China says apps should get user consent before tracking

Chinese regulators might follow the European Union’s lead to make life harder for internet companies such as Douyin (TikTok’s Chinese version) that closely track behavior of their users in a move that could significantly hurt their revenue.

Last week, Beijing proposed a new set of measures to enforce data security for individuals and the nation overall. According to Article 23 of the draft (see translation from China Law Translate), companies that are “using user data and algorithms to deliver news information or commercial advertisements shall conspicuously label them with the words ‘targeted’ and provide users with functionality to stop receiving information from targeted delivery.”

This is good news for users in China, who could potentially take more control over what they are shown and what tech companies collect about them.

On the flip side of the coin, stepped up data protection will “definitely have an impact” on companies that rely heavily on data crunching business, Michael Tan, partner at law firm Taylor Wessing specializing in data policies, told TechCrunch.

Advances in artificial intelligence have helped adtech players get better at predicting people’s clicks, and, boost their income. Few have done it better in the Chinese mobile age than Bytedance, the startup that operates TikTok and the popular Chinese news app Jinri Toutiao. In between viral videos and news are customized ads that help the eight-year-old company, which was last valued at a whopping $75 billion, make money.

Bytedance’s success with programmatic ads prompted more entrenched tech giants to follow suit. Baidu, which is China’s answer to Google with a lucrative ad business, added a personalized news feed to its search app in 2016 as Toutiao hit the mainstream. Tencent and Alibaba also incorporated customized feeds into their main products.

“Data is too important for internet companies,” a product manager at a Shenzhen-based tech firm told TechCrunch. A lot of businesses, he said, including Bytedance, are well-prepared for regulatory scrutiny so they have plenty of backup plans and have explored alternative revenue streams.

“For instance, the apps might trick you into giving them access to your data,” the person added. “Even if you consent, you still don’t know how your data is being used.”

Traffic control

In mid-2017, China introduced a sweeping Cybersecurity Law as Beijing sought more control over how data flows within its online borders. A lot of the clauses are broad and vague, but the government has taken incremental steps to solidify them overtime, including efforts like the proposed measures for data protection.

“So far there is no unified data protection legal framework in place, though the topic is addressed by various laws and regulations including the PRC Cybersecurity Law,” explained Tan. “This is quite different from many other jurisdictions like that of the E.U. where there is unified protection framework in place with primary focus on personal data and privacy protection.”

While the set of data regulations touch on individual privacy, Tan noted that the laws’ real focus is on topics “relating to national security protection.”

For example, Article 29 of the proposed data policies stipulates that “where mainland users visit the mainland internet, their traffic must not be routed outside the mainland.” The authority does not elaborate on what counts as “routing,” though some speculate that it might be targeting people accessing overseas websites through a VPN, the tool that allows them to get around China’s censorship apparatus.

Tan suggested otherwise. For one, VPNs are within the purview of the Ministry of Industry and Information Technology, China’s telecoms regulator, rather than the Cyberspace Administration of China, the country’s top internet authority that published the draft measures for data security.

Second, Tan argued the clause might be introduced “with good intention to prevent fraudulent cases including conscious or unconscious visits to overseas websites which promote illegal business under Chinese law, for example, gambling sites,” although doing so may “inadvertently hurt China-based multinational companies that have their I.T. facilities deployed globally.”

The proposed data protection policies are currently soliciting public comment until June 28.

Added more details about VPN regulation and clarified that TikTok’s Chinese version is called Douyin.