China’s new law protecting online user data privacy took effect on Monday. The law was passed by the National People’s Congress, China’s legislative body, in mid-August.
The new law, called the Personal Protection Information Law, carries the strongest consumer protection requirements globally to date. Fines can reach 50 million Chinese yuan (about 7.8 million U.S. dollars) or 5 percent of a violating company’s annual revenue.
The law requires companies to allow users who receive targeted advertising to opt out. Moreover, companies are required to obtain consent from users before collecting personal information. A company must also notify users when it seeks to share their personal data with other companies. Those third-party companies must also receive explicit consent from the user.
The new law defines personal information broadly, including biometric and location data. Biometric data, including facial recognition, has also been the subject of regulation by the Supreme People’s Court, which recently ruled that individuals have the right to opt out of facial recognition technology and companies must receive consent before collecting such data.
Beyond consumer protection, the law also creates new requirements for businesses operating in China. Personal information must be stored on servers physically located within China. This is an extension of China’s 2019 data security law, which mandated that other forms of company information be stored in China. Cross-border data transmission will require both governmental approval and user approval.