China’s data protection regime has made significant progress in recent years. The Personal Information Protection Law (个人信息保护法) (the “PIPL”) took effect on November 1, 2021 and is China’s first comprehensive personal information protection law.
The China Personal Information Protection Law establishes the mechanism of personal information protection in China. Other laws and regulations were also established / updated in recent years that aim to address data privacy and personal information as well, including the Civil Code of the People’s Republic of China (民法典) , Cybersecurity Law (网络安全法), Data Security Law (数据安全法), E-commerce Law(电子商务法) and Law of the People’s Republic of China on the Protection of Consumer Rights and Interests(消费者权益保护法).
The regulatory policies in China are tightening when it comes to personal information. Digital advertisers are faced with an impasse when it comes to collecting users’ personal data, especially given the fact that a major driving force behind the rise of the digital advertising industry was historically based on the analysis of the users’ data. Brands and companies need to act one step ahead in this current environment.
What Does China’s PIPL Means for Advertisers
Advertisers need to be keenly aware that Personal Information Protection Law has exterritorial effect, which means that the law will apply to you even if you are located outside of China. Specifically, advertisers outside of China are subject to the PIPL (i) where the purpose is to provide products or services to natural persons inside China; or (ii) where analyzing or assessing activities of natural persons inside China.
Therefore, for advertisers who want to enter the Chinese market or target consumers in China, whether for B2B products or services, cross-border e-commerce, gaming, luxury brands, they need to evaluate carefully whether the processing of personal information during their advertising campaign and their marketing efforts complies with the PIPL.
The definition of personal information and sensitive personal information
According to the PIPL, the definition of “personal information” is broad and expanded upon the prior understanding of such meaning, and refers to various information related to an identified or identifiable natural person recorded electronically or by other means. On the other hand, the previously commonly understand meaning of personal information, which are information related to biometric identification, religious beliefs, specific identities, healthcare, financial account, individual location tracking, etc., as well as personal information of minors under the age of 14, are now newly defined as “sensitive personal information” under the PIPL.
As such, the definition of “personal information” will include personal device tracking identifiers (Device ID) that are commonly used in the programmatic ads industry, including Cookie ID, IMEI, IDFA, IDFV, and users ID registered under different websites and apps. This also means that for such identifiers to be used for advertising and marketing purposes, advertisers will need clear consent from the consumer.
Given the foregoing, practices and decisions of the past may no longer be applicable or suitable under the Personal Information Protection Law. For example, in the “Baidu Cookie Privacy Invasion” case of “Zhu Ye (Appellant) v. Baidu Netcom Science and Technology (Respondent)” a few years ago, the Jiangsu Nanjing Intermediate People’s Court determined that the personalized recommendation services provided by the network provider and with explicit notification to the user did not constitute an infringement to the user’s right of privacy. To the extent such case is brought again today, there may be a different outcome as Cookie ID are now considered to be “personal information”.
It should be noted that an argument can be made whether the information obtained by encrypting the above types of personal device tracking identifiers (such as MD5 encryption) is considered “personal information” or not, as the PIPL provides that “anonymized information” are not “personal information”. However, theoretically speaking, even though encrypted information is irreversible, it is still possible to trace and identify specific natural persons based on such information, and will thus continue to fall under the definition of “personal information”.
“Anonymized information” are information that has undergone anonymization, the process of processing personal information to make it impossible to identify specific natural persons and impossible to restore. So for example if only part of the encrypted identifier (such as the middle 10 digits) is extracted and used as the basis for attribution and targeting in programmatic advertising and is thus impossible to identify back to a specific individual (given there could be many individuals with the same middle 10 digits), it ca be considered as “anonymized information”. However, at the same time, such approach restricts the accuracy of marketing impact analysis and advertising distribution and may limit the effectiveness of certain marketing campaigns.
How Should Marketers Adapt to Changes resulting from the PIPL?
The digital advertising landscape is becoming less precise with a greater focus on protecting personal information and shifting to a cookie-less world. As an advertiser, how do we perform precise and successful marketing campaigns while complying with personal information privacy protection?
First and foremost, it is essential for advertisers to have a clearer concept of data asset boundaries, as well as clear knowledge of the definitions of first, second and third-party data and the rights and responsibilities of utilizing these data.
First-party data is the data that the client / brand collects directly from their users or customers, including: data from the company website, app, or data from users’ behaviors in the mini programs. It also includes offline purchase details, contacts, leads, and other business data. These pieces of information should be stored and processed in a safe and stable data processing system.
Second-party data is data accumulated and gathered from trading desk or media by analyzing individual users’ browsing behaviors and interests, to assist and strengthen the advertisers’ insights to deliver personalized advertisements.
Last but not least, third-party data refers to the aggregated data collected by third-party providers such as DMP or publishers that provide external data exchange. In the process of programmatic advertising, third-party data are often used as a supplement to the first and second-party data to further enrich the advertising inventory and its tagging capability for audience segmentations.
For advertisers, it is necessary to start constructing ground rules.
A legal and reasonable collection of personal information will be the first issue that we need to address. According to the PIPL, consents must be obtained when collecting personal information. To meet the data privacy needs of consumers, advertisers must provide selective choices for users for them to accept or reject the request of data collection, as well as setting a clear guideline for publishing personal information and the withdrawal mechanism.
