Inside China’s Personal Information Protection Law: how will it impact businesses?

PIPL will likely be a welcome move for consumers in China, as they are not currently presented with a CPRA or GDPR selector for their marketing preferences. At the same time, this allows Beijing to tighten controls on how the country’s big tech uses data and curtail how private data is moved overseas.

Jacob Cooke, co-founder and chief executive officer of WPIC Marketing + Technologies, predicts the law will likely have a significant impact on marketing in China. He says the major e-commerce marketplaces will perhaps need to modify their advertising products that help brands target specific demographics on their platforms.

“These products will likely still exist because many online shoppers want to receive personalized product recommendations based on their shopping history and other personal characteristics,” Cooke explains.

“However, across the entire market, enough consumers will opt out to render these targeting tools somewhat less effective. Moreover, if brands have less information about their customers, it will make retargeting more difficult. Overall, once the law is enacted, brands will need to be creative in how they reach their target audiences.”

However, Humphrey Ho, managing director at Hylink Digital, points out before the passing of PIPL, some apps were collecting over 100 points of data from a user, when clearly they had no need.

Therefore, he stresses this does not impact advertising in China as much as one might think, as it merely protects the consumer by providing them with choices regarding the collection of their data and gives consumers options as they touch multiple apps on mobile devices.

“Advertisers are capable of gathering multiple data points, as well as a user’s consumer journey and, in China, the consumer journey is more valuable. PIPL was the first step to improving Chinese consumer privacy – with the recently-removed link-blocking between rival tech companies to the consumer’s journey across multiple apps in different walled gardens, this is seen as more valuable than an individual advertising opportunity within a particular app or a particular website,” explains Ho.

“This also paves the way for the China Advertiser ID (CAID) that was announced back in 2019, of which Hylink is a founding member. Furthermore, it helps aid decision paralysis for many marketers and brands, who are suffering from data-analysis overload due to the over-collection of publisher data at the moment in China, and has created a lot of unnecessary data crunching.

“Now if the consumer chooses to share their consumer journey with you, and with the removal of link-blocking, we will see better marketing decisions from advertisers in China. This will not likely impact advertising prices, given that the removal of data collection points does not impact inventory. It might do for some of these apps to reduce the number of unique in-app resources (aggregate source), for example open-screen custom targeting or custom message targeting, but we don’t see that to be a problem for advertisers.”

Accessing sensitive types of data

The new law also places requirements on data processors to obtain consent from individuals to be able to process sensitive types of data, such as biometrics, medical and health data, financial information and location data.

Laura Quigley, senior vice-president for Asia Pacific at Integral Ad Science, notes marketers everywhere, including in China, will need to be very clear about how consumer data is used, shared and stored, as well as with whom and for what purposes.

“It is a new era of transparency that gives people more control to build trust. It makes sense for marketers to request permission upfront from consumers regarding their data,” she says.

Ho explains while China has always led the way in terms of biometric, face, fingerprint and multi-factor authentication, biometric data currently resides with publishers and individual app owners or media platforms.

This creates a security risk for the consumer, whereby due to the proliferation of biometric payment points online and offline, over-collection can be an issue, he warns.

For example, what if the biometric data was intercepted? What if someone attempts to circumvent? Media publishers are by no means uniform in their security practices or cyber security practices. Furthermore once biometric verification is put in place multi-factor authentication becomes less secure.

“Limiting it to transactions such as banking or buying things in-app or to potentially your mobile and standard biometric verification such as a fingerprint is better than the over-collection some apps require (such as in gaming or small purchases). Health records and medical records should also reside with you and your doctor and/or your medical provider,” says Ho.

“Personal medical data is frequently shared on social media apps given the lowered security awareness of the average user in China. This would be a positive step in ensuring that medical and health-based applications, vendors and providers follow standard rules on collection similar to how they are with Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules in the US or abroad.”

New regulatory requirements for foreign businesses

Foreign companies will now face regulatory requirements such as the need to assign local representatives and report to supervisory agencies in China because of the new law.

Greg Paull, co-founder and principal at R3, says marketers and agencies should already have this in their line of sight as data privacy is a global issue.

“Being ready to correctly use data on a domestic scale in any country should be best practice for companies looking to expand,” he adds.

While regulatory requirements will impact growth brands and cross-border brands that have recently expanded into China, Ho notes that brands in the country for many years most likely have a Chinese joint venture, a Chinese board of directors and a Chinese legal representative. This means they will most likely not have any issues.

However, he says cross-border e-commerce, fashion and luxury, beauty brands, startups or direct-to-consumer (D2C) brands are likely to be affected as their presence in China is relatively thin.

This is because one of the regulatory requirements requires foreign businesses to have a Chinese agent, and a local Chinese advertising agency or sales distributor can act as their agent and representative.

“Every foreign business needs to remember three things because of PIPL. The first is to have your servers and your data in China, and not have it cross borders. Secondly, when doing any form of campaign reporting or user data analytics such as sales data, consumer behavior and consumer journeys, do conduct that with vendors that have platforms and or services located inside mainland China,” explains Ho.

“If the company is headquartered in APAC, regional or has global offices located outside of China, do remember to have facilities such as VPN or virtual machines available to individuals outside of China to conduct any form of user data analytics, campaign performance, reporting or exporting.

“This will ensure that the data does not leave mainland China. PIPL’s main concern is that excessive amounts of data from the simplest things such as an IP address, user’s hardware ID, biometric or fingerprint data are zipping around outside mainland China. This is not unlike other countries; the US has laws that limit data being shared outside of the country, i.e. General Data Protection Regulation (GDPR). Start working on that PII handbook.”

How does PIPL impact China’s big tech?

For a very long time, big tech firms in China including Alibaba, Tencent, Baidu and Xiaomi have overreached in data collection of Chinese consumers and unregulated the over-collection of data.

Similar to how Facebook is in support of updated regulations regarding user security and safety, PIPL will ultimately form uniform advertiser ID (CAID), data-collection and data-sharing rules around tech companies in China, which lag behind their US counterparts when it comes to self-regulation around data privacy and user rights.

“Given that PIPL also limits data from traversing outside of China, it will create new opportunities for the Chinese tech sector that previously did not exist. For example, in China, data analytics and consumer reporting have been fragmented due to link-blocking and are not as robust or accessible as what we see in the US or Europe. This is the result of the entire sector being governed by mostly large and monolithic players that formed data partnerships with select marketers or brands, and did not do so uniformly,” explains Ho.

“Therefore, the new regulations will also create more competition in the data analytics and processing space such as data onboarders, CRM solutions and CDP/DMP offerings, because more firms will be interested in helping to develop data processing, data privacy and onboarding hashed data. This is exactly what happened after GDPR became a global regulation when a watershed industry of data processing and analytics firms came of age.

“This is also a win for the tech sector because this level of governance creates data transparency that marketers have always wanted. It also helps marketers avoid the excessive amount of non-compliance resulting from an excessive amount of mobile data collection.”

Overall, Paull says the new rules will impact all industries, as even the automotive sector, which is regarded as retailing high-value durable goods, is not exempt. Under PIPL, automotive brands are not allowed to track a consumer’s address or purchasing, loan or financing data.

“This will be challenging when it comes to determining media placements and leveraging CRM databases. Marketers are just going to have to build on private traffic to build their first-party data pools to better inform decision-making.”

Will PIPL have an impact outside of China?

Out of all the privacy laws around the world, China’s new regulation most closely resembles GDPR in terms of scope and basic definitions.

Quigley notes both PIPL and GDPR are extraterritorial, and just as GDPR applies to any company that handles the data of EU residents, PIPL applies to any company that processes the personal data of Chinese citizens, regardless of whether that happens in China or outside the country.

Unlike the California Consumer Privacy Act of 2018 (CCPA), which draws a somewhat confusing distinction between third parties and so-called service providers, PIPL relies on the more familiar concepts of data controllers and data processors. In addition, just like under GDPR, PIPL gives individuals the right to access, request, correct, delete, transfer and restrict the collection and use of their data.

“However, there are a few big differences between PIPL and the GDPR. The first is PIPL’s requirement that any company located outside China involved in processing the personal information of Chinese citizens designate a dedicated in-country representative to support compliance. PIPL also diverges from GDPR through its lack of the concept of legitimate interest,” explains Quigley.

“Under GDPR, legitimate interest allows companies, in certain cases, to process personal data without consent as long as it’s collected legally and there’s a justifiable reason for its use. The absence of legitimate interest makes PIPL even more strict in some regards than GDPR.”

Ultimately, Cooke says the PIPL goes beyond GDPR in terms of empowering people to protect their privacy.

“I think China has set a new model for data policy, which other countries may look to emulate,” he says.