Is Matomo Analytics PIPL compliant?
The Personal Information Protection Law (PIPL) is China's data protection law. It was passed on 20 August 2021 and takes effect on 1 November 2021. This is an important change for all organisations and individuals who process personally identifiable information (PII) of people in China. Importantly, Matomo Analytics can be configured in a way that is compliant with PIPL.
What does PIPL consider as personal information?
The PIPL defines “personal information” as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other forms, excluding anonymised information. “Processing of personal information” includes, among other things, the collection, storage, use, refining, transmission, provision, public disclosure and deletion of personal information. The concept of “personal information” in PIPL is similar to “personal data” in GDPR.
When does the PIPL apply?
- If you are processing PII within China; or
- If you are outside China and process PII of a person who is inside China, and the processing is:
  - for the purpose of providing products or services; or
  - to analyse or evaluate the behaviour of an individual.
When should I care about PIPL?
When you collect any personally identifiable information (PII) using Matomo, for example via User ID, custom dimensions that may store user data, URLs, page titles, session recordings that may capture personal data, or any other PII, then you may need to be compliant with PIPL (and with other privacy regulations such as GDPR).
Are there penalties for PIPL non-compliance?
Yes, breaching the PIPL may lead to a fine of up to RMB 50 million or 5% of the processor’s turnover in the last year.
To be compliant with PIPL you will need to follow these steps:
If you have already done the steps to be GDPR compliant and followed the 12 steps to make Matomo compliant with GDPR then you have done the bulk of the work.
Most of the same steps also apply for PIPL compliance:
- Add a privacy notice.
- Add Matomo to your privacy policy page.
- Choose a lawful basis for processing personal data. The PIPL does not provide “legitimate interests” as a lawful basis for processing as found in the GDPR, and you may need to collect consent from users.
- Consent may need to be obtained from users in China before collecting their personal information or tracking them. (The consent must be informed, freely given, demonstrated by a clear action of the individual, and may later be withdrawn via opt-out).
- If you are processing any sensitive personal information, processing personal information for automated decision-making, or sharing personal information with third parties, then you need to carry out a Data Protection Impact Assessment for those processing activities and retain the processing records for at least three years.
- Download and install Matomo on your own infrastructure and servers, or use a secure web hosting provider such as Matomo Cloud. Ensure that PII, the Matomo user interface and the Matomo API are only accessible to authorised individuals.
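The consent step above is enforced in the tracking code itself. The following is an added example (not Matomo's own snippet and not from this page) of a tracker bootstrap that sends no request and sets no cookie until the visitor gives an affirmative consent, and that offers a later opt-out; `MATOMO_URL`, `SITE_ID` and the element ids in the comments are placeholders.

```javascript
// Added example (not Matomo's own snippet): tracker bootstrap that withholds tracking
// requests and cookies until the visitor gives consent, with an opt-out path.
// MATOMO_URL and SITE_ID are placeholders; replace them with your instance's values.
const MATOMO_URL = 'https://matomo.example.invalid/';
const SITE_ID = '1';

// Builds the command queue for window._paq. requireConsent must come before
// trackPageView: with it in place the tracker sets no cookies and sends no request
// until setConsentGiven / rememberConsentGiven is called; the page view is held back.
function buildTrackerQueue() {
  return [
    ['requireConsent'],
    ['setTrackerUrl', MATOMO_URL + 'matomo.php'],
    ['setSiteId', SITE_ID],
    ['trackPageView'],
    ['enableLinkTracking'],
  ];
}

// Commands to push after the visitor acts on the consent banner.
// rememberConsentGiven stores the decision in a cookie so later page loads do not
// re-prompt; setConsentGiven would apply to the current page view only.
function consentCommands(accepted) {
  return accepted ? [['rememberConsentGiven']] : [['forgetConsentGiven']];
}

// Withdrawal later via opt-out: drop the remembered consent and record the opt-out
// so the tracker stays silent on subsequent visits.
function optOutCommands() {
  return [['forgetConsentGiven'], ['optUserOut']];
}

// Browser wiring; skipped when run outside a page (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window._paq = window._paq || [];
  buildTrackerQueue().forEach((cmd) => window._paq.push(cmd));
  const script = document.createElement('script');
  script.async = true;
  script.src = MATOMO_URL + 'matomo.js';
  document.head.appendChild(script);
  // Hook these to your banner and opt-out control (element ids are assumptions):
  // document.getElementById('consent-accept').onclick =
  //   () => consentCommands(true).forEach((c) => window._paq.push(c));
  // document.getElementById('privacy-opt-out').onclick =
  //   () => optOutCommands().forEach((c) => window._paq.push(c));
}
```

Because consent is enforced client-side, pair it with server-side anonymisation settings in Matomo (IP anonymisation, data retention) so that a visitor who never consents leaves no identifiable record.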
If you have any questions or need help with your Matomo On-Premise setup, contact us; we're always happy to help.
Sources: PIPL and how it compares to GDPR (IAPP), and PIPL: A game changer for companies in China (Norton Rose).