The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

The Draft reiterates the requirements under the law that business operators must follow the principles of legitimacy, rightfulness and necessity when they collect and use the personal information of consumers. They also must expressly state the purposes, methods and scope of their collection and use of the information, and obtain the consent of the consumers. It also provides that business operators may not collect information that is irrelevant to their operations, or collect information in an improper way. Under the Draft, a business operator is required to retain, for at least five years, supporting documentation that can demonstrate its performance of its obligation to expressly inform and obtain the consent of consumers.

Business operators are required to adopt information security systems to ensure the security of the personal information of consumers. Business operators are required not to provide consumers’ personal information to other parties without the consumers’ consent, except in cases where the consumers’ personal information is anonymized in such a way that it cannot identify the specific individual and that the anonymization cannot be reversed.

In the event that a business operator suffers an information security breach which results in the disclosure or loss of information, or anticipates that such a breach is likely, the business operator is required to adopt remedial measures and promptly inform the affected consumers of such breach.

Compared with the original definition of “consumers’ personal information” in the earlier Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers, the scope of the term “consumers’ personal information” under the Draft additionally includes biometric features.

According to the Draft, without consumers’ express consent or request, business operators may not send them commercial electronic messages or make commercial marketing calls. Business operators also may not cause consumers to bear the costs of sending commercial electronic messages or making commercial marketing calls, unless otherwise agreed by the parties.