Operators of e-commerce platforms, websites and apps in China, and those using third party e-commerce, social media or livestreaming platforms to sell their products and services in China, must update their operations, services and systems in advance of wide-ranging new rules.
The Measures for the Supervision and Administration of Online Transactions (“Measures”) will come into force on 1 May 2021. The Measures provide detailed guidance supplementing the PRC E-Commerce Law, the PRC Consumer Protection Law and the PRC Cybersecurity Law.
Issues to be addressed include:
- Data privacy: compliant privacy notices/consents must be given to/obtained from customers using or buying via e-commerce or livestreaming platforms, sites, apps and services on or before collection or use of personal data, including appropriate direct marketing opt-ins and unsubscribe functions.
- Separate consent for sensitive personal data: if and to the extent an e-commerce operator or seller collects sensitive personal data (which is defined differently in China, and includes by way of example (this is not a comprehensive list) “biometric data”, “health data”, “financial account data” and “personal tracking data”), separate explicit consent must be obtained from the data subject for each category of sensitive personal data collected. This is on top of general consent to processing of personal data obtained from the data subject.
- Transaction and livestreaming records retention: certain records must be kept for at least three years.
- Reasonable limitations of liability in user Ts&Cs: sellers may not include certain limitations and exclusions of liability clauses – such as excluding liability for repair, replacement or refund – in customer terms and conditions. Any such clauses would now be unenforceable.
- Disclosure to regulators: certain customer and transaction data must now be provided by e-commerce operators and sellers to the State Administration of Market Regulation (“SAMR”) on request.
- Other requirements: these include (this is not a comprehensive list):
- rules around content of advertising on e-commerce or livestreaming platforms, sites and apps;
- compliance with competition laws; and
- business registration for operators or sellers above specified annual transaction activity thresholds.
Failure to address these could result in rectification orders and fines, and we also anticipate sites may be blocked or taken down for non-compliance.
Finally, draft TC260 data security guidelines for online shopping services have also recently been released, including notably data localisation requirements for all data of e-commerce platform, site and app operators, and those using them to sell their products and services. While this could have a substantial impact on international businesses selling goods and services online in China, it appears contrary to other recent draft data privacy regulations (in particular the Draft Personal Information Protection Law) which do not impose strict data localisation.