The manner in which companies do business in China changed monumentally on November 1, when China’s new Personal Information Protection Law (PIPL) took effect. When the law was first announced in August 2021, it was clear that entities with a China footprint faced a dilemma: comply or face the consequences.

The four stated objectives of the PIPL are:

- Protect the rights and interests of individuals
- Regulate personal information processing activities
- Safeguard the lawful and "orderly flow" of data
- Facilitate reasonable use of personal information

How has the industry reacted to PIPL?

LinkedIn recently announced it is closing its flagship social network in China, citing a “challenging operating environment and greater compliance requirements.” Instead, LinkedIn has opted to create a China-light version without the social networking aspect—a straight-up jobs board called “InJobs”. LinkedIn said in a recent blog post that it anticipates shuttering LinkedIn in China by year’s end.

Similarly, Yahoo announced its departure from China as the PIPL took hold. Yahoo said, “In recognition of the increasingly challenging business and legal environment in China, Yahoo’s suite of services will no longer be accessible from mainland China as of November 1.”

The irony of China pushing forward the PIPL in the face of global allegations of China’s hacking is not lost on Lynn Raynault, co-founder of Hush, a provider of consumer privacy services. The U.S.-China Economic and Security Review Commission has been sounding the klaxon for years on how China stands accused of stealing, scraping and cataloging individuals’ PII, PHI and PCI data from the United States and other countries.

PIPL presents compliance challenges

While the PIPL is similar in makeup to the GDPR, notes Armaan Mahbod, director of security and business intelligence at DTEX Systems, compliance isn’t any easier and substantive differences exist.
He wryly notes, “The PIPL may in fact spur business in China, as companies create their own versions of their offering in a ‘China-light’ format. The companies will have to hire a development and support team for their offering. There might be a bit of vulnerability for each company as complying may in fact reveal a bit of their infrastructure which had previously been protected information to the Chinese government.”

“PIPL does raise the Great Firewall of China a few more feet, but it also creates soft, perceptual challenges elsewhere in the world,” observes Quimby Melton, co-founder and CEO of privacy-focused data management solution vendor Confection. “PIPL’s data localization mandate is unique among global data privacy laws. In essence, data controllers and infrastructure operators (CIIOs) must store data within China’s borders. If you’re operating in China, you’re probably going to be storing your data on a mainland server anyway. From this perspective, it’s easy to accommodate PIPL’s localization mandate.”

What of the multinational with the “mixed bag of international PII?” says Melton. “How will your customers feel about the fact that (a) their data must live in mainland China and (b) it’s subject to an on-demand ‘security assessment’ by the Cyberspace Administration of China (CAC)? If you want to segment out Chinese and non-Chinese data, what OPEX challenges will this create? How will you thread data back together?
What’s lost when you can’t cross-reference data from around the world in real time?”

PIPL requires entities that process Chinese PII offshore to establish a “dedicated office” or appoint a “dedicated representative” in China, similar to the GDPR.

Wide discretion for PIPL violation penalties

Interestingly, the International Association of Privacy Professionals, in its primer on China’s PIPL, noted that regulators have wide discretion over the penalties they impose for violations of PIPL. Given the opaqueness of the Chinese justice system, the PIPL is not a law to be ignored. CISOs should be prepared to present options for their C-Suites: Change to be compliant, exit like Yahoo, or implement a hybrid approach like LinkedIn.