On March 19, 2024, China issued the Regulation on the Implementation of the Law of the PRC on the Protection of Consumer Rights and Interests in an effort to clarify businesses’ responsibilities with respect to consumer data, strengthen online consumer protection, standardize consumers’ claims and complaints, and strengthen protection of consumers’ personal information.
The Regulations clarify that a business may not, directly or indirectly, force consumers to consent to the collection and use of their personal information for purposes that are not related to its business activities, by once-for-all authorization or opt-out authorization.
On March 19, 2024, the State Council of the People’s Republic of China issued the Regulation on the Implementation of the Law of the PRC on the Protection of Consumer Rights and Interests (“Regulations”), which takes effect on July 1, 2024. The Regulations aim to clarify businesses’ responsibilities, strengthen online consumer protection, standardize consumers’ claims and complaints, and strengthen protection of consumers’ personal information.
With the implementation of the Personal Information Protection Law of the PRC (“PIPL”) in 2021, China established a legal framework for personal information protection. Article 23 of the Regulations restates the provisions of the PIPL that require businesses, when acting as personal information handlers, to protect consumers’ personal information, as follows:
Article 6 of the PIPL prohibits the excessive collection of personal information. Similarly, Article 23 of the Regulations states that businesses may not “excessively” collect consumers’ personal information.
Article 5 of the PIPL requires personal information to be handled “when it is necessary, with justified reason, and in good faith” and prohibits handling personal information that involves “misguidance, fraud, coercion, and the like.” In addition, Article 14 of the PIPL requires that the handling of personal information be “voluntary, explicit, and fully informed” if such handling is based on individual consent. Article 23 of the Regulations further clarifies that businesses may not, directly or indirectly, force consumers to consent to the collection and use of personal information for any purposes that are not related to their business activities, whether that consent is given through blanket opt-in authorization or through opt-out authorization, where individuals are deemed to have consented unless they expressly decline consent.
Article 23 of the Regulations also references sensitive personal information (e.g., biometrics, religious belief, specific identity, medical health status, financial accounts, and a person’s whereabouts, as well as the personal information of a minor under the age of 14 years), which is addressed under Article 28 of the PIPL, and requires businesses to handle consumers’ sensitive personal information in accordance with relevant laws and regulations.
Implications for U.S. Higher Education Institutions
As with the PIPL, U.S. higher education institutions that provide products or services in the PRC are subject to the Regulations. In terms of personal information protection, the Regulations largely restate the obligations under the PIPL and do not increase the obligations on personal information handlers. The Regulations’ prohibition of blanket opt-in authorizations for purposes that are not related to a personal information handler’s business activities will not be applicable to U.S. higher education institutions seeking consent for personal information handling that is related to the institutions’ activities. Under the PIPL and the Regulations, a higher education institution may continue to obtain consent for multiple purposes at once, when such consent is related to the institution’s activities, but should continue to seek separate consent when required by the PIPL, such as for cross-border transfer of personal information and the handling of sensitive personal information.
U.S. colleges and universities that are already in compliance with the PIPL therefore should not need to take additional measures in order to comply with the Regulations. It is worth noting, however, that although the Regulations only address certain of a personal information handler’s obligations under the PIPL, U.S. institutions should ensure that they are in compliance with all of the PIPL’s provisions when handling the personal information of persons within the territory of the PRC.