To adhere to the requirements of the PIPL, it is necessary to set up safety assessment mechanism, personal information protection impact assessment mechanism, and personal information withdrawal mechanism, which consequently might restrict advertisers’ activities of collecting, processing, and transmitting the data while similarly increase the technology associated costs for many of the SMEs. These limitations will undoubtedly hinder data collection processes.
The PIPL is a double-edged sword. It is a requirement, but at the same time, it serves as a threshold. For brands that are able to comply with the relevant requirements when processing personal information and utilize such information in their advertising campaign, they will come out ahead against those competitors that are not able to do so. In other words, the PIPL also serves as an opportunity for brands to further amplify its personalized advertising and retargeting marketing strategies.
For advertising agencies or solution providers, it is thus of the uttermost importance to guide brands and advertisers to thoroughly examine their data strategies and approach. For example, reasonable data review system should be established, data specifications should be standardized, anonymized data processing should be thought through and in place, a data security system should be established, while measures to prevent data breach should be implemented and tested.
When advertisers are handling personal information that involves first, second and third-party data, it is of utmost importance to ensure that these other third parties involved have obtain required consent. Mutual cooperation is needed to ensure that compliance and proper usage of personal information.
Can PIPL be the New Driving Force Innovating the MarTech Industry?
The drive for increased personal information protection is a global one. Many jurisdictions have already established comprehensive regulations, such as GDPR in the European Union and CCPA in California, addressing personal information protection. As a response to such increased regulation and consumers focus on the importance of protecting their own data, technological innovations and changes has also arose that aim to balance personal information protection with personalized advertising.
For example, Google launched “Privacy Sandbox” to introduce a more innovative and private advertising solution. These solutions limit the sharing of user information with third parties and can operate without cross-app identification, and identifiers.
Google shared its three visions about The Privacy Sandbox initiative, aiming to build new technology to keep users’ information private; collaborate with the industry to build new internet privacy protection standards, and last but not least, enable advertisers and developers to keep online content free.
A cookie is a locally stored text file that the webserver can use to determine whether a user is visiting for the first time. However, because of its recording nature, it is also widely utilized by marketing companies and third-party statistics companies to form users’ profiles, and then target these users with personalized advertisements. Of course, Google’s advertising business is also closely related to cookie tracking.
The purpose of the “Privacy Sandbox” is to allow advertisers not to use third-party cookies, and to avoid users being tracked across websites without their acknowledgment, while still allowing advertisers to promote their business and connect with their targeted audiences.
In terms of advertising distribution, Google has introduced two APIs, Topics API and FLEDGE (the exact launch plans of both tools are still unknown so far).
For Topics API, it is a new Privacy Sandbox proposal that analyzes users’ past browsing records to generate interest-based advertising solution.
FLEDGE, on the other hand, is designed to serve remarketing and custom audience use cases, so that it cannot be used by third parties to track user browsing behaviour across sites.
The other example of innovation is Apple’s StoreKit Network and Intelligent Tracking Prevention for advertising attribution, which limits the overall analysis and tracking of individual users to 64 identification codes in terms of app installation and web advertising respectively. It does aggregate attribution analysis on the advertising performance, but cannot specifically track the conversion performance of each user and each advertising event.
In the long run, both Google and Apple, as well as overseas advertisers and service providers, are exploring solutions that could balance both consumers’ privacy protection concern while maintaining ad performances. It is likely that the development of marketing technology in China will follow the same tide.
Furthermore, the trend in advertising has shifted in recent years, with being relevant gradually prioritized over being “precise” or “personalized”. As such, EternityX expects that the future of advertisement distribution will also shift to focus on media content and interest segments. Leveraging on our DMP data, as well as the continued advancement of our delivery algorithm, we aim to further introduce solutions that provide value to advertisers in this changing environment and identify new paths and opportunities.
By understanding the diminishing usage of the unified identifiers and the emerging phenomenon of data silo, EternityX has recently launched its EternityX’s ID Space solution. By collaborating with different brands and with the premises of obtaining the relevant consent and complying with the PIPL, EternityX is integrating first-party data with its proprietary self-learning algorithm to continue the goal of “empowering brands to precisely build rapport with their targeted audience”.
It is true that “privacy computing” is still in its early research stage. We are eagerly monitoring to see how this could be applied in the information authorization use or advertising resource distribution in the advertising industry.
The launch of the PIPL in China stirred up once again the discussion of the future of digital advertising advertising, and it is undoubtedly a hurdle for brands and advertisers to clear. But once the initial shock passes, and advertisers learn to adopt and adjust their strategies in the new and continuously changing environment, there will certainly be a new world of opportunities.
About The Author:
Winmin Tam is the Managing Director of R&D team in EternityX, who leads all the tech projects in EternityX including the hero product EternityX Trading Desk. Tam is passionate about digital marketing technology and has deep understanding on its ecosystems in the China market. He is regularly sharing technology insights on Chinese’s social media platforms including Zhihu and Jianshu.
With 10 years of experiences in digital marketing technology in China market, Tam was previously the Managing Director of Research and Development at BiddingX (Guang Zhou Shunfei Information Technology Ltd.), leading the development of its DSP and increase the system’s ability to handle the increase in daily requests from 100 million to 50 billion. He also previously led the successful development and deployment of customized DMP for China Merchants Bank.