Regulation of cookies under Chinese law
Chinese law does not specifically regulate cookies. Instead, cookies are generally subject to Chinese regulations on the Internet, consumer privacy and data protection. Among these laws are:
- the 2010 Tort Liability Law;
- the related 2014 Supreme People’s Court’s Provisions on Certain Issues Concerning the Application of Law in the Hearing of Cases of Civil Disputes over the Use of Information Networks to Infringe upon Personal Rights and Interests (the SPC Provisions);
- the 2013 Ministry of Industry and Information Technology Provisions on Protection of Personal Information of Telecommunications and Internet Users (the MIIT Provisions); and
- the 2015 State Administration for Industry and Commerce Measures for Punishments against Infringements on Consumer Rights and Interests.
There is also a non-binding standard which gives helpful guidance for the industry, the 2013 China Standardization Administration’s Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services on Information Security Technology (the Guidelines).
The consumer’s claim
In this recent case, Internet user Ms. Zhu Ye claimed that Baidu violated her privacy rights under the 2010 Tort Liability Law leading to damages in the form of emotional distress. Ms. Zhu had used Baidu’s search engine to type in distinctive search terms such as “weight loss”, “abortion” and “breast implants”. Then, when visiting third party websites, such as www.4816.com, www.paolove.com and www.500kan.com, she found (and used a notary to document evidence) that the advertisements displayed on these websites related to the search term she had input into Baidu’s search engine prior to visiting the site. Marking on the online advertisements traced them back to the cooperative advertising arm of Baidu. This caused Ms. Zhu to feel significant fear and distress that Baidu engaged in commercial activity using her personal habits and preferences, in violation of her rights to privacy.
The court’s finding
The appellate court disagreed with Ms. Zhu’s privacy claim based on three key considerations.
- The information collected by the Baidu cookies did not amount to “personal information” as defined under the MIIT Provisions.
The court agreed that a record of a user’s internet activity and internet preferences are matters of privacy, but the court also found that such items did not amount to personal information in the context of cookies because the information is separate from, and unable to lead to discovery of the identity of the user. Baidu’s cookies were not linked to the identity of a person, but only to the specific Internet browser. Baidu did not know the identity of the user using the browser, nor did it know whether there were one or several people using the browser or what Ms. Zhu’s preferences would be if she used a different browser.
- Baidu’s online targeted advertising service did not result in cognizable damages to the user or involve public disclosure.
The SPC Provisions, which set down the parameters for courts to take on Internet public disclosure cases, provides that courts shall uphold a finding for liability in tort for cases in which: (1) a network user or network service provider, (2) causes harm to an individual (3) by using the Internet to make public the individual’s genetic information, medical records, health examination data, criminal records, home address, personal activities or other private and personal information. The court found that Ms. Zhu’s claims failed on the second element (damages) and the third element (public disclosure).
Concerning damages, the court found that Ms. Zhu’s claims of emotional distress were subjective and unsupportable, and that the objective result of Baidu’s personalized advertisements service, far from being harmful, actually provided a benefit to Ms. Zhu as the advertisements she saw on third party websites were targeted towards her preferences, rather than being random and irrelevant.
Concerning public disclosure, the court found that no public disclosure had occurred. The only place where Ms. Zhu’s Internet preferences were disclosed was to Ms. Zhu’s own Internet browser, and not to the public.
- Baidu had not denied Ms. Zhu’s right to know and right to choose.
In Baidu’s case, there are not one, but two opt-out mechanisms available to users. The first is Baidu’s explanation of how to turn off cookies through adjusting the user’s browser settings. The second is a button provided by Baidu on its own website that allows users to turn off the cookie function.
China has no specific rules on cookies, which can leave companies uncertain about whether the cookie policies they have formulated under general PRC privacy rules and practice comply and are sufficient to withstand claims in court. Indeed, Baidu itself could not be certain of the outcome of this particular case, and actually lost the case in the court of first instance.
The appellate judgment, on the other hand, overruled the court of first instance and, in a detailed opinion, shed much needed light on the issue. Even though not binding on other courts as a precedent, given that the PRC is not a common law jurisdiction, the court’s opinion is the final judgment for this case, and its analysis reveals important take-aways to consider in addition to the main findings discussed above:
- Privacy policies are critical. They should be thorough in their explanation of cookie use and where applicable, explain how to opt out, or even better, directly provide a mechanism to users for opting out.
- The court cited the Guidelines. The Guidelines are non-binding, so their usefulness is often, and at least in some measure rightly, discounted. Nevertheless, they are the most detailed statement of standards for privacy matters in the PRC, and we often advise clients of the potential upside of referring to them to develop best practices. In this court judgment, the upside was explicit. The court found the Guidelines to be an important reference point for devising principles for what is acceptable, acknowledged the Guidelines’ separate classification and consent requirements for sensitive personal information as opposed to general personal information, and recognized the Guidelines’ purpose of striking a balance between preserving personal dignity and promoting technical innovation.
The judgment cannot be relied on as a precedent, but it bodes well for Baidu and provides strong arguments for why similar uses of cookies will be compliant with the spirit and letter of Chinese law, which is a welcome development for technology companies across China.