Content personalization (new)
Two types of companies that provide personalized content to individuals are subject to this amendment. First, content providers that curate personalized news or information based on the data subject’s browsing history, interests, and other online data are required to provide notice that a personalization service is being provided and give data subjects the right to opt out.
Second, the amendment requires that companies looking to tailor ads and offers to target individuals based on their purchase or search histories also provide product and service options that are not tailored to that particular data subject.
Breach notification (revised)
The Amendments narrow the scope of the notification requirement of the Standards. While the Standards require notification to data subjects after any security incident, the Amendments require that the data controller notify only when data subjects’ rights and interests might be impacted by a breach.
The Amendments also require that a breach either affecting the personal information of more than one million data subjects or involving sensitive personal information affecting China’s national security (such as gene information, biometrics, and medical records) be reported to the Cyberspace Administration of China or its local counterparts.
The Amendments recommend that data controllers establish and maintain records of their data collection and processing activities, including: (i) identifying the category, quantity, and source of the personal information being collected; (ii) distinguishing data processing activity (such as sharing and cross-border transfer) based on different business functions and authorization; and (iii) identifying the systems, individuals, and entities that are involved with personal information processing.