China has released a national standard on notice and consent regarding the processing of personal information. This article provides a summary of the standard which took effect from 1 December 2023.
The standard divides the consent methods into general notification, enhanced notification, and prompt notification and defines their respective characteristics and usage modes. According to the characteristics and steps of consent implementation, this standard distinguishes the concepts of express consent, sole consent, written consent, single consent, refusal of consent, withdrawal of consent, and retention of consent evidence, providing rich ideas for the formulation of consent implementation plans in different scenarios.
The data subject’s consent is considered to be required for the processing of personal information under the PIPL. However, consent is not the only ground for data processing under the PIPL. Other grounds of data processing include the following:
- Processing necessary for the conclusion and performance of the contract;
- Processing necessary to perform statutory duties or obligations;
- Processing necessary to respond to public health emergencies or emergencies;
- Processing to conduct news reporting, public opinion supervision, etc;
- Process disclosed information within a reasonable range;
- Other situations stipulated by laws and regulations.
All of the above grounds of data processing have certain requirements that the organizations must take into account. If consent is relied upon as a lawful ground of data processing, adequate notification must be provided to the data subject before or at the time of collection, processing, and disclosure of personal information. The notification must ensure the following basic principles:
- The notification must inform data subjects of the type of personal data being processed, the purpose of data processing, and the methods and security measures being implemented for the protection of personal data. The notification must be clear, authentic, and aligned with the actual business purpose.
- Various interfaces and mediums can be used for notification to ensure the individual is fully informed, for example, interactive interfaces, emails, phone calls, or text messages. The standard encourages the use of adaptive media and user interfaces (font color, font size, additional vibration, and voice prompts) that are adaptively designed to keep in view the interests and rights of individuals. Notification can be in the form of data protection policies, pop-up prompts, or text descriptions.
- While obtaining the data subject’s consent, default checkboxes are not permitted in order to ensure the data subject’s consent is freely given.
- The notification must be provided in an easy-to-understand language. The language of the notification must be standardized Chinese characters if services or products are provided to Chinese domestic individuals. In the case otherwise, the notification must be in a language that the individual can understand. In all cases, general and broad expressions must be avoided.
- The scope of consent should not exceed the content of the notification.
The standard has clarified that notification provided to the data subject can be of three types: general notification, enhanced notification, and instant reminders, each with its features and requirements.
- The personal information protection policy is considered to be a general notification, and it can be issued in the form of an announcement if the cost of informing individuals one by one is too high or there are obvious difficulties. However, the standard has encouraged the use of interactive interfaces to display the personal information protection policy.
- The general notification method is usually used when collecting an individual's personal information for the first time - for example, by formulating and publishing a personal information protection policy and other mechanisms.
While the general notification requires individuals to check and click certain links or buttons to read, an enhanced notification, on the other hand, uses pop-up windows or other special interfaces to directly deliver the information to individuals so that the information cannot be bypassed by the individual. This includes pop-up windows, floating windows or floating layers, status bar prompts or prompt boxes, prompt sounds, or short messages. The enhanced notification generally requires the individual to make a decision (e.g. to agree or disagree) or take specific steps.
The standard has clarified that the language of the enhanced notification must be concise and precise as well as easy to read. For processing activities that may have a significant impact on the personal rights and interests of individuals, phone calls and voice prompts can be used in order to ensure that the content of the notification is delivered to relevant individuals. Instant reminders are also a kind of enhanced notification - their main function is to timely and effectively communicate the content of the notification to the individual. Instant reminders must be concise and clear and not be misleading or biased.
If the processing of data involves special circumstances such as cessation of operation of certain types of business functions or cessation of operation of products or services, mergers, divisions, dissolutions, declarations of bankruptcy, etc, enhanced notification methods must be used such as emails, text messages, and site messages to ensure that individuals can check the notification content at any time.
Enhanced notifications may be used before the basic business functions of the product or service are launched (such as personal initial installation, first use, account registration, etc). If you only display the personal information protection policy and other rules in the form of links, you can take the initiative to inform individuals of the key rules through enhanced notification methods.
Instant reminders play a pivotal role in improving individuals' understanding of the purposes behind collecting personal information and fostering a clear understanding during their use of products or services.
- Instant reminders are employed in the processing of personal information.
- The content of these reminders should be both concise and clear. The method of reminder should be flexibly chosen based on the characteristics of the product or service. Options include pop-up windows, floating layers, text descriptions, status bar prompts, prompt bars, prompt boxes, prompt sounds, short messages, etc.
