Kendra Schaefer 凯娜

2. You must give users a way to opt-out of having their personal information used in algorithmic decision-making / marketing. 4/

3. If you process the personal info of a minor under 14, parental / guardian consent is required, and the processor has to formulate special processing rules for the personal info of minors. 5/

4. Cue the geopolitical bickering: "Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law." 6/

What that means: if sending personal information to locations outside of China, the information has to be protected to the same standards the PIPL provides. 7/

That might be done several ways: 1) China could whitelist transfer to certain countries with strong personal privacy laws, 2) Companies could sign data privacy contracts with data recipients 3) International treaties could be signed. 8/

5. Data portability: if individuals want to move their data from one info processor to another, info processors have to provide means for them to do that, providing no other data laws or regulations are being broken in the process. 9/

What's interesting to me about that in the Chinese context: Regulators have been trying to lower big tech's "walled gardens" - allowing users to move data more fluidly from one ecosystem to another might serve China's anti-monopoly aims to some extent. 10/

6. "Close relatives [of the deceased] may, for their own lawful and legitimate interests, exercise the rights of access, copy, correction, deletion, etc., to the relevant personal information of the deceased unless otherwise arranged by the deceased during his lifetime." 11/