The “Costs” and “Assets” of Data Compliance: Calculating the Economic Impact of Personal Information Protection for Businesses

On November 1, 2021, the Personal Information Protection Law (hereinafter referred to as the “PIPL”) was officially implemented. As the first systematic and comprehensive law in China specifically targeting personal information protection, the PIPL explicitly requires personal information processors to follow principles of legality, justification, necessity, and integrity when collecting, using, processing, transmitting, and storing others’ personal information. One focus of the law is its impact on businesses: for example, it stipulates that relevant data platform enterprises must establish a compliance system, and it clarifies a series of legal obligations, including protecting personal information and regularly publishing social responsibility reports on personal information protection.

Is conducting personal information protection and data compliance an “increased cost” or an “asset appreciation” for relevant enterprises? Several interviewed enterprises stated that from a macro perspective of long-term enterprise development, consumer rights protection, and government regulation and policy orientation, personal information protection is actually an important measure that can bring numerous benefits and promote multi-win situations. It can not only regulate market order but also win user trust for enterprises, which is a huge “invisible asset” for them.

Consumer Perspective on the PIPL: Specialized Enforcement in Shanghai for Two Years Enhances Trust in Consumption Scenarios

Personal information protection has always been a focus of attention for all sectors of society. Especially in the context of the accelerated development of artificial intelligence, many scenarios are increasingly facing the risk of personal information being overused, misused, or even leaked.

In June 2023, in response to issues such as personal information being “excessively collected, forcibly requested, induced to provide, and used illegally,” the Shanghai Cyberspace Administration and the Shanghai Market Supervision and Administration Bureau, along with some industry regulatory departments, launched the “Sword of Justice: Specialized Enforcement Action for Personal Information Protection in the Consumption Field” under the guidance of the Cyberspace Administration of China’s Network Enforcement and Supervision Bureau. The action targeted eight daily consumption scenarios through phased, focused, and sector-specific enforcement: scan-to-order dining, scan-to-pay parking, children’s learning and training, online financial management and micro-loans, real estate agencies, charger rentals, supermarket shopping, and automobile 4S dealerships.

In 2024, the specialized enforcement action was deepened, focusing on key scenarios such as scan-to-order dining, scan-to-pay parking, ticket purchasing services at scenic spots, abuse of facial recognition, and protection of minors’ personal information. It distinguished specific application scenarios and proposed a system of regulatory guidelines tailored to the risks and compliance costs, covering the entire process of personal information collection, storage, use, processing, and transmission.

What are the results of the two-year enforcement action? Recently, reporters from The Paper visited multiple consumption scenarios in several districts of Shanghai, including Jing’an, Xuhui, and Putuo, and found that significant improvements have been made in the compliant handling of personal information in most consumption scenarios, and citizens’ sense of security in the consumption field is gradually increasing.

In the shared power bank rental scenario, multiple different brands of power bank rental stations in shops near Weihai Road in Jing’an District, Shanghai, can be rented directly by scanning a QR code with WeChat or Alipay without the need to log in or provide a phone number.

In the coffee ordering scenario, after scanning the QR code of the “Manner” coffee chain, customers need to select and agree to prompts such as the “Privacy Policy” and “User Agreement” before placing an order. The subsequent page displays two buttons: “Start Order” and “Membership Points Code,” with the “Start Order” button being more prominent, and clicking it directs the user to the payment page. At the “Luckin Coffee” chain, scanning the QR code also redirects to a page stating “I have read and agree to the content of this warning and related agreements,” which includes options such as “Enable location permissions to obtain location information” and “Provide more tailored page displays based on location information.” The Paper found that besides selecting “I have read and agree to the related agreements and privacy policy,” there are three buttons from top to bottom: “WeChat One-Click Login,” “Login with Phone Number,” and “Login-Free,” any of which can be clicked to proceed to the order page.

In the scan-to-pay parking scenario, at the underground parking lot of “Xingye Taiguhui” in Jing’an District, Shanghai, reporters from The Paper found that there are payment options inside the parking lot: “Register as a Member” and “Immediate Payment.” By clicking “Immediate Payment,” drivers can enter their license plate number to immediately pay the parking fee and quickly leave.

