What China’s New Data Privacy Laws Means for Marketers

China’s new data privacy law, the Personal Information Protection Law (PIPL), went into effect on November 1. Penalties for noncompliance are steep: fines of more than $7 million or up to 5% of a company’s revenue, the loss of business licenses, and even demands to close a business entirely.

PIPL is part of a larger trend toward data regulation, joining other data protection laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) recently implemented by countries or regions around the world. Additional data privacy laws are proceeding towards full enactment in other countries, including Brazil and India.

All of these laws make companies that store and manage customer data on SaaS platforms such as Salesforce responsible for complying with the laws, otherwise they face stiff penalties or must cease operations in regulated countries.

PIPL, in particular, was modeled after GDPR, and, generally speaking, regulates companies’ use of consumers’ personal information to market to them and prevents moving this information outside of China to countries that may have a lower standard of protection for personal data.

Marketing Technology News: DoubleYard and Laserfiche Partner to Provide AI OCR Technology for Both Digital Print and Handwritten Content

Specific requirements for PIPL

Specifically, PIPL has the following effects on marketers:

• Applies to data processing activities outside of China: Like GDPR, PIPL applies to the processing outside of China of personal information of persons residing in China where the information is used to market to people inside China or to assess or analyze the behavior of Chinese residents. It’s not necessary to have a physical presence inside China for the law to apply.
• Requires consumer consent: Consumers must consent for their data to be collected and used by a company and can rescind that consent at any time. There are a few exceptions where consent is not required, but they’re fairly limited. And if a company wants to transmit consumer information to another company, that requires additional, separate consent.Sensitive personal information such as medical health data, financial details and religious beliefs requires special handling. The company has to notify the consumer, specifically, and get their consent — for this special category of data, there are no exceptions.
• Mandates transparency in data collection: When collecting data from consumers, they must inform the consumer why they’re doing so and how it will be used. Companies don’t have carte blanche to collect data “just because” or to retain it indefinitely. PIPL requires organizations to delete consumer data once the original purpose has been accomplished or determined to be impossible to achieve.
• Requires secure handling of data: Organizations handling consumer data must have internal management protocols and procedures specific to securing it through encryption, de-identification and other measures. They must also have regular training of employees around secure handling of data
• Restricts automated decision-making: Consumers can refuse automated decision-making with their data, though it’s still unclear exactly what this expansive rule would cover. Most likely, it will apply to financial decisions around credit, as well as targeted advertising and custom pricing, but we won’t know for sure until additional regulations clarify it.
• Prohibits unreasonable price differentiation based on user data: Certainly, if the data indicate that a customer is a bigger risk for, say, an insurance product, the carrier could charge more. But a carrier couldn’t charge more simply because users’ financial data shows that they make more money than another customer.
• Limits data storage of consumer information to China: Consumer data cannot be transferred outside of China if the volume of data surpasses a certain threshold; In addition, the company needs to get a separate consent and go  through a security assessment from the Chinese government.

SaaS challenges

PIPL and laws like it pose some specific challenges for companies who manage and store consumer data in SaaS platforms such as Salesforce. Most of these platforms operate under a shared responsibility model, which means that the SaaS provider ensures the platform is available, stable and secure, but customers are responsible for protecting and managing their data. So, for instance, Salesforce customers who do business with customers in China are responsible for complying with PIPL. The regulations affect the companies who use these SaaS platforms, not the SaaS provider.

PIPL did not give companies much time to bring their data into compliance. Passed on August 20, 2021, it came into force less than three months later. Thankfully, because PIPL was modeled after GDPR, marketers can apply much of the same governance they used for GDPR for PIPL. But the residency requirements are a different kind of hurdle. To bring SaaS data into compliance quickly, companies can take advantage of residency-as-a-service (RaaS) solutions.

RaaS is designed and built to solve data residency problems without creating a major disruption to business operations. It enables organizations to preserve a global operating model without risking non-compliance. As noted above, in China, different regulations apply to different types of data. For example, data labeled as important to “Critical Information Infrastructure” — meaning it impacts important systems such as energy, transportation, and finance — is required to stay in China. To accomplish this, organizations must have the capability to understand, map, and classify data.

With RaaS, classified data can be stored and processed locally, while keeping all other data centralized and delivering a seamless experience to end users. Users can typically choose from several different levels of data residency, from replicating data to a local data center to limiting all storage and processing to a single nation. And as new data regulations come online in major international markets, this flexibility will be essential.

PIPL doesn’t have to become a barrier to doing business in the world’s largest emerging market. RaaS can play a large role in easing the burden of compliance.

Marketing Technology News: MarTech Interview with Amy Heidersbach, CMO at Persado