China Imposes New Data Privacy Regulations

The Chinese government in late August passed what many consider to be the strictest data privacy law in the world. The Personal Information Protection Law, which will take effect Nov. 1, requires all organizations to minimize the collection of Chinese citizens' personal data and to obtain prior consent.

The move is significant, considering that China is the world';s second largest economy and many U.S. businesses either already have business arrangements in China or are looking to establish them.

The national privacy law is essentially a stronger version of Europe's General Data Protection Regulation (GDPR), which was enacted across the European Union in 2018.

Consenting to collection of data is at the core of China's legislation, which requires full consumer consent before any data can be collected. Parties gathering data cannot require more information than what is absolutely essential nor refuse products or services if the individual disapproves. The individual whose data is collected can withdraw consent, and death doesn't end the individual's rights. Upon death, the right to control the data passes to the deceased person's family.

Information processors must also take necessary measures to ensure the security of the personal information and set up compliance management systems and internal audits.

And if data flows across borders, the data collectors must establish a specialized agency in China or appoint a representative to be responsible for all aspects of data protection. Storing data overseas does not exempt any organization from compliance.

While significant, the move is part of a larger, worldwide effort to address data concerns.

"China's decision to enforce greater data privacy measures for organizations handling Chinese citizens’ personal data is part of a larger discussion about data privacy happening around the world,"; says Charles Farina, head of innovation at Adswerve, "and though it is being compared to GDPR, China's regulation could be one of the strictest policies in the world. If brands and marketers weren't paying attention to all the new legislation popping up in the U.S. and around the world, they absolutely must do so now, especially since China influences one of the largest markets in the world."

In addition to the GDPR, three U.S. states—California, Colorado, and Virginia—have already enacted their own privacy legislation in absence of a larger U.S. national policy.

Farina and others are urging U.S. companies that operate in or advertise to Chinese citizens to solidify their first-party data strategies now.

But it goes beyond what is being pushed out from Beijing. "Consumers are eager for a more transparent, two-way relationship that benefits both parties, and marketers must take advantage of the third-party data extension to get first-party data right. By doing so transparently, advertisers have the opportunity to develop strong, mutually beneficial relationships with their customers that are based on trust," Farina says.