What Does China’s New Personal Information Protection Law, PIPL, Mean for International Companies?
October 18, 2021 | Danielle Sumerlin
What is the PIPL?
China's Personal Information Protection Law, which protects individuals’ rights over their data and regulates how their data may be used, has been in effect since November 1, 2021.
Privacy laws are being enacted all over the world in 2021; in the APAC region alone, a dozen countries already have one. The PIPL is distinctly different from China's data residency regulations: the former is about user rights, while the latter aims to keep data processing domestic for certain critical industries and data volumes.
Similar to the European Union's GDPR and California's CCPA, the PIPL focuses on granting users certain privacy rights, protecting those rights, and regulating how their data is used. However, the PIPL is fundamentally different from the GDPR in the granularity and parameters of the consent it requires. The one word that perhaps best captures the PIPL's effect on companies is therefore consent.
While the full complexities of the PIPL are certainly not covered here, this post summarizes some of the law's basic elements and consequences.
What are the basic elements of the PIPL?
The PIPL applies to all individuals and organizations, in both the public and private sectors, that handle the personal data of people within China's borders.
Notably, the PIPL expands the definition from Personally Identified Information to Personally Identifiable Information: if a company can stitch non-identified data together into a profile that identifies a person, that data is PII.
For example, if a person's buying habits and locations are collected along with other behavioral data and then triangulated with third-party-appended data to profile the actual user, that is PII even though no email address or phone number was collected.
Six legal principles form the basis of personal information processing in the PIPL:
Lawfulness, Fairness, Necessity, and Good Faith
Purpose Limitation (through consent management)
Data Minimization (now mandated for most brands)
Openness and Transparency
Accountability and Security
To be PIPL compliant, a company must have a lawful basis for handling personal information from one of the following:
Necessary consent from the personal information subject
Performance of a contract
Necessity for responding to emergencies
News reporting and public opinion supervision necessary for the public interest
Personal information that has been legally disclosed
Other circumstances stipulated in laws and regulations
Most international brands will operate under the first basis: obtaining necessary consent. Alongside this, other conditions include conducting risk assessments, keeping records, satisfying other security controls (see below), and passing a security assessment or being certified by a specialized agency.
Necessary security controls that personal information processors must meet include following set policies and procedures, classifying personal information, providing staff awareness and permissions training, applying encryption and de-identification, maintaining incident response, and passing regular compliance audits.
Users have Data Subject Rights (DSR), similar to GDPR:
Right to information
Right to access
Right to correction/rectification
Right to erasure
Right to object to the processing of data
Right to data portability (must satisfy conditions set by the Cyberspace Administration of China)
Right to not be subject to automated decision-making (like profiling and personalization)
Right to withdraw consent
Right to lodge a complaint
While the PIPL does not specify an exact compliance time, requests must be honored within a reasonable business time frame.
How does user consent work under the PIPL?
The consent that is necessary is defined by the type of data being collected and the intended use of that information: for example, whether the data is classified as Sensitive Personal Information, and whether it will be used for fulfilling a transaction, marketing, or profiling.
Sensitive Personal Information as defined by the PIPL, which requires clear and express consent (beyond implied consent; more on that later), includes a person's specific identity and location, along with other factors like religion, health conditions, financial accounts, and personal information about children.
Consent can be requested in four main levels:
Operational (transactional, commerce, and subsequent service)
Subscriptions (like a membership)
Marketing (for sending promotions and similar communication)
Profiling (all AI and personalization for user experience improvement)
Overall, four other questions must be considered when obtaining consent:
Who is getting the data? Internal brand processing only, or is a third party involved (third parties include brand headquarters outside of Mainland China)?
What will the data be used for? This is where the levels of consent come in. Is it only so that the product can be delivered, or is it to personalize the promotions the user receives?
When, or for how long? For example, will the data be kept for a month, or for a year after the last contact?
Where will the data go? Transfer outside Mainland China requires cross-border consent.
Consent must be intentional and clear. No longer can it be buried under legal jargon, or in the fine print. It must be readable and easily understood.
There are special consent requirements for certain situations. For example:
Express consent is needed for sensitive information (like location)
Parental consent for children
Cross-border data transfer requires express consent
What does this mean in practice for global brands in China?
Most importantly, the PIPL now means that consent is no longer binary. For example, a user may have consented to marketing, but not to profiling (so no more personalized advertisements for them!). Plus, a brand likely has different consent levels obtained from a single user on different platforms. From WeChat to Tmall to JD, each could be different.
So let's take a common scenario: a brand is holding an event in Shanghai and wants their weekly WeChat Official Account content to promote the event to all their followers in the city. Though this was possible before, it's now not so straightforward. Does the brand have the express consent of each user to market using sensitive information (location)?
Here's where it gets messy. With the PIPL, some historical data will now be under-consented. Sure, a brand may know they have 5K followers in Shanghai, but they likely don’t have the express consent from each one to use that information. This is where de-identification of data comes in (and once the consent is obtained, re-identification of that same data).
Every action conducted by the brand going forward needs to ensure that it’s consent-compliant. Everything related to a transaction, everything related to marketing, and everything related to profiling. Brands need to look at a user’s current consent status across these three attributes to make sure any activity they’re doing is actually compliant.
A consent check must be run against every campaign and every action. And, as mentioned above, different data sources may come in at different consent levels, so data sources dictate consent fragmentation. This is what requires granular access control: a brand must look at the user list and confirm the current consent status, in real time, across everybody before sending out promotional material, re-targeting, or taking other action. Every time a brand runs a campaign, it has to go back and ask, "Okay, who consented to receive re-targeting here?" It changes the whole model.
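As an added illustration (not code from the post or its author), here is a per-campaign consent gate for the Shanghai event scenario above, in Python. The data model, the four consent levels as separate flags, the express-consent and cross-border checks, and the follower records are all assumptions constructed for the example; under-consented users are reduced to an aggregate per-city count, which is the de-identification step the post describes.

```python
from dataclasses import dataclass

# The four consent levels the post describes; each is granted independently.
LEVELS = ("operational", "subscription", "marketing", "profiling")

@dataclass(frozen=True)
class Consent:
    levels: frozenset           # consent levels granted, e.g. {"operational", "marketing"}
    sensitive: frozenset        # sensitive categories with express consent, e.g. {"location"}
    cross_border: bool = False  # express consent to transfer data outside Mainland China

@dataclass(frozen=True)
class Follower:
    user_id: str
    city: str
    consent: Consent

def allowed(c, action, sensitive=(), offshore=False):
    """Consent check for one user: the level is granted, every sensitive category the
    action touches has express consent, and cross-border consent exists if data leaves
    Mainland China (for example to an offshore headquarters)."""
    if action not in LEVELS:
        raise ValueError(f"unknown consent level: {action}")
    return (action in c.levels
            and all(cat in c.sensitive for cat in sensitive)
            and (not offshore or c.cross_border))

def build_audience(followers, action, city, offshore=False):
    """Return (user ids that may be targeted, count of under-consented users per city).
    Targeting by city uses location, a sensitive category, so it needs express consent.
    Everyone else is de-identified to a count, so the brand keeps its "N followers in
    Shanghai" figure without contacting anyone it may not."""
    targeted, under_consented = [], {}
    for f in followers:
        if allowed(f.consent, action, sensitive=("location",), offshore=offshore):
            if f.city == city:
                targeted.append(f.user_id)
        else:
            under_consented[f.city] = under_consented.get(f.city, 0) + 1
    return targeted, under_consented

# Constructed sample followers (hypothetical, not data from the post).
FOLLOWERS = [
    Follower("u1", "Shanghai", Consent(frozenset({"operational", "marketing"}), frozenset({"location"}))),
    Follower("u2", "Shanghai", Consent(frozenset({"operational", "marketing"}), frozenset())),
    Follower("u3", "Shanghai", Consent(frozenset({"operational"}), frozenset({"location"}))),
    Follower("u4", "Beijing", Consent(frozenset(LEVELS), frozenset({"location"}), cross_border=True)),
]

def shanghai_event_audience(offshore=False):
    """The post's scenario: promote a Shanghai event to WeChat followers in the city."""
    return build_audience(FOLLOWERS, "marketing", "Shanghai", offshore=offshore)
```

Run the check with `offshore=True` when the campaign data is processed at headquarters outside Mainland China; a user who gave marketing and location consent but no cross-border consent then drops out of the target list.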
Moreover, it's not as simple as just getting maximum consent from each user. Brands that try to get full express consent, including cross-border, end up with an uptake of about two percent. Ouch. Brands will need to A/B test their consent requests to see which consents people are willing to give. Every software solution that brands use must have consent in mind.
Consent must now be obtained and assessed at a much more granular level, and personal information handlers, especially international brands with offshore headquarters (which raises cross-border issues), must give consent a central role both in their customer interactions and tracking, and in their back-end data handling, ensuring security controls and DSR compliance.