- The primary function of instant reminders is to promptly and effectively communicate notification content to individuals and help them understand the personal information processing rules.
- Instant reminders must be based on the protection of personal rights and interests. The content of these reminders should not be misleading or biased.
Content of Notification
While collecting personal information from data subjects, the content of the notification must ensure the following:
- Identity and contact information;
- Processing purpose and method of personal information;
- Types of personal information processed;
- Storage period;
- Security measures and other rules;
- Individual rights and exercise methods and procedures, channels and mechanisms for handling personal inquiries and complaints, etc.
The personal information protection policy must describe personal data processing as comprehensively and clearly as possible, and the following content can also be considered using general notification methods:
- The types of personal information that may be collected by all business functions within the service can be categorized and described in accordance with the instructions provided for the collection of personal information in the standard.
- Differentiate the different business functions provided by products or services.
- Clarify the basic business functions, explaining the personal information collected by each business function.
- Disclose the type of personal information involved in the processing or explain the purpose and method of processing each type of personal information one by one.
- If processing involves automatic collection of personal information, explain the method, timing, and frequency of automatic collection of personal information.
- If the collected PI involves sensitive personal information, explain the necessity of processing sensitive PI and the protection of personal rights and interests.
- When collecting PI involving cookies and other similar technologies: a brief description of the relevant mechanism, the purpose of collecting PI, types, and methods of rejecting or clearing records.
- When two entities are jointly processing PI, explain their respective responsibilities and obligations.
- When using embedded third-party cookies and plug-ins (such as SDK, etc) to collect PI, explain the identity of the third party, the collected PI, the type, purpose, method, etc. of collection of information.
- Providers of third-party codes and plug-ins need to actively disclose the specific types of PI collected and processing rules to entities processing personal information to avoid any lapses in notification.
- Describe rules on how to delete or anonymize PI when the retention period expires, when certain types of business functions are stopped, or when products or services are stopped.
- Describe the realization mechanism of individual rights, step by step, from the perspective of personal operation.
- Explain the basic principles of automated decision-making and the significant impact on personal rights and interests.
- Provide information on the transfer/disclosure/recording of personal information.
- Specify rules for minors under the age of 14 - if the business products/services are mainly for minors - it is necessary to formulate a special policy for the protection of the personal information of minors.
- Describe the method and path for individuals to review the general notification content again.
- If the product or service involves the specific circumstances of exemption from obtaining consent, it can be explained.
- Clearly indicate the types of personal information that must be collected in order to perform statutory duties or obligations, respond to public health emergencies, comply with laws and regulations, etc.
Choice of Consent Mechanism
The standard also explains the various facets of the consent mechanism: express consent, presumed consent, withdrawal dynamics, retention of evidence of consent, and other pivotal elements for the processing of personal information.
When seeking consent for personal information processing, it is crucial to prioritize express consent. This entails individuals independently providing specific, clear, and definite expressions of willingness. It is essential that they understand the purpose of collection and related processing rules, thus eliminating the potential of passive acceptance. The consent collection method should not lead individuals to overlook concerns about how their personal information is handled. This can be achieved through various methods including but not limited to:
- Users actively engage with interfaces, clicking buttons like "Agree" or "Continue."
- Consent is expressed through actively filling in or uploading personal information.
- Enabling APIs, permissions, or sensors that collect personal data.
- Traditional consent collection through written statements, either on paper or electronically.
- Consent is confirmed through actions like fingerprint scanning or facial recognition.
- Individuals express consent by actively responding to emails or messages.
- Consent is signified through electronic signatures.
- Consent is obtained through recorded phone calls or video recordings.
Other Consents: Presumed Agreement under Specific Conditions
When obtaining express consent is challenging, certain conditions, if met at the same time, allow for presumed consent:
- There are significant difficulties in obtaining explicit consent, for example, in case of limited network conditions, or the display interface or channel of the product or service and the way of personal feedback are limited, or challenges in interacting with individuals with different physical functions.
- When refusal may seriously impact the security of personal use of products or services (account security, property security, etc.), legal rights, or public interests.
- The personal information protection impact assessment confirms that the processing of personal information will not adversely affect the rights and interests of individuals.
- Individuals are notified of personal information handling rules in an adequate manner.
- Presumed consent does not impede the individual's right to withdraw consent.
Implementation of Consent: Key Steps
- Clearly define all activities requiring the obligation of disclosure.
