China PIPL – A Plain-English Guide to China’s Privacy Law

Quick Summary
A practical guide to China’s PIPL, covering consent, personal data rules, cross-border transfers, and compliance tips for websites and businesses.

Say your analytics dashboard starts showing 40,000 sessions a month from mainland China. Or your SaaS picks up its first paying customers in Shanghai. At what point do you need to care about China’s PIPL?

The honest answer: probably already. And if you’re GDPR-compliant, you’re closer than you think – but not close enough to stop reading.

China’s PIPL (Personal Information Protection Law) has been in force since November 2021, covering both Chinese companies and foreign ones that process data about people inside mainland China. It’s one of the stricter data protection laws globally, and there are a few places where it goes further than the GDPR in ways that have real practical consequences.

This guide covers what China’s PIPL is, who it applies to, how it compares to the GDPR, and what you actually need to do to comply.


What is China’s PIPL?

China’s PIPL – the Personal Information Protection Law (个人信息保护法) – is China’s national data privacy law, effective 1 November 2021. It regulates how personal information about people inside mainland China is collected, stored, used, shared, and transferred abroad.

The law was passed on 20 August 2021 and came into force just ten weeks later – one of the fastest rollouts for a major privacy law anywhere. It sits alongside two related laws, the Cybersecurity Law (2017) and the Data Security Law (2021), to form China’s core data governance framework.

Think of PIPL as China’s version of the GDPR: same general logic, tighter on several points.

Personal information vs. sensitive personal information – what’s the difference?

PIPL draws a clear line between two categories.

Personal information is any data that can identify an individual, directly or indirectly – names, contact details, location data, online identifiers, and similar. Anonymised data is excluded.

Sensitive personal information is a stricter subset: biometrics (face, