On November 1, 2021, China’s first comprehensive privacy law—the PIPL (Personal Information Protection Law)—went into effect. Chinese users account for nearly one-fifth of internet users around the world. Even if you have no Chinese customers, any personal info you have on any Chinese user visiting your website falls under the PIPL.

What Does the PIPL Say?

The PIPL draws visible inspiration from multiple privacy laws around the world, especially the GDPR. Several principles outlined in the PIPL include:

• Businesses must have a clearly defined, rational purpose for collecting and processing personal data.
• Specific conditions, especially individual consent, must be met before companies can collect and process personal data.
• Businesses must appoint a specific person to manage data collection and processing.
• All personal information collected must be processed as minimally as possible for the business’s purposes.
• Sensitive personal information such as financial or health data requires explicit customer consent.
• Businesses subject to the PIPL must conduct regular privacy audits and risk assessments.
• Businesses that violate the PIPL may be subject to a suspension of services or fines of up to 5% of the previous year’s revenue.
• While not explicitly stated, the PIPL’s requirements for informed customer consent mean that any businesses with Chinese customers must provide a Chinese translation of their data usage and privacy policies.

For a more in-depth look at China’s privacy law, check out this unofficial English translation of the PIPL here. The original Chinese text can be viewed here.

Extent of China’s Privacy Law

Like most privacy laws, the PIPL covers any user who has provided data to a business, whether they’ve made a purchase or not. This means you could be subject to the PIPL even if you don’t strictly have any Chinese customers. Their data is still protected. And you still have to ensure they can read and understand your data policies before consenting.

Keeping Up with New Privacy Laws

China’s new data privacy law bears several similarities to the GDPR. However, it’s also different enough that business owners can’t afford to disregard it. And when privacy laws overlap, it can be tricky to remember which portions don’t overlap and what regions of the world these unique requirements cover.

We have a solution: 4Comply! Its user-friendly system allows your privacy team to easily track every legal requirement you have to follow. Businesses newly subject to the PIPL will find this especially useful. Contact us today for a free demo.