- Clarify which activities necessitate obtaining personal consent and design plans for obtaining express consent aligned with the mechanism proposed earlier under express consent.
- Ensure compliance with conditions for presumed consent and the results of personal information protection impact assessments have been retained during the processing of personal information.
- Seek individual consent on the same page displaying notification content, avoiding confusion.
- When displaying all personal information processing rules in general notices such as personal information protection policies, clearly explain in prominent ways (pop-up prompts, independent paragraph) that agreeing to the personal information protection policies does not mean all relevant information listed in the policy will be collected at once. Instead, only the necessary personal information required for a specific business function will be collected when individuals actively use that particular service or feature.
- Clearly differentiate consent to personal information processing rules from other matters, such as general terms of service, to avoid confusion.
- Identify the specific types of personal information needed for various processing purposes or business functions and obtain consent gradually to protect the individual's right to express their wishes independently.
- Entities processing personal information must differentiate between information collected for business functions or other specific purposes and that collected for enhancing service quality, user experience, security, and product/service improvement.
- Ensure that refusal or withdrawal of consent does not adversely affect other business functions/services offered to individuals beyond the scope of consent.
- When crafting consent implementation plans, processing entities must thoroughly assess the system architecture design. This involves aligning it with relevant national standards and employing methods like personal information security engineering.
- For personal information processing with a lasting impact on rights or extended privacy concerns, adopt a strategic approach. Limit consent to a specific timeframe or scope, requiring renewal if exceeded. Failure to secure renewed consent should promptly halt processing.
General Implementation Points
For specific personal information processing outlined by laws or with a notable impact on individual rights, entities processing data must fulfill notification obligations and secure individual consent. Granular consent is an enhanced method, and its implementation requires attention to these specific points.
- Entities processing personal data must remain cognizant of which processing activities are required legally or which have a significant impact on individual rights. A continually updated list, based on laws, regulations, and processing activities, serves as a dynamic guide.
- Prior to securing separate consent, processors must communicate circumstances necessitating separate consent through enhanced notifications, ensuring comprehensive understanding. Complex processing rules may warrant specific formulations tailored to the case at hand.
- Entities processing personal information should seek express consent when collecting individual consent.
- Choosing a user-friendly approach, design implementation plans aligned with product or service characteristics, user habits, and privacy preferences. Whether through interactive interfaces or separate pages, the goal is to secure express consent.
- Consent activities must be focused on specific purposes or business functions, avoiding bundling with unrelated consent items. To ensure clarity, entities processing personal data should steer clear of obtaining blanket consent.
- Crucially, if an individual refuses separate consent or withdraws it, the impact should be confined to the business function targeted by the consent. Other functions should remain unaffected unless they pertain to the basic functions of the product or service.
Handling of Sensitive Personal Information
- Unless specified by laws, when handling sensitive personal information, individuals must be informed about the purpose and method. It's crucial to notify them of the necessity and impact on their rights, obtaining their consent before processing.
- To obtain consent for sensitive personal information like religious beliefs and specific identities, individuals must actively select options. An independent interface can be used, and individuals should be notified in a distinct area of the interface. They need to click or check as an affirmative action, indicating their willingness to consent.
- For sensitive information requiring active input, an independent interface can be set up, supporting affirmative actions like clicking or checking for express consent.
- If multiple pieces of sensitive personal information are processed simultaneously for a specific purpose, the entity processing personal data can notify and obtain individual consent at once.
- When dealing with minors under the age of 14, entities processing personal information must ensure that the guardians’ separate consent is collected, ensuring clarity through enhanced notifications. Age verification should be reasonable, and the collection of personal information should be minimized.
- When the product or service has no age restrictions, and it is difficult to determine if the user is a minor, prompt the user to (if they are a minor) inform their parents or guardians for communication of necessary information and collection of separate consent.
- In verifying age and guardian identity, processors must employ reasonable means, strictly limiting the collection of personal information and promptly deleting it after processing.
Implementation of Written Consent
- Identify situations where laws or regulations explicitly require written consent and activities requiring enhanced evidence storage or archival. Create and continually update a list of processing activities that necessitate written consent.
- Before obtaining written consent, it is essential to enhance the notification mechanism and present it in written form. Provide clear and comprehensive information to individuals, ensuring the content of the notification is fully understood by them.
- Choose an express consent mechanism for written consent, ensuring clear text expression. Avoid methods like click confirmation, upload submission, log-in, or picture cooperation.
