
PIPL — China's Data Privacy Law

China's Personal Information Protection Law: what it is, who it applies to, and what it means for your website.

China’s Personal Information Protection Law (PIPL) took effect November 1, 2021. It’s China’s first comprehensive data privacy law and it’s modeled closely on the GDPR, but with Chinese characteristics.

If you have Chinese users or visitors, PIPL applies. And it doesn’t care where your servers are.

Who must comply

PIPL applies to any organization that processes personal information of people in China, including organizations outside China if they:

  • Offer products or services to people in China
  • Analyze or evaluate the behavior of people in China
  • Fall under other conditions specified by Chinese law

There is no size or revenue threshold for applicability. A one-person shop with visitors in China is in scope just as a large platform is; the volume thresholds PIPL does set only trigger extra obligations (data localization, security assessments), not the law itself.

What counts as personal information

Broadly defined as any information relating to an identified or identifiable natural person, recorded electronically or otherwise. No specific examples in the law itself, but it covers names, contact details, online identifiers, and behavioral data. Excludes anonymized data.

PIPL recognizes seven legal bases for processing. Consent is just one option, but there is no “legitimate interest” basis, a notable contrast to the GDPR (the CCPA and ePrivacy rules do not use a legal-basis model at all). In practice that means most analytics, advertising and profiling uses that GDPR processors justify under legitimate interest need consent under PIPL.

Consent must be:

  • Voluntary, explicit, informed
  • Easily revocable at any time
  • Separate or written in specific cases
  • Re-obtained if purposes or methods change

Separate consent is required for: sharing data with third parties, disclosing data, processing sensitive personal information, and transferring data outside China.
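The separate-consent rule is the part of PIPL that breaks most cookie banners: a single “accept all” click cannot cover sharing, disclosure, sensitive data, or cross-border transfer. The following consent ledger is an added example written for this page; it is not Zest’s code and not a mechanism PIPL prescribes. The purpose names, `ConsentLedger` and its methods are this example’s own assumptions. It enforces the gates mechanically: bundled consent cannot include a separate-consent purpose, cross-border consent is refused until recipient, purpose and data categories have been disclosed, withdrawal is recorded rather than erased, and consent tied to an older notice version is invalid once the purposes or methods change.

```javascript
// Added example, not Zest's code and not a PIPL-prescribed mechanism.
// ConsentLedger and the purpose names below are this example's own.

// Purposes for which PIPL requires separate consent. A bundled "accept all"
// click must never satisfy these; each needs its own explicit act.
const SEPARATE_CONSENT_PURPOSES = new Set([
  "third_party_sharing",
  "public_disclosure",
  "sensitive_processing",
  "cross_border_transfer",
]);

// What the individual must be told before a cross-border transfer (recipient,
// purpose, categories of data). The gate refuses consent without all three.
const CROSS_BORDER_DISCLOSURE_FIELDS = ["recipient", "purpose", "categories"];

class ConsentLedger {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.records = [];       // append-only audit trail of grants and withdrawals
    this.active = new Map(); // purpose -> currently effective grant
  }

  // Record one explicit consent act for one purpose under one notice version.
  grant(purpose, { noticeVersion, separate = false, disclosure = {} }) {
    if (!noticeVersion) throw new Error("consent must be tied to a notice version");
    if (SEPARATE_CONSENT_PURPOSES.has(purpose) && !separate) {
      throw new Error(`${purpose} requires a separate consent act`);
    }
    if (purpose === "cross_border_transfer") {
      const missing = CROSS_BORDER_DISCLOSURE_FIELDS.filter((f) => !disclosure[f]);
      if (missing.length) {
        throw new Error(`cross-border consent needs disclosure of: ${missing.join(", ")}`);
      }
    }
    const rec = { type: "grant", purpose, noticeVersion, separate, disclosure, at: this.now() };
    this.records.push(rec);
    this.active.set(purpose, rec);
    return rec;
  }

  // A bundled accept covers ordinary purposes only; it cannot smuggle in a
  // purpose that needs separate consent. Checked before any grant is written,
  // so a rejected bundle leaves the ledger untouched.
  grantBundle(purposes, noticeVersion) {
    const illegal = purposes.filter((p) => SEPARATE_CONSENT_PURPOSES.has(p));
    if (illegal.length) {
      throw new Error(`cannot bundle separate-consent purposes: ${illegal.join(", ")}`);
    }
    return purposes.map((p) => this.grant(p, { noticeVersion }));
  }

  // Withdrawal is appended, never deleted: processing done before withdrawal
  // stays lawful, so the trail must show when consent existed.
  withdraw(purpose) {
    if (!this.active.has(purpose)) return false;
    this.records.push({ type: "withdraw", purpose, at: this.now() });
    this.active.delete(purpose);
    return true;
  }

  // Gate check before processing: consent must exist, not be withdrawn, and
  // match the notice version now in force. A changed purpose or method means a
  // new notice version, which invalidates old consent until re-obtained.
  allows(purpose, currentNoticeVersion) {
    const rec = this.active.get(purpose);
    return rec !== undefined && rec.noticeVersion === currentNoticeVersion;
  }
}
```

Call `allows(purpose, currentNoticeVersion)` at the point where a script or tag would actually fire, not only when the banner closes; that is what turns a consent record into a consent gate. Bumping the notice version whenever the privacy notice changes is what implements the “re-obtained if purposes or methods change” requirement without any per-user bookkeeping.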

Sensitive personal information

PIPL defines sensitive data broadly:

  • Biometrics
  • Religious beliefs
  • Medical and health data
  • Financial accounts
  • Location tracking
  • Data of minors under 14 (children’s data always requires separate, explicit consent from a parent or guardian, plus dedicated processing rules)

Processing sensitive information requires a clearly necessary purpose, strict protective measures, separate explicit consent, and detailed disclosures.

Individual rights

Individuals in China have the right to know, access, copy, correct, delete, object, withdraw consent, obtain data portability, and receive an explanation of processing rules. Processors must run a mechanism for handling these requests; if a request is refused, the individual can sue directly, so there is a private right of action. People’s procuratorates, consumer organizations and CAC-designated bodies can also bring public-interest litigation on behalf of groups.

Cross-border transfers

Transferring data outside China is heavily regulated. You need one of:

  • Passing a government security assessment
  • Obtaining government certification
  • Signing a government-approved standard contract
  • Meeting other conditions set by the Cyberspace Administration of China (CAC)

You also need separate consent from individuals for cross-border transfers and must inform them about the recipient, purpose, and categories of data.

Data localization

Certain categories of data must be stored in China:

  • Data collected by “critical information infrastructure” operators
  • Data from processors whose volume of personal information reaches thresholds set by the CAC

Penalties

Fines up to CNY 50 million or 5% of the previous year’s turnover for serious violations. Individuals directly responsible can be personally fined up to CNY 1 million and barred from serving as directors or senior managers. Business licenses can be revoked. The CAC has broad enforcement powers.

How Zest handles it

Zest’s consent-first architecture maps well to PIPL’s requirements: prior consent, separate consent gates, cookie blocking, and documented records. For cross-border scenarios, Zest’s geo-rules can be configured to serve region-specific compliance modes.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone. Drop the script in and you're done.