The Personal Information Protection Law (PIPL) was passed on 20 August 2021 and took effect on 1 November 2021. The PIPL is China’s main data protection law, but it works alongside the Cybersecurity Law (CSL), the Data Security Law (DSL), and other regulations that set strict rules on data security, cross-border transfers, and privacy.

Controllers using Matomo to process personal information must carry out their own due diligence to check whether their processing complies with the privacy laws of the PRC.

Matomo Analytics can be configured in a way that is compliant with PIPL by applying privacy settings, data minimisation, and security measures.

What does PIPL consider as personal information?

The PIPL defines personal information as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other forms, excluding anonymised information. “Processing of personal information” includes, among other things, the collection, storage, use, refining, transmission, provision, public disclosure and deletion of personal information. The concept of personal information in PIPL is similar to personal data in GDPR.

PIPL also recognises and gives stronger protection to “sensitive personal information” which is defined as information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including (but not limited to):

  • biometric data;
  • religion;
  • specific social status;
  • medical health information;
  • financial accounts;
  • tracking / location information;
  • minors’ data; or
  • other data that becomes sensitive based on the processing and impact.

When does the PIPL apply?

  • If you are processing personal information within China; or
  • If you are outside China and process the personal information of a person who is inside China, and the processing is:
    1. for the purpose of providing products or services;
    2. to analyse or evaluate the behaviour of an individual; or
    3. for any reasons as required by law or regulations.

Remember that, like the GDPR, the PIPL has extra-territorial effect.

When should I care about PIPL?

When you collect any personal information using Matomo and that processing falls within the scope of PIPL, you will need to comply with PIPL (and the other privacy regulations of the PRC). Personal information collected by Matomo can include IP addresses, geolocation data, user IDs, custom dimensions that may store user data, URLs and page titles, and session recordings that may capture personal data.

Are there penalties for PIPL non-compliance?

Yes, breaching the PIPL may lead to a fine of up to RMB 50 million or 5% of the processor’s turnover in the last year.

Steps for PIPL compliance

If you have already followed the 12 steps to make Matomo compliant with GDPR, you have covered many of the necessary steps. However, PIPL has some key differences from GDPR.

We recommend that you configure Matomo to anonymise personal information. If you are likely to process large volumes of personal information or sensitive personal information, consider using self-hosted Matomo On-Premise.

1. Add a privacy notice

Privacy notices must be clear, accessible, and up to date, covering:

  • Identity & contact details
  • Types of personal data processed
  • Purposes and legal basis
  • Retention periods
  • Transfers (including international)
  • Security measures
  • Data subject rights.
  • Explain how you use Matomo.

2. Lawful basis

Consent is the default legal basis. Explicit separate consent is required for:

  • Sensitive data
  • Direct marketing
  • Cross-border transfers
  • Public disclosure
  • Sharing data with another controller
  • Biometrics (except for public security)

Unless another legal basis listed below applies, you will need to obtain your visitors’ consent before collecting their personal information or tracking them with Matomo.

The consent must be informed, freely given, specific, demonstrated by a clear action of the individual and unbundled (not forced). Withdrawal of consent must be as easy as giving consent. Note that if you use Matomo Cloud which hosts data in the EU and is provided by a processor based in New Zealand, you will need to obtain separate consent for the international data transfer.

Other legal bases include:

  • Contractual necessity
  • Employment management
  • Legal obligations
  • Public health/safety
  • Public interest journalism
  • Reasonable use of publicly available data.

3. Conduct a Personal Information Impact Assessment (PIIA)

Personal Information Impact Assessments (PIIA) must be conducted and records kept for at least 3 years in the following cases:

  • Processing sensitive personal information
  • Automated decision-making using personal data
  • Appointing a data processor
  • Sharing personal data with third parties (including intra-group sharing)
  • Public disclosure or overseas transfer of personal information
  • Any processing that significantly impacts individuals

For each of these processing activities, keep the PIIA and the related processing records for at least three years.

4. Security requirements

Under China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law, organisations must implement data security measures, including encryption, access controls, and staff training, to ensure confidentiality and protection against unauthorised processing or data loss.

  • Ensure that the Matomo interface and API are accessible only to authorised individuals.
  • If you use Matomo Cloud, carry out due diligence on your processor, have a contract in place, and retain the ability to monitor Matomo’s compliance with standards comparable to PIPL (refer to the Matomo Cloud Terms of Service and the Matomo Cloud DPA).
  • Set up an SSL certificate (HTTPS) for all your websites and apps.
  • Set up an SSL certificate (HTTPS) for your Matomo server.
  • Use the Activity Log to keep track of changes made to Matomo entities.
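As an added example (this is not code from Matomo or from this FAQ), the Python script below applies two of the measures recommended above: the data-minimisation step of anonymising personal information, and the transport and access-control checks from the security requirements. It masks the trailing bytes of visitor IP addresses before they would be stored, and it lints a constructed `config.ini.php` fragment for `force_ssl`, `enable_trusted_host_check` and `trusted_hosts[]`. Those three key names exist in Matomo’s `[General]` section; the sample values, the hostnames, and the IPv6 masking rule (four bytes zeroed per masked IPv4 byte) are assumptions made for this example.

```python
import ipaddress

# Constructed sample fragments in the style of Matomo's config/config.ini.php.
# The key names force_ssl, enable_trusted_host_check and trusted_hosts[] exist
# in Matomo's [General] section; the hostnames and values here are made up.
WEAK_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "127.0.0.1"
username = "matomo"

[General]
force_ssl = 0
enable_trusted_host_check = 0
"""

HARDENED_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
force_ssl = 1
enable_trusted_host_check = 1
trusted_hosts[] = "analytics.example.test"
trusted_hosts[] = "stats.example.test"
"""


def parse_ini(text):
    """Minimal parser for PHP-style INI: [sections], key = value, and key[] arrays."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment (including the PHP guard line)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key.endswith("[]"):
            sections[current].setdefault(key[:-2], []).append(value)
        else:
            sections[current][key] = value
    return sections


def check_security_settings(config):
    """Return findings for settings that weaken access control or transport security."""
    general = config.get("General", {})
    findings = []
    if general.get("force_ssl") != "1":
        findings.append("force_ssl is not 1: the Matomo UI and API accept plain HTTP")
    if general.get("enable_trusted_host_check") == "0":
        findings.append("enable_trusted_host_check is 0: the Host header is not validated")
    if not general.get("trusted_hosts"):
        findings.append("trusted_hosts[] is empty: no allow-list of hostnames for this server")
    return findings


def anonymize_ip(address, mask_bytes=2):
    """Zero the last mask_bytes of an IPv4 address before it is stored.

    For IPv6 this example zeroes four bytes per masked IPv4 byte (an assumption
    chosen here, not a statement of Matomo's own IPv6 rule), so the default of
    2 keeps only a /64 prefix.
    """
    if not 1 <= mask_bytes <= 4:
        raise ValueError("mask_bytes must be between 1 and 4")
    ip = ipaddress.ip_address(address)
    packed = bytearray(ip.packed)
    tail = mask_bytes if ip.version == 4 else mask_bytes * 4
    for i in range(len(packed) - tail, len(packed)):
        packed[i] = 0
    return str(ipaddress.ip_address(bytes(packed)))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_security_settings(parse_ini(text)) or ["no findings"])
    for sample in ("203.0.113.77", "2001:db8:abcd:1234:5678:9abc:def0:1"):
        print(sample, "->", anonymize_ip(sample))
```

Run the script against a copy of your own configuration to get the same three findings for a weak setup and none for a hardened one; the masking function shows why anonymised IPs no longer identify an individual visitor while still supporting country-level geolocation.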

5. Comply with international transfer requirements

China’s privacy laws and regulations include extensive rules regarding international data transfer.

Matomo Cloud User:

When you use Matomo Cloud and collect personal information of your visitors, the data is transferred outside the PRC. In most cases, international data transfers out of PRC will require the controller to comply with the following steps:

A legitimate transfer mechanism must be in place. The compliance requirements you will need to meet, will depend on the nature and amount of personal information you are processing using Matomo Cloud and transferring overseas.

  • If you are a controller that meets certain criteria, or you transfer non-sensitive personal information of more than 1 million individuals (or sensitive personal information of more than 10,000 individuals) in a year, you will need to submit a CAC security assessment and obtain written approval for the transfers.
  • If you transfer non-sensitive personal information of 100,000 to 1 million individuals (or sensitive personal information of fewer than 10,000 individuals) per year:
    • A contract with the overseas processor, incorporating the CAC standard contractual clauses (SCCs), must be signed and filed with the CAC together with a PIIA.
    • An alternative mechanism is CAC certification by a qualified organisation.
  • Some types and volumes of processing are exempt from the above requirements:
    • Transfers involving non-sensitive personal information of fewer than 100,000 individuals;
    • Personal data collected and generated outside China and later imported into China can be transferred abroad, provided it does not include data collected or generated within China;
    • The data transfer is a contractual necessity, or is necessary in emergency situations of human resource management.

If you use Matomo On-Premise, you have the control over where the data is hosted and the option of hosting the data in China.

Download and install Matomo on your own infrastructure and servers, or use a secure web hosting company such as Matomo Cloud.

If you have any questions or need help with your Matomo On-Premise setup, contact support – we are always happy to help.

Sources: DLA Piper, Data protection laws in China (Data Protection Laws of the World); Reed Smith LLP, New rules adopted for cross-border transfer of data out of China (Perspectives); IAPP, PIPL and how it compares to GDPR; Norton Rose, PIPL: A game changer for companies in China.

Disclaimer: The information provided above is for general informational purposes only and should not be considered legal advice. Please consult your legal team for specific advice and guidance tailored to your needs. If you are interested in our Matomo Cloud, learn more by reading our Matomo Cloud Data Processing Agreement (DPA).