On Aug. 20, 2021, China passed the Personal Information Protection Law (PIPL), its latest data privacy regulation. It goes into effect on Nov. 1 and follows the Data Security Law (DSL), passed in June, as the nation expands its cybersecurity legislation.
As with other international data laws, like Europe’s General Data Protection Regulation (GDPR), the PIPL will reach beyond its country’s borders. While the U.S. has no comprehensive national cybersecurity legislation, these international regulations often apply to U.S. companies anyway.
With that in mind, here’s an overview of what the PIPL entails and how it might affect businesses in the U.S.
What the PIPL Covers
The PIPL is chiefly concerned with protecting the personal information of internet users in China. It requires organizations to have a “clear and reasonable” purpose to collect user data, and the way they process that information should directly relate to that purpose. Similarly, businesses should collect only as much data as necessary for these goals.
The PIPL also requires that personal information handlers (PIHs) inform users of what data they collect and gain their consent before processing it. This is similar to Virginia’s Consumer Data Protection Act, which gives people the right to opt out of some data processing. Like that law, the PIPL also lets consumers withdraw their consent.
PIHs also need to establish sufficient cybersecurity measures to protect the data they collect. What those protections should look like is unclear, but the law mentions technological solutions, handling policies and risk assessments.
How the PIPL Affects U.S. Companies
The PIPL has a lot in common with the GDPR, and that includes its extra-territorial jurisdiction. Just as the GDPR affects foreign companies with European customers, the PIPL applies to organizations outside China if they deal with Chinese data.
Any personal data processing activities that happen within China, regardless of the entity’s national origins, are subject to the PIPL. Processing that happens outside China’s borders may still fall under the PIPL, depending on the data involved and how it is used. The PIPL applies to these PIHs outside of China if:
- The PIH is handling the personal information of people within China
- The PIH is processing this data to provide products or services to people in China
- The PIH is analyzing or assessing the activities of people in China or “other circumstances provided by laws or administrative regulations”
Many U.S. companies may fall under those categories. For example, an American business analyzing Chinese citizens’ online history to personalize marketing materials must comply with the PIPL.
How U.S. Businesses Should Respond
U.S. businesses should start preparing for the PIPL since it will apply to many of them. Thankfully, this law’s similarities with the GDPR and similar regulations mean some companies may not have to do much to ensure compliance. Those that are GDPR-compliant may already have the required systems in place.
Setting up systems to inform Chinese users about what data PIHs collect and offering opt-out options is one of the most crucial steps. Some organizations may also have to amend how much information they collect to only process the minimum necessary.
There is some room for interpretation around the required data protection measures. Businesses should follow best industry practices since the law is relatively open about its technological requirements. Existing standards like the NIST Cybersecurity Framework can provide a helpful starting point, and companies can then add additional measures as necessary.
Fines for PIPL violations can surpass $7 million, so businesses shouldn’t take any risks in this area. If there’s a chance organizations may fall under the PIPL, they should take steps to comply with it, just in case.
Data Privacy Regulations Are Growing
The PIPL is the latest example of a growing trend of data privacy laws. Companies must pay attention to collecting and using customer data as these regulations become more common across different nations. Even if they’re compliant with one, they may fall short in another.
If companies implement best industry practices in cybersecurity, they shouldn’t have trouble complying with these regulations. Better privacy controls will protect customers and keep businesses in good legal standing.