This summer, China implemented the Personal Information Protection Law, its own version of the GDPR. The law requires companies that store personal information have a good purpose to hold the data. The personal data that can be retained is restricted to the extent it is necessary for stated aims for the data collection.

The Personal Information Protection Law also has measures to ensure that personal data transferred outside of China is protected.

Companies storing personal data must conduct regular self-reviews to guarantee that personal data is properly protected.

Data subjects must explicitly agree to have their health, financial, and location data processed. The PIPL also has provisions which allow consumers to reject targeted online ads.

While the law allows companies to conduct their own audits, a regulator can order an audit if complaints are made.