated data leaks.
For instance, a company that continues to process sensitive personal data without obtaining explicit consent, even after being fined, could see its business license revoked (Transcend).
Real-World Examples
While PIPL is still relatively young, enforcement is already making waves. Here are some examples from China’s regulatory practice that show the potential impact:
- Didi Global Inc.: Shortly after PIPL’s enactment, Chinese regulators launched an investigation into Didi’s handling of user data. In July 2022 the CAC concluded it with a fine of RMB 8.026 billion (about USD 1.2 billion) for violations of the Cybersecurity Law, the Data Security Law and PIPL, plus personal fines for the CEO and the president. Before the fine came down, the investigation had already caused significant business disruption, including the removal of Didi’s apps from Chinese app stores.
- Alibaba Group: In 2021, Alibaba was fined RMB 18.2 billion (approximately USD 2.8 billion) by the market regulator for violating anti-monopoly rules. That was not a data-protection case, but it shows the scale of penalties Chinese regulators are prepared to impose on large platforms.
- Tesla: Tesla faced scrutiny over where the data from its vehicles in China was stored, and in 2021 announced a data center in China to keep that data local. With PIPL’s localization and cross-border transfer rules now in force, arrangements like this are the expected baseline rather than a precaution.
These examples illustrate the high stakes involved in complying with PIPL. Businesses must prioritize data protection and implement robust measures to avoid these severe penalties.
Sensitive Personal Information
Definition and Handling Requirements
Under PIPL, sensitive personal information is defined as data that, if leaked or misused, could easily harm the dignity or personal and property safety of individuals. This includes:
- Biometric Data: Fingerprints, facial recognition data.
- Medical Health Information: Medical histories, health conditions.
- Financial Data: Bank account numbers, credit card information.
- Personal Location Data: Real-time location tracking.
- Information on Minors: Data related to individuals under the age of 14.
- Specific Identities and Religious Beliefs: Information revealing ethnic or religious identities.
Handling such sensitive information requires stringent protective measures. Businesses must ensure this data is processed only when absolutely necessary and for specific, legitimate purposes. For example, biometric data should only be used when it is essential for security verification (Usercentrics, Pandectes).
Consent Requirements
For processing sensitive personal information, PIPL mandates separate consent from the data subjects, and written consent where other laws or regulations require it (Article 29). This means:
- Clear and Detailed Information: Individuals must be fully informed about the nature of the sensitive data being collected, the purpose of collection, how it will be used, why it is necessary, and what impact it may have on their rights (Article 30).
- Separate, Recorded Consent: The consent for sensitive data must be a distinct act, not bundled into a general privacy policy tick. Keep a record of it, and where a law demands written consent, obtain it in writing.
- Revocable at Any Time: Individuals should have the option to withdraw their consent at any moment, and businesses must provide an easy way to do so.
For instance, if a healthcare app collects medical records, it must obtain written consent from users, clearly explaining how their data will be used for their health management and ensuring they can opt-out whenever they choose (WireWheel, Pandectes).
Real-World Cases
PIPL is still in its early enforcement stages, but there have already been notable incidents highlighting its impact:
- Didi Global Inc.: As previously mentioned, Didi faced an investigation shortly after PIPL’s enactment due to concerns over its handling of sensitive user data, particularly location information. This investigation underscores the regulatory scrutiny on companies managing sensitive personal data.
- Alibaba Health Information Technology Limited: This subsidiary of Alibaba was scrutinized for its management of health-related data. The company had to ensure its data handling practices were in strict compliance with PIPL, including obtaining explicit consent from users for processing their medical information.
- Tencent: In response to regulatory requirements, Tencent implemented more robust consent mechanisms for its apps that handle sensitive data, such as WeChat. This included clearer privacy notices and more straightforward consent processes, ensuring users are fully aware of how their sensitive information is used.
These cases illustrate the regulatory environment’s vigilance in protecting sensitive personal information and the necessity for businesses to implement rigorous data protection and consent processes.
Role of the Chinese Government in PIPL
The Chinese government enforces PIPL through stringent regulatory measures. The Cyberspace Administration of China (CAC), along with other relevant authorities, handles violations and complaints. When a breach is reported or detected, these authorities launch investigations that can include on-site inspections, documentation reviews, and interviews. Confirmed violations can result in fines, mandatory rectifications, or even business suspensions (TRUENDO).
Collaborative Regulation
Enforcement of PIPL involves coordinated efforts among various government departments. The CAC collaborates with agencies such as the Ministry of Public Security and the Ministry of Industry and Information Technology to ensure consistent application of the law across sectors. Special rules are developed for emerging technologies like AI and facial recognition to address unique privacy concerns (Deloitte United States).
Powers of Regulatory Authorities
Regulatory authorities have extensive powers under PIPL to ensure compliance:
- Inspections: Authorities can conduct scheduled and surprise inspections of businesses to ensure they comply with PIPL regulations (TRUENDO).
- Compliance Audits: Regular audits assess a company’s adherence to PIPL, covering all aspects of data handling and protection (Deloitte United States).
- Corrective Actions: Authorities can mandate corrective actions, ranging from minor adjustments to major overhauls of security systems. Companies might need to implement new policies, enhance data protection measures, or halt certain data processing activities until they comply (TRUENDO, Deloitte United States).
- Penalties and Sanctions: Beyond fines and operational suspensions, authorities can revoke business licenses or restrict business activities, especially for repeat offenders or severe breaches (Deloitte United States).
These mechanisms ensure PIPL’s effective implementation, protecting personal data and upholding privacy rights.
Practical Implications for Western Marketers
Complying with China’s PIPL is crucial for Western marketers. Here’s a practical guide on what to watch out for:
1. Get Clear Consent
Most websites already have consent forms due to GDPR or DSGVO. However, with PIPL, there are a few extra steps you need to take:
- Active Consent: Ensure users actively opt-in. Pre-ticked boxes are not compliant.
- Explicit Information: Clearly state the types of data collected, the purpose, and how it will be used. Any changes in data processing should trigger a new consent request.
- Withdrawal of Consent: Provide an easy way for users to withdraw their consent at any time. This might require updates to your current consent management system (Usercentrics, WireWheel).
Example: Update your cookie consent banner to include a clear explanation of data usage, ensure all consent is actively given, and make sure users can easily revoke consent.
2. Handle Sensitive Data with Care
Sensitive personal data needs extra protection:
- Enhanced Security: Implement encryption, strict access control and de-identification for sensitive info like biometrics, health data, and minors’ data (fully anonymized data would no longer be the personal data you need to use, so de-identification is the realistic target).
- Separate Consent: Always get separate consent for processing sensitive data, written where a law requires it, and a parent’s or guardian’s consent for children under 14 (Pandectes).
Example: A health app should clearly explain how it will use health data and get explicit user consent before collecting any information.
3. Keep Data Local
PIPL has strict data localization rules:
- Local Storage: Store critical data within China, especially if it’s from sectors like finance or healthcare.
- Secure Transfers: Before transferring data abroad, get separate consent, run a personal information protection impact assessment, and use one of PIPL’s transfer mechanisms (CAC security assessment, certification, or the CAC standard contract) (Transcend, TRUENDO).
Example: Tesla and Apple have set up data centers in China to store local user data and comply with PIPL’s requirements.
4. Fair Marketing Practices
PIPL impacts how you use personal data for marketing:
- No Price Discrimination: Don’t use data to charge different prices based on user profiles. Be fair and transparent.
- Easy Opt-Out: Make it simple for users to opt out of targeted marketing and automated decisions (China Briefing, Pandectes).
Example: Ensure users can easily opt out of receiving personalized ads or marketing messages.
5. Manage Third-Party Services
When using third-party services, ensure:
- Clear Contracts: Define data processing purposes, scope, and security measures in your contracts.
- Compliance: Ensure third-party services like Google Analytics comply with PIPL (WireWheel).
Example: When using a CRM, ensure the contract specifies data processing details and compliance with PIPL.
6. Secure Data During Corporate Changes
During mergers or restructuring:
- Secure Transfers: Ensure personal data is securely transferred or deleted if not needed.
- Inform Users: Notify users about any changes in data handling due to corporate changes (Usercentrics, Deloitte United States).
Example: If your company is acquired, ensure the new owner follows PIPL standards and inform users of the change.
Turning Compliance into Opportunity
For Western marketers, understanding and complying with China’s PIPL is crucial—not just to avoid fines, but to build trust with your Chinese audience. PIPL emphasizes the need for clear, explicit consent, strong data protection, and careful handling of sensitive information. It also requires data localization and stringent conditions for cross-border data transfers.
Being proactive is essential. Regularly update your consent management processes, ensure your third-party contracts are solid, and maintain robust security measures. Compliance isn’t a one-off task but an ongoing effort. Embrace it, and you’ll not only stay compliant but also enhance your reputation as a trustworthy brand in the Chinese market.
By making compliance a cornerstone of your strategy, you’ll gain more than just legal security—you’ll earn the respect and trust of your customers. Keep monitoring, keep improving, and turn these regulations into a competitive advantage in the global market.
Hands-on: Implementing PIPL-Compliant Cookie Consent
Creating a PIPL-compliant cookie consent form involves a few critical steps to ensure you meet the stringent requirements of the law. Here’s a practical guide to what you need to know:
1. Consent Before Setting Cookies
- No Pre-Consent Cookies: You cannot set any non-essential cookies before obtaining explicit consent from users. EU regulators read the GDPR and ePrivacy rules the same way, but many sites still fire analytics tags on page load; under PIPL that means no tracking or analytics cookies until the user agrees.
- Necessary Cookies: Essential cookies necessary for the basic functioning of the website (like those for login or shopping cart functions) can be set without consent. However, users should still be informed about their presence and purpose.
2. Crafting the Consent Form
- Clear and Detailed Information: Your consent form must clearly explain what cookies are being used, what data they collect, why they are used, and how long the data will be retained.
- Active Opt-In: Users must actively opt-in to cookie usage. Pre-ticked boxes are not allowed. Each category of cookies (e.g., marketing, analytics) should have a separate opt-in option.
3. GDPR vs. PIPL Consent
- Adjustments Needed: If your consent form is already compliant with GDPR, it may still need adjustments for PIPL. Ensure explicit consent is obtained for all non-essential cookies and that your form provides clear, detailed information about data usage.
- Ongoing Consent Management: Provide users with an easy way to withdraw their consent at any time.
4. Using Google Analytics
- Explicit Consent Required: You must obtain explicit consent before loading Google Analytics, and your consent form should say what data GA collects. Because the data goes to Google’s servers outside China, this is also a cross-border transfer that needs separate consent and a PIPL transfer mechanism. In practice Google services are generally unreachable from mainland China, so a self-hosted or China-hosted analytics tool is often the better option for that audience.
- IP Address Anonymization: Treat IP addresses as personal information. Google Analytics 4 does not log or store full IP addresses; if you still run an older gtag/Universal Analytics setup, enable its IP anonymization option. Either way, state in the notice that an IP address is transmitted.
5. Third-Party Tools
- Web Fonts and A/B Testing: Fonts loaded from a third-party CDN send the visitor’s IP address and browser details to that provider on every page load, and A/B testing and session-recording tools track behaviour. Self-host fonts where you can, and obtain explicit consent before loading any tool that collects user data.
- Clear Disclosure: Inform users about these tools and their data usage in your consent form.
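To make steps 1 to 5 concrete, here is an added example (our own illustration, not code from the page above or from any consent vendor) of the logic a PIPL-oriented consent gate needs: nothing non-essential runs before an explicit choice, each category is opted into separately, a policy-version bump invalidates old consent so that a change in processing triggers re-consent, and withdrawal is a single call that also tells you which cookies to delete. The storage key, the category names and the in-memory store are assumptions; in a browser you would pass window.localStorage.

```javascript
// Added example, not code from the page: a consent gate for non-essential cookies and
// scripts. "storage" is anything with getItem/setItem/removeItem (window.localStorage in
// a browser; the in-memory store below for tests). Key and category names are assumptions.

const POLICY_VERSION = 2;                         // bump when purposes, methods or data types change
const STORAGE_KEY = "pipl_consent";               // assumed key name
const NON_ESSENTIAL = ["analytics", "marketing"]; // "necessary" is always allowed but still disclosed

function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createConsentManager(storage, { onWithdraw = () => {} } = {}) {
  const pending = [];          // loaders waiting for a category to be granted
  let record = readRecord();

  function readRecord() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    let parsed;
    try { parsed = JSON.parse(raw); } catch (_) { return null; }
    // Anything malformed, or recorded under an older policy version, is not consent.
    if (!parsed || parsed.version !== POLICY_VERSION) return null;
    if (!parsed.choices || typeof parsed.choices !== "object") return null;
    return parsed;
  }

  function hasConsent(category) {
    if (category === "necessary") return true;
    if (!NON_ESSENTIAL.includes(category)) return false;   // unknown category: deny
    return record !== null && record.choices[category] === true;
  }

  // Record an explicit choice. Every category is opt-in: anything not literally true is
  // false, so a banner cannot "pre-tick" by passing a truthy default.
  function grant(choices) {
    const normalized = {};
    for (const c of NON_ESSENTIAL) normalized[c] = choices[c] === true;
    record = { version: POLICY_VERSION, choices: normalized, grantedAt: new Date().toISOString() };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    // Run the loaders whose category just became allowed.
    for (let i = pending.length - 1; i >= 0; i--) {
      if (hasConsent(pending[i].category)) pending.splice(i, 1)[0].fn();
    }
    return { ...normalized };
  }

  // Withdrawal must be as easy as granting: one call clears the record and hands the
  // caller the categories whose cookies now have to be deleted.
  function withdraw() {
    record = null;
    storage.removeItem(STORAGE_KEY);
    onWithdraw([...NON_ESSENTIAL]);
  }

  // Gate a loader (e.g. the analytics tag) behind a category: runs now if allowed,
  // otherwise waits for grant(). Returns whether it ran immediately.
  function whenConsented(category, fn) {
    if (hasConsent(category)) { fn(); return true; }
    pending.push({ category, fn });
    return false;
  }

  return { hasConsent, grant, withdraw, whenConsented, pendingCount: () => pending.length };
}

// Walk-through on the in-memory store: what a page load, a banner click and a
// "withdraw consent" click would do in the browser.
function demo() {
  const store = memoryStorage();
  const deletedCategories = [];
  const cm = createConsentManager(store, { onWithdraw: (cats) => deletedCategories.push(...cats) });
  const loaded = [];
  const ranImmediately = cm.whenConsented("analytics", () => loaded.push("analytics-tag"));
  const beforeConsent = cm.hasConsent("analytics");
  cm.grant({ analytics: true });                 // marketing not mentioned: stays false
  const afterConsent = cm.hasConsent("analytics");
  const marketing = cm.hasConsent("marketing");
  cm.withdraw();
  return { ranImmediately, beforeConsent, loaded, afterConsent, marketing, deletedCategories,
           afterWithdraw: cm.hasConsent("analytics"), stored: store.getItem(STORAGE_KEY) };
}
```

In a real page you would wire `whenConsented("analytics", loadAnalyticsTag)` into the page script, call `grant` from the banner’s save button with only the boxes the user actually ticked, and attach `withdraw` to a permanently visible link, deleting the tools’ cookies inside `onWithdraw`. The point of the version check is step 3’s “adjustments needed”: when you change what you collect, bump the version and every visitor is asked again.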
6. Server Logs and Other Data
- Inform About Logs: Even server logs, which may capture IP addresses and other data, should be disclosed. While necessary for security and functionality, users should know that this data is collected.
- Minimal Data Retention: Only keep server logs for as long as necessary for security and operational purposes.
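For step 6, an added example (ours, not from the page) of the minimisation a web server’s access log should go through before it is retained for security purposes: it parses combined-format lines, masks the client IP so a single host is no longer identifiable, and drops everything older than an assumed retention window. The log lines, the 14-day window and the masking granularity are constructed assumptions; tune them to your own security needs.

```javascript
// Added example, not code from the page: minimise what a web server access log keeps
// before it is retained. Assumes nginx/Apache "combined" format; the retention window
// and the sample lines below are constructed for illustration.

const RETENTION_DAYS = 14;   // assumed retention window for security logs

const LOG_RE = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)(?: "([^"]*)" "([^"]*)")?$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse a CLF timestamp such as "14/Jun/2024:23:59:59 +0800" into a Date (UTC).
function parseClfDate(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzh, tzm] = m;
  const offsetMs = (Number(tzh) * 60 + Number(tzm)) * 60 * 1000 * (sign === "-" ? -1 : 1);
  return new Date(Date.UTC(Number(y), MONTHS[mon], Number(d), Number(hh), Number(mm), Number(ss)) - offsetMs);
}

// Truncate an address so it no longer identifies a single host: IPv4 keeps the first
// three octets, IPv6 keeps the first three groups (a /48).
function maskIp(ip) {
  if (ip.includes(":")) {
    const head = ip.split("::")[0].split(":").filter(Boolean);
    return head.slice(0, 3).join(":") + "::";
  }
  const octets = ip.split(".");
  if (octets.length !== 4) return "0.0.0.0";
  return octets.slice(0, 3).join(".") + ".0";
}

// Keep only lines inside the retention window, with the client IP masked. Lines that
// cannot be parsed are set aside rather than silently kept, because they cannot be aged.
function minimiseLog(lines, now = new Date()) {
  const cutoff = now.getTime() - RETENTION_DAYS * 24 * 60 * 60 * 1000;
  const result = { kept: [], dropped: 0, unparsed: [] };
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    const ts = m ? parseClfDate(m[4]) : null;
    if (!ts) { result.unparsed.push(line); continue; }
    if (ts.getTime() < cutoff) { result.dropped++; continue; }
    result.kept.push(maskIp(m[1]) + line.slice(m[1].length));
  }
  return result;
}

// Constructed sample log (RFC 5737 / RFC 3849 documentation addresses), evaluated as of 2024-06-15.
const SAMPLE_LOG = [
  '203.0.113.42 - - [20/May/2024:10:15:32 +0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Jun/2024:23:59:59 +0800] "GET /pricing HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '2001:db8:85a3::8a2e:370:7334 - - [14/Jun/2024:08:01:00 +0800] "POST /login HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"',
  'this line is not in combined format',
];

function demoMinimise() {
  return minimiseLog(SAMPLE_LOG, new Date("2024-06-15T00:00:00Z"));
}
```

Run this as a scheduled job over rotated log files rather than on the live file, and keep the unparsed lines for a human to look at: a log entry you cannot date is also one you cannot prove you deleted on time.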
Some of the sources we dug into for you are:
- https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
- https://baijiahao.baidu.com/s?id=1799165927002464338&wfr=spider&for=pc
- https://baijiahao.baidu.com/s?id=1799128699783033296&wfr=spider&for=pc
- https://www.thepaper.cn/newsDetail_forward_27441435
- https://www.thepaper.cn/newsDetail_forward_27223984
- http://www.chinapower.com.cn/dlxxh/cjxx/20240521/246908.html
Still confused? No problem. Although we do not provide legal advice, our experience lets us give a quick judgement on whether your website and online business activities are at lower or higher risk of violating Chinese law.
We will be more than happy to provide you with that quick evaluation and, where advisable, recommendations of law firms in China with fluent English- or German-speaking staff who can provide legal advice in a language you speak.
Just send us a message asking for “PIPL Quick Evaluation” to hello@jadegital.com