TL;DR: Businesses that use popular e-commerce platforms like Shopify or Salesforce Commerce in China should be aware of China’s new personal privacy law. In Nov. 2021, China put into law the Personal Information Protection Law (PIPL). This article describes how the PIPL impacts your business in China, then provides a solution to ensure your e-commerce storefront is fully compliant with China’s requirements for cross-border data transfers.
On November 1, 2021, the Cybersecurity Administration of China (CAC) implemented the Personal Information Protection Law (PIPL).
Similar to the European Union’s GDPR, the PIPL’s Article 1 describes its purpose to:
“…protect personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information.”
What if My E-commerce site is out of Compliance with China’s GDPR?
Since implementing the PIPL, 21YunBox has received several inquiries from international e-commerce agencies looking to help keep their clients compliant with the new law. We keep hearing consistent questions regarding PIPL’s Chapter III compliance, which requires personal data to be localized in mainland China.
On the surface, localization of sensitive data on servers in mainland China may seem simple. However, many international businesses operating an e-commerce store in China find it challenging to stay compliant due to their favorite e-commerce platform’s architecture.
For example, several of the popular platforms (e.g. Salesforce Commerce, Shopify, etc.) don’t work out-of-the-box in China. To validate this, we ran hundreds of case studies on international companies using these platforms in China. The results showed that they don’t work in China because they utilize servers outside of mainland China to host their platforms and store the backend data.
How to make your E-commerce Storefront Compliant with China’s GDPR?
If you find your company in the situation described above, let’s look at a few of the options to get your e-commerce site working compliantly in China.
Option 1: Migrate to a New E-commerce Platform
Sure, migrating to a new platform might be a viable option.
If you have ever set up an e-commerce store, you may know the level of effort and overhead required. If not, you can expect to pay at least $100k+ just to set up the new storefront. And for a site customized for China, plan to pay a premium.
In addition to the upfront capital costs, you should budget for the overhead to fully retrain your staff, which can be painful and take years.
Option 2: Utilize Near China Servers to Host your Platform
In the early days of the ICP licenses, people were looking for ways to avoid the new law. You may have received recommendations from “experts” or read articles online saying that you should host your site on “near China servers”, in places like Hong Kong or Singapore to avoid the ICP.
Avoiding regulations might be okay for small businesses and personal projects, but if you are operating a legitimate business, breaking the law brings a risk that most reputable companies are NOT willing to accept.
Being out of compliance with the ICP can get your site permanently blocked in China. Non-compliance with the PIPL carries an even stiffer penalty.
A breach of the PIPL would put a company at risk of losing its business license and of significant financial penalties of up to 50 million RMB or 5% of its yearly turnover. So if you are working for a legitimate business, your shareholders may not be willing to accept this risk.
Option 3: Fill Out Some Paperwork and Continue using your Favorite Platform in China
If you are operating a legitimate business in China and have an ICP, China will work with you to succeed.
Remember, the PIPL’s Article 1 says that the Chinese government actively promotes the rational use of personal information. CAC had the foresight and knew that many international businesses operating in China would need an option to move data across borders, legally.
To give businesses like yours the ability to succeed in China, Chapter III of the PIPL provides a compliant avenue to move personal data out of mainland China.
If you want to ensure your e-commerce platform and architecture are compliant, the security assessment mentioned above provides you with a clean and legal avenue.
You can think of a security assessment as being like getting a business or ICP license. If you are operating an honest business and the data is for legitimate business purposes, the security assessment should be straightforward.
Once approved, you will have the ability to legally transfer business-critical information to your favorite e-commerce platform’s backend services located outside of mainland China.
We recommend this option because it provides your business with the least invasive way to ensure compliance with the PIPL. Yes, it may take some effort up front to get the paperwork approved. Still, it avoids the pain and cost of platform migration and sets up your business to operate legally in China for the foreseeable future.
How Can 21YunBox Help You Get your Storefront working Fast and Compliant in China?
If you want your e-commerce store working compliantly in China but don’t want the overhead required to migrate platforms, 21YunBox can help.
21YunBox’s Website Performance Optimizer provides a mirror service for sites using your favorite e-commerce platform (e.g. Shopify, Salesforce Commerce Cloud, etc.).
We can support you through the security assessment from the technical end of the data transfer. Then, once the paperwork is approved, Yammo’s optimized cross-border network and mirror service will ensure that your site created with your favorite platform (e.g. Salesforce Commerce, Shopify, etc.) is working fast and compliant in China.
Yes, even if your platform is hosted outside of China, Yammo ensures that it provides your prospective customers the same purchasing experience whether they are in London, New York, or Shanghai.
If you need help going to China, please contact us; we are happy to help.