China has passed a new data protection law, according to the country’s . The newly enacted (PIPL) lays out a comprehensive set of rules around how companies collect, process and protect user data. Like GDPR, the law enshrines data minimization, the practice of limiting data collection to only the information needed for a specific purpose. It also mandates companies give users control over how their personal information is used. For instance, they’re allowed to opt out of targeted advertising.
Per , another requirement put forward by PIPL is that companies designate someone who is personally responsible for user data protection. Platforms must also submit themselves to periodic audits to ensure compliance. Any foreign company operating in the country that handles the data of Chinese citizens must comply with those same rules, making the law extraterritorial in much the same way that GDPR is.
PIPL comes as China has worked to rein in its tech giants. The company recently sued Tencent over WeChat’s “youth mode,” alleging the feature violates laws protecting children. What’s more, the country recently aimed at companies like Alibaba, Didi and Tencent. PIPL is slated to go into effect on November 1st.