China’s new personal data privacy law - Revinate

China’s new personal data privacy law

A new law has been passed by China’s National People’s Congress regarding user data privacy. The law, called the Personal Information Protection Law (PIPL), will be implemented starting November 1st, 2021 without a transition period. 

The law pertains to the data of Chinese citizens with its core requirements closely resembling those of the General Data Protection Regulation (GDPR) that was passed into European Union Law a few years ago. Much like GDPR, this new law is designed to give citizens enhanced rights over the use of their personal data, calling for user consent and data protection requirements.  

Specifically, the law requires not just consent from contacts in order to collect and use data, but also an easy mechanism for them to retract consent and refuse automated decision making. The rules extend from the collection of traditional contact information to cookie tracking and require active consent across the board. 

Sanctions for violations are serious with fines of up to 5% of the last year’s turnover of the company or up to 50 million RMB (the higher of the two will be selected). 

What this means for hoteliers: 

This law is a continuation of the growing global concern regarding data privacy and protection and it is said that we can expect more compliance requirements down the road for companies within China. While the timeline does not provide for a long transition period, the good news is that the requirements of the legislation follow the same general trends of other data privacy laws that are already in existence and have become standard practice. 

If you have personal data from Chinese citizens, these new requirements apply to your hotel(s). 

As you review the new requirements, there are three roles that are assigned data management responsibility and it’s important to understand the definition of each: 

  1. Data controller: The entity that determines the purpose and method of processing personal data → This is the hotel, group, or brand. 
  2. Data processor: The entity that processes personal data on behalf of the data controller. Often vendors and contractors for hotels → This is where Revinate and other platforms come into play
  3. Data subprocessor: The entity that processes personal data on behalf of the processor in order for them to complete their work → In Revinate’s case, this is SendGrid

For hotel marketers, a big portion of aligning to this new law means prioritizing 3 categories of consent and ensuring you employ data platforms that support them:

  1. Opt-in: When you collect data, ensure that your processes include opportunities for contacts to actively opt-in to the collection of the data and, specifically, the ways in which you intend to use it. Individuals must have clarity into why they need to submit data and what they can expect in return. Your hotel should keep proof of how, when, and what your travelers are opting into to prevent any issues here. Leveraging a double opt-in via email confirmation is a trusted and proven method for capturing proof of consent. You can read more about Revinate’s double opt-in automation functionality here

While ensuring opt-ins exist at all collection points may raise concerns about limiting your data collection, the reality is that the quality and engagement of your list far outweighs the size of it so regardless of data protection laws, there is more value to you in setting expectations with your contacts upfront to ensure they are receptive to your marketing efforts that follow. 

  • Access: The data you collect needs to be accessible to your contacts by request. They must be able to view, update, restrict or remove their data so having a process for your contacts to make these requests and ensuring you can act on them wherever your data is stored is important going forward. 

As a Revinate user, you can export and download your guest data from within the Marketing application. 

  1. Erasure: All contacts should have a clear and simple way to request any and/or all of their data be removed from campaigns and also from the database entirely. In this scenario, data must be removed from all systems and at all of the data processor levels (including processor and subprocessor systems).

As a Revinate user, you can easily remove contact data from within the Marketing application. 

Outside of ensuring you have the proper levels of consent baked into your contact collection processes, we recommend: 

  1. Reviewing and updating your privacy policy
  2. Ensure you have proof of consent for all Chinese residents or citizens

You can do so by identifying these contacts and delivering an updated double opt-in campaign to them. Or delivering a double opt-in campaign to all contacts that have not previously completed the process. Within this campaign we recommend you: 

  • Include your privacy policy
  • Clearly communicate that you are requesting their consent, what data you have, and what the data will be used for
  • Feature a clear unsubscribe link
  • Feature an offer so there is added value for contacts to subscribe

Within Revinate, you can leverage our qualification campaigns to build out your double opt-in campaign, build a custom double opt-in landing page, and automate the process on your behalf. As a result, you will have a double opt-in segment created within your account so that you can identify contacts who have completed your double opt-in consent process. Read more about qualification campaigns here

In addition to running a double opt-in campaign, you should ensure that your confirmation, modification, and cancelation emails include an opt-in message and subscription link as well as links to unsubscribe from further communications. 

Privacy Changes Moving Forward

Revinate takes privacy seriously and will continue to take steps to ensure the privacy of personal data that we handle. Although the main focus of PIPL is to protect PII of Chinese citizens, we will continue to ensure our efforts are spent protecting PII of all citizens (just as we have following the release of GDPR regulations).

There are still aspects of this change that are not yet fully understood. As regulations and technology changes continue to raise the bar on privacy, marketers will have to evolve. And as these and other privacy changes continue to shape how you interact with guests and prospects, Revinate will continue to focus on solutions to respond effectively and enable you to continue to create effective, relevant, and personalized marketing communications.