In the facial recognition technology application scenario, at an exit of Zhenping Road Subway Station in Putuo District, an automatic vending machine operated by “Beijing Taihe Ruitong Yunshang Technology Co., Ltd. Shanghai Branch” has a “Face Scan to Pay” sign, but in actual use, this option has been removed, and consumers can directly scan the QR code to open the cabinet door and retrieve the desired items. “I used to feel that it was not worth giving up my facial information just to buy a bottle of water. So, I would prefer to walk out of the subway station and buy it at a convenience store to feel at ease. Now, I don’t have to worry about that anymore,” said a passenger who bought water from the vending machine in the subway station, comparing the change in their mindset.

Xiaozhou, a Shanghai resident living in Putuo District, said that last year, when ordering coffee from a certain brand, it was impossible to skip the “login” option, and she was often asked for her WeChat or phone number. Even though she eventually chose to log in, she felt uneasy about her personal information being requested. However, this year, she found that many scan-to-order consumption scenarios, including coffee ordering, no longer require WeChat or phone login. “The ‘login-free’ option saves time and gives me a little more security,” she said.

The feelings of consumers are also echoed by third-party assessment agencies. The Paper learned that to objectively present and comprehensively evaluate the effectiveness of the “Sword of Justice: Pujiang” specialized enforcement action, East China University of Politics and Law, as a neutral third party, was continuously invited to establish an assessment project team to conduct research and evaluation. For the 2024 specialized enforcement action, the assessment project team believed that the action covered the entire process of personal information collection, storage, use, processing, and transmission, achieving comprehensive governance at both the “front end” and “back end.” Especially for the coffee sector, which highlights Shanghai’s characteristics, and the highly sensitive field of facial recognition technology application, it proposed a system of regulatory guidelines tailored to the risks and compliance costs, using specific examples to drive overall improvement in Shanghai’s personal information protection status.

Enterprise Perspective on the PIPL: Increased Compliance Costs, but “Invisible Assets” Are Expected to Appreciate

The collection of personal information should be limited to the minimum scope necessary to achieve the purpose of processing and shall not be excessively collected; individuals shall not be subjected to unreasonable differential treatment in terms of transaction prices or other transaction conditions; and personal information processors providing important internet platform services, with a large number of users and complex business types, shall establish and improve a compliance system for personal information protection and regularly publish social responsibility reports on personal information protection… As the first specialized law in China on personal information protection, the PIPL fully addresses social concerns and provides strong legal safeguards for resolving hot and difficult issues in personal information protection.

For consumers, enterprises’ compliance with data regulations can further protect personal information security and reduce the risk of privacy breaches. So, how should enterprises calculate this “ledger”?

Relevant staff from Meituan’s power bank service told The Paper that in 2023, Meituan’s power bank service was fully integrated into Meituan App’s privacy registration management platform, strictly implementing the principle of “minimum necessity” in collecting user privacy data.

“When users use Meituan’s power bank service, we will inform them of the ‘Privacy Policy’ and the privacy permissions required for providing the service through privacy pop-ups, clearly stating the specific rules for collecting and using personal information or privacy permissions, and obtaining users’ active consent to protect their right to know and choose,” said the staff. In terms of data security, Meituan’s power bank service has established strict data security management systems internally, adopting measures such as access control, confidentiality classification, data encryption, and desensitization to prevent unauthorized access, disclosure, improper use, and other non-compliant handling of data and personal information.

Does data compliance inevitably lead to increased enterprise costs and higher customer acquisition and marketing costs? How should this increase in costs be viewed?

“Costs can be divided into two dimensions. One is the increased cost of user understanding due to additional steps, leading to the loss of some users, which requires enterprises to invest more in customer acquisition. The other is the research and development costs invested in personal information protection projects and the subsequent costs of reviewing the reasonableness of related positions,” said relevant staff. They added that these increased costs are necessary, and Meituan’s power bank service is actively cooperating with relevant departments to ensure data compliance.

“The power bank industry has a low entry barrier, and with the market expanding and more brands entering, disorders are inevitable,” emphasized the staff. As a leading brand in the industry, Meituan’s power bank service has a greater need to cooperate with relevant departments to protect personal information and avoid risks, “which has a positive effect on the enterprise itself
