The Challenge
Our client, a well-known American lifestyle brand, had expanded to over 200 retail stores across China. Their digital presence was even larger—a WeChat mini-program with 3 million registered members, a Tmall flagship store, and an internal CRM system tracking purchase history.
When PIPL took effect, their global privacy policy—drafted primarily for GDPR and CCPA—fell short in several critical areas:
- Consent mechanisms didn't meet PIPL's "separate consent" requirements
- Privacy notice lacked mandatory disclosure items under PIPL
- No documented process for data subject rights (access, deletion, portability)
- Third-party vendor contracts didn't include required clauses
- Staff had no training on PIPL-specific requirements
Our Approach
1. Gap Assessment (2 weeks)
We conducted a comprehensive review of existing data practices against PIPL requirements, including:
- Review of privacy policies (global and China-specific)
- Analysis of consent flows in WeChat mini-program
- Audit of data sharing with marketing partners
- Review of internal data handling procedures
2. Privacy Notice Redesign (3 weeks)
We drafted a China-specific privacy notice that included:
- Clear identification of data controller and contact information
- Specific purposes for each category of data collected
- Third-party recipients (named, not just "partners")
- Data retention periods by purpose
- Data subject rights and exercise procedures
- Cross-border transfer mechanisms
3. Consent Flow Optimization (4 weeks)
PIPL requires "separate consent" for sensitive data, marketing, and cross-border transfers. We redesigned the WeChat mini-program onboarding to:
- Present privacy notice before data collection begins
- Obtain separate opt-in for marketing communications
- Allow granular control over data sharing preferences
- Make consent withdrawal as easy as granting it
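The four consent rules above can be enforced in code rather than left to UI discipline. The ledger below is an added example, not the client's or the mini-program's code; the purpose names, operation names and notice version are assumptions:

```javascript
// Added example: a consent ledger enforcing PIPL "separate consent" as described above.
// Purpose names, operation names and the notice version are assumptions for illustration.
const NOTICE_VERSION = "cn-privacy-notice-v1"; // assumed notice identifier

// Purposes PIPL requires separate, unbundled consent for (never granted by default).
const SEPARATE_CONSENT_PURPOSES = new Set(["sensitive_data", "marketing", "cross_border_transfer"]);

// Which purpose each back-end operation depends on (assumed mapping).
const OPERATION_PURPOSES = {
  send_marketing_push: "marketing",
  sync_to_global_crm: "cross_border_transfer",
  store_health_profile: "sensitive_data",
};

class ConsentLedger {
  constructor(memberId) {
    this.memberId = memberId;
    this.noticeAcknowledged = null; // version shown and acknowledged before any collection
    this.grants = new Map();        // purpose -> { granted, at, noticeVersion }
    this.audit = [];                // append-only trail for data subject requests and audits
  }
  acknowledgeNotice(version) {
    this.noticeAcknowledged = version;
    this.audit.push({ event: "notice_acknowledged", version, at: Date.now() });
  }
  // One call grants exactly one purpose, so consent cannot be bundled.
  grant(purpose) {
    if (this.noticeAcknowledged === null) {
      throw new Error("privacy notice must be acknowledged before data collection");
    }
    if (!SEPARATE_CONSENT_PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.grants.set(purpose, { granted: true, at: Date.now(), noticeVersion: this.noticeAcknowledged });
    this.audit.push({ event: "granted", purpose, at: Date.now() });
  }
  // Withdrawal takes the same single call as granting: no extra steps or confirmation.
  withdraw(purpose) {
    this.grants.set(purpose, { granted: false, at: Date.now(), noticeVersion: this.noticeAcknowledged });
    this.audit.push({ event: "withdrawn", purpose, at: Date.now() });
  }
  isAllowed(purpose) {
    const g = this.grants.get(purpose);
    return Boolean(g && g.granted);
  }
}

// Gate a back-end operation on the specific purpose it needs; unknown operations are denied.
function isOperationAllowed(ledger, operation) {
  const purpose = OPERATION_PURPOSES[operation];
  return purpose !== undefined && ledger.isAllowed(purpose);
}
```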
4. Vendor Contract Review (3 weeks)
We reviewed contracts with 15 third-party vendors (payment processors, marketing platforms, logistics providers) to ensure:
- Data processing agreements included required PIPL clauses
- Vendors' data practices were documented and acceptable
- Cross-border transfer mechanisms were in place where needed
5. Staff Training (2 weeks)
We developed and delivered training for:
- Store managers (50+ participants) — customer data handling basics
- Customer service team — responding to data subject requests
- Marketing team — consent requirements for campaigns
- IT team — data security and breach response
Key Deliverables
- China Privacy Notice — Localized for PIPL compliance
- Consent Management System — Implemented in WeChat mini-program
- Data Subject Request Procedures — Internal SOP for handling requests
- Vendor Data Processing Agreements — PIPL-compliant templates
- Training Materials — Customized for different team roles
- Compliance Checklist — For ongoing self-assessment
Lessons for Other Companies
- GDPR compliance ≠ PIPL compliance. While there's overlap, PIPL has unique requirements (separate consent, specific disclosure items) that need dedicated attention.
- WeChat is critical. For most foreign brands in China, WeChat mini-program is the primary customer touchpoint. Get the consent flows right there first.
- Training is not optional. Frontline staff handle personal data daily. Without proper training, even the best policies won't be followed.
- Vendor management matters. You're responsible for your vendors' data practices. Review contracts carefully.