China has passed a new data protection law, according to the country’s Xinhua state media outlet . The newly enacted Personal Information Protection Law (PIPL) lays out a comprehensive set of rules around how companies collect, process and protect user data. Like GDPR, the law enshrines data minimization, the practice of limiting data collection to only the information needed for a specific purpose. It also mandates companies give users control over how their personal information is used. For instance, they’re allowed to opt out of targeted advertising.

Per Reuters , another requirement put forward by PIPL is that companies designate someone who is personally responsible for user data protection. Platforms must also submit themselves to periodic audits to ensure compliance. Any foreign company operating in the country that handles the data of Chinese citizens must comply with those same rules, making the law extraterritorial in much the same way that GDPR is.