PIPL — China's Data Privacy Law
China's Personal Information Protection Law: what it is, who it applies to, and what it means for your website.
China’s Personal Information Protection Law (PIPL) took effect November 1, 2021. It’s China’s first comprehensive data privacy law and it’s modeled closely on the GDPR, but with Chinese characteristics.
If you have Chinese users or visitors, PIPL applies. And it doesn’t care where your servers are.
Who must comply
PIPL applies to any organization that processes personal information of people in China, including organizations outside China if they:
- Offer products or services to people in China
- Analyze or evaluate the behavior of people in China
- Fall under other conditions specified by Chinese law
There are no thresholds. Size and revenue don’t matter. Everyone must comply.
What counts as personal information
Broadly defined as any information relating to an identified or identifiable natural person, recorded electronically or by other means. The law itself gives no list of examples, but in practice it covers names, contact details, online identifiers, device identifiers, and behavioral data. Anonymized data (information that can no longer be tied to a specific person and cannot be restored) is excluded; pseudonymized data is not.
Consent under PIPL
PIPL recognizes seven legal bases for processing. Consent is just one option, but there is no “legitimate interest” basis, a notable contrast to the GDPR. For a typical website, that gap matters: analytics, advertising, and most third-party tags have no basis other than consent.
Consent must be:
- Voluntary, explicit, informed
- Easily revocable at any time
- Separate or written in specific cases
- Re-obtained if purposes or methods change
Separate consent is required for: sharing data with third parties, disclosing data, processing sensitive personal information, and transferring data outside China.
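The three consent properties above (separate gates for specific purposes, easy revocation, and re-consent when purposes or methods change) translate directly into code. The following is an added illustration in plain JavaScript, written for this page; it is not Zest’s code, and the names `POLICY_VERSION`, `PURPOSES`, `ConsentGate`, `selectActivatable` and `activateScripts` are assumptions. The inert-script convention (`type="text/plain"` plus a `data-purpose` attribute) and the sample script entries are constructed for the example.

```javascript
// Added example (not Zest's code): a purpose-scoped consent gate in plain JavaScript.
// POLICY_VERSION, PURPOSES, ConsentGate, selectActivatable and activateScripts are assumed names.

const POLICY_VERSION = 3; // bump whenever processing purposes or methods change

// Purposes that need *separate* consent each get their own gate; there is
// deliberately no "accept all" switch that could satisfy them in one click.
const PURPOSES = Object.freeze({
  essential:           { separate: false }, // needed to deliver the service; not consent-gated
  analytics:           { separate: false },
  third_party_sharing: { separate: true },  // providing data to other handlers
  sensitive:           { separate: true },  // sensitive personal information
  cross_border:        { separate: true },  // transfer outside China
});

class ConsentGate {
  constructor(store = new Map()) {
    this.store = store; // purpose -> { version, grantedAt }
  }

  // Record one affirmative choice. Separate-consent purposes must be granted
  // through a dedicated action (separate: true), never as a side effect.
  grant(purpose, { separate = false } = {}) {
    const def = PURPOSES[purpose];
    if (!def) throw new Error(`unknown purpose: ${purpose}`);
    if (def.separate && !separate) {
      throw new Error(`${purpose} requires a separate, explicit consent action`);
    }
    this.store.set(purpose, { version: POLICY_VERSION, grantedAt: Date.now() });
    return true;
  }

  // Revocation is a single call, as easy as granting.
  revoke(purpose) {
    return this.store.delete(purpose);
  }

  // Default-deny: allowed only if a grant exists AND it was given under the
  // current policy version, so a purpose/method change forces re-consent.
  isAllowed(purpose) {
    if (purpose === 'essential') return true;
    const rec = this.store.get(purpose);
    return rec !== undefined && rec.version === POLICY_VERSION;
  }

  // Purposes whose stored consent predates the current policy version.
  purposesNeedingReconsent() {
    return [...this.store.entries()]
      .filter(([, rec]) => rec.version !== POLICY_VERSION)
      .map(([purpose]) => purpose);
  }

  // Serialisable record for the consent log: what was agreed, when, under which version.
  record() {
    return Object.fromEntries(this.store);
  }
}

// Scripts are shipped inert and tagged with the purpose they serve, e.g. (constructed):
//   <script type="text/plain" data-purpose="third_party_sharing" data-src="https://cdn.example/tag.js"></script>
// This pure function decides which of them the gate currently permits.
function selectActivatable(gate, scripts) {
  return scripts.filter((s) => PURPOSES[s.purpose] !== undefined && gate.isAllowed(s.purpose));
}

// Browser side: swap each permitted inert tag for a live one. Unknown purposes stay blocked.
function activateScripts(gate, doc = globalThis.document) {
  const inert = [...doc.querySelectorAll('script[type="text/plain"][data-purpose]')];
  const descriptors = inert.map((el) => ({ purpose: el.dataset.purpose, src: el.dataset.src, el }));
  for (const { src, el } of selectActivatable(gate, descriptors)) {
    const live = doc.createElement('script');
    live.src = src;
    el.replaceWith(live);
  }
}
```

The design choice worth noting is the version check in `isAllowed`: a stored grant is not enough on its own, it must match the current `POLICY_VERSION`. That is how “re-obtain consent if purposes or methods change” becomes enforceable rather than a policy statement, and `purposesNeedingReconsent()` gives the banner the list it needs to ask again. Calling `activateScripts(gate)` on page load, and again after each grant, keeps third-party tags blocked until the relevant gate is open.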
Sensitive personal information
PIPL defines sensitive data broadly:
- Biometrics
- Religious beliefs
- Medical and health data
- Financial accounts
- Location tracking
- Data of minors under 14 (always requires separate, explicit consent from a parent or guardian)
Processing sensitive information requires a clearly necessary purpose, strict protective measures, separate explicit consent, and detailed disclosures.
Individual rights
Individuals in China have the right to know about and decide on the processing of their data, to access and copy it, to correct and delete it, to object to or restrict processing, to data portability, and to an explanation of the processing rules. They also have a private right of action: if a request is refused, they can sue the handler directly. Procuratorates, consumer organizations, and CAC-designated bodies can bring public interest litigation on behalf of groups of affected individuals.
Cross-border transfers
Transferring data outside China is heavily regulated. You need one of:
- Passing a security assessment organized by the Cyberspace Administration of China (CAC)
- Obtaining personal information protection certification from a body accredited under CAC rules
- Signing the CAC’s standard contract with the overseas recipient
- Meeting other conditions set by the CAC or other laws
You also need separate consent from individuals for cross-border transfers and must inform them of the overseas recipient’s name and contact details, the purpose and method of processing, the categories of data involved, and how they can exercise their rights against the recipient.
Data localization
Certain categories of data must be stored in China:
- Personal information collected or generated in China by “critical information infrastructure” operators
- Personal information held by handlers whose processing volume reaches thresholds set by the CAC
Operators in either category that genuinely need to send data abroad must first pass the CAC security assessment.
Penalties
Fines up to CNY 50 million or 5% of the previous year’s annual revenue for serious violations. Individuals directly responsible can be personally fined and barred from management roles. Businesses can be ordered to suspend operations and have their licenses revoked. The CAC has broad enforcement powers.
How Zest handles it
Zest’s consent-first architecture maps well to PIPL’s requirements: prior consent, separate consent gates, cookie blocking, and documented records. For cross-border scenarios, Zest’s geo-rules can be configured to serve region-specific compliance modes.