Anonymizing Personal Data for Brands

Welcome to another edition of the China Tech Law Newsletter. In this newsletter we've talked before about China data privacy regulations. But what are companies really doing to adapt? I decided to pull again from a recent podcast I did, this time with Michel Tjoeng, SVP at ChatLabs. Here's Michel:

"Like in the West, we might discover a brand on Instagram. Then we Google it. We get presented with relevant hits on the brand. Maybe we go through the website and we buy it.

But we're anonymous throughout that journey until we buy something. So brands in the West, their CRM database, their customer database tends to be?people that have bought from the brand and therefore accepted the terms and conditions, etc.

Now, in China, you need to actually take that customer data a level further because there isn't really a traffic buying ecosystem. There is in the West with essentially Facebook and Google where you can buy your audience, but?in China, that's all what we call private traffic. ?And that means that on social media, etc.,?you actually start to build your customer data pool from the moment that they engage with you.

From the moment that they follow an official account on Wechat, for example, you can already go?get their data. So the customer database for brands that do it well in China is far larger than in the West, because it's not, only?the people that have bought from you, but also all the prospective buyers that are there in the market."

Let me set some context here.?The impact of the new Personal Information Protection Law (PIPL) from November 1, 2021 has changed how brands have to collect, process, export and store personally identifiable information (PII) on their consumers.?It also has an impact in the growing awareness of consumers here on how their information is used (or misused). The barrage of specific consents you need to give to brands to comply with PIPL will over time make people to stop to think about the rights they have more and more.?

Side note: I was recently chatting with a friend on Wechat about how I liked the new look of some of the cars coming out from a brand, in the morning, and sure enough by afternoon that brand's ads were popping up on my Wechat Moments feed.?It makes me wonder what other information Tencent sent to advertisers about me pulling from my chats and other sources.?And I remember a friend once sent me a SCREENSHOT (yes, only a screenshot) of an email newsletter software they liked and later that day the newsletter software was appearing in my Linkedin China news feed as an advertisement.?Creepy? I guess everyone has different opinions.?A good friend of mine was surprised that I was surprised by all this.

Back to the bigger picture, where things get more complicated for brands is a combination of the need to export data to a central HQ for analytics and a need to track data, and potentially remove/correct it when a pesty individual actually tries to make of use of their shiny new rights under PIPL to remove or correct it.?And this complication, among others, is causing a lot of brands to store data here locally more than ever.?In fact, many service providers who help our foreign clients publish and run their software here in China take a default position that all storage of data should be local, no provision for export unless there are specific instructions otherwise.

On the one hand if you are a sizeable consumer brand, you likely have large volumes of PII (1,000,000 data subjects or more) where extra government compliance requirements that kick in here are definitely going to put a crimp in your style.?Better to anonymize the data.

If you are a boring mid-sized enterprise SaaS player, you are less likely to be dealing with PII and much, much less likely to be dealing with volumes that trigger special compliance rules.?But on the flip side, you’re probably more likely to be dealing with “important data” from a substantive perspective which per the Data Security Law and Cybersecurity Law triggers another set of requirements.?Data touching on critical information infrastructure, broadly defined to include technology, industrial, economic, energy, finance - basically data with macro/national security-type implications.?Less easy or relevant to anonymize.?And less likely to know what is "important data", as its not clearly defined.

Here's Michel again:

"Do I need to maybe anonymize some of that data before I send it abroad? So that's one of the elements, the marketing element, and then there's also the customer service. How do I make sure that all of my employees being in customer service or in the stores, etc., we can still access the right level of customer data to service our clients because that's of equal importance.

So they're really struggling with the data storage and where it goes. And it's not just one single point where that data is stored, it goes through many different layers. So it will go from maybe a sales associate's phone to the point of sale, then to the global CRM indicating that they might buy something.

Then it goes into their order management system. Then it ends up in their ERP system, and then it ends up in their global analytics platform. So this data isn't in one place, it's all over the shop and it gets copied all over the shop."

Again, if you’re a big consumer brand, you have to do more heavy lifting yourself by getting a full range of separate, specific consents from individuals, and then potentially anonymize before exporting. But at that point there is at least some certainty that you’ve done what you can to comply.?

If you’re a third party enterprise SaaS provider, by contrast, its more likely the consent intake and other burdens fall to your customer as you are working with the data they collected on their behalf as a third party processor. And if you’re running on a server outside of China and contracting with them cross-border, your customer is the data exporter, not you.?

Of course, you can’t just stick your head in the sand and say its your customer’s problem to deal with.?You need at a minimum to help them make sure they understand what they're doing, otherwise their problem can still become your problem. In many ways, you have less certainty because the process is not entirely in-house for you and again, because the scope of what's referred to as "important data" under the law is simply not clear.

As Michel explains, its the local sales teams that need that personal information to pursue customer leads.?Big brands just want the aggregated data to run analytics to see which campaigns are working in which locations, and lessons that can be drawn to and from other markets they are operating in to design new campaigns.?This kind of analytics processing still needs to run through HQ where the scale and IT masters of the universe do their thing.?

Its no surprise then that we see clients and ecosystem partners like Michel helping brands design a system that threads the needle of (1) exporting for HQ analytics with (2) local storage for local CRM purposes while (3) sectioning off particularly problematic information.??

Michel:

"So we've got partnerships with Tencent and Ali. And so that we can store all that data locally in China. So that's a big tick box. So having the consent, having the local storage, and then we've built some innovative technology for companies that still really want to use their global CRMs, but without having the sensitive data in it, whilst keeping the local teams fully operational in so that in China, they can see the data, but in Switzerland they cannot, for example.

So we, what we're doing is before we send that data into the global CRMs, we anonymize that data and all the fields that they deem sensitive, we can anonymize that or hide it or pseudo anonymize it before it goes in. And then when any updates come out we capture that. And when local teams access that data, they basically de-anonymize this, so you Art, might be a consumer in Shanghai and someone in the store that can see, oh, that's Art who bought these things, and he's opted into a marketing. But say a person in Switzerland looks at their global CRM, they may see John Smith from Shanghai with all the same metadata, but without the PII data in it. So we're trying to help customers in that manner."

This is all a delicate game to play because, as Michel and I talked about, all it takes is for one geopolitical falling out to put a huge target on a major consumer brand or one very vocal consumer who makes their case that their data was misused.?But given the treasure of data that is otherwise available here on existing and potential customers, its no wonder that (big consumer) brands are still willing to spend all the resources necessary to maximize data collection while being as compliant as possible with the new regulations.

OK that's it for another edition of the China Tech Law Newsletter, please remember to subscribe if you haven't already. And please don't hesitate to get in touch. In order to write this Newsletter, Linkedin requires me to switch to Followers mode, but if you follow me I'll be sure to send you a connect request back.

See you again in 14 days!