- Entities processing personal information can adopt a specific implementation plan for written consent based on business features, products or services, and user preferences. This may include handwritten signatures on various interfaces.
- If, in accordance with legal requirements, the personal information processor needs to secure both written and separate consent from the individual, it is essential to establish a distinct consent mechanism, such as a separate signature.
Implementation of Refusal of Consent
When an individual refuses or waives consent:
- Clearly define how an individual can express their refusal or withdrawal of consent, such as by clicking a "reject" button, interrupting the ongoing operation, closing the interface, or navigating back to a previous step. The objective is to make sure that the individual's refusal is unmistakably communicated before they complete the consent process. This ensures that no personal information is collected if the individual chooses not to proceed with the consent operation.
- Explain the consequences to the individual of the refusal of consent, especially if the information is necessary for service provision; obtain consent again if necessary, providing information on the impact of refusal.
- If information is not necessary after refusal, avoid frequent inquiries and requests; consent inquiries triggered by individual choices are not considered interruptions.
- After refusal, handle interfaces appropriately; maintain the original interface rather than exiting all interfaces, and switch to basic business function interfaces or related functions.
- For refusal of basic business functions, switch to a non-personal information processing service mode (e.g., static pages, non-personalized browsing).
Withdrawal of Consent
Mechanism Design for Withdrawal of Consent
Entities processing personal information should design a mechanism for individuals to withdraw their consent, including the following.
- Ensure convenience in the withdrawal mechanism's design. Clearly outline the means for individuals to withdraw consent, mirroring the process of obtaining consent.
- Entities processing personal information can set the granularity of the consent withdrawal mechanism based on individual needs and product/service characteristics.
- Communicate specific scenarios and withdrawal methods to individuals through general notifications in the personal information protection policy.
- After withdrawal, design a mechanism to delete or anonymize relevant personal information. Actively inform individuals of this process, allowing them to choose whether to retain the personal information.
Implementation of Withdrawal of Consent
- The scope of withdrawal is limited to consent-based personal information processing activities and excludes processing activities based on other legal bases.
- The entity processing personal information shall verify the identity of the requester before processing the withdrawal request; it should be confirmed that the requester is the concerned individual or an authorized representative.
- After withdrawal, cease processing activities corresponding to such personal information, and reserve the effectiveness of processing activities based on consent before withdrawal.
- Complete confirmation of withdrawal requests within the promised time limit (not exceeding 15 days).
- After withdrawal, avoid frequent interruptions or reminders to agree to processing.
- If withdrawal involves other entities processing personal information, convey to them the individual's request to exercise their right to withdrawal; provide mechanisms for such other entities to accept individual applications.
- For changes in consent scope, withdraw consent first and then obtain new consent, or directly agree to new processing rules and suspend previous consent-based activities.
- Evaluate the effectiveness of the withdrawal mechanism, gather feedback through channels like complaints and reports, and continuously update and improve the withdrawal mechanism.
Retention of Evidence of Consent
Entities processing personal information should employ technical or management measures to retain evidence of the consent acquisition process, which includes but is not limited to:
- Plans and execution records for personal information protection impact assessments, documented decisions on notification and consent methods, records of composing and approving notification content, and post-implementation verification steps. Recording methods may include internal documents, email records, and third-party opinions from professional consulting agencies.
- Personal identification information, method and time of consent, duration, opinion of consent, and corresponding consent notification content, operation interface, log records, databases, written documents, and electronic signature records.
- Notify individuals of processing rules, including policies requiring consent, rules for providing information to others, and rules for providing information overseas.
- Include the identity of other entities also involved in processing the relevant personal information, processing rules, agreements, contracts, due diligence records, and information related to overseas provisions.
- In some cases, when sharing personal information internationally, additional records may be kept, including the location of the overseas recipient, contact details, any contracts, and relevant certification records.
- In case of sharing personal information overseas, entities processing personal information can decide how long to keep these records, considering legal requirements and their own evidentiary needs. Typically, the retention period is at least 3 years unless specific laws state otherwise.
- These entities sharing personal data overseas must follow the principle of minimum necessity, avoiding the expansion of information collection.
- Strictly limit the use of consent evidence and adopt access controls to prevent misuse.
- Implement technical measures to secure retained data and prevent leakage, tampering, damage, or loss.
- Disclose minimum necessary information to relevant departments or individuals for specified purposes.
- Employ technical or management measures to prevent unauthorized access during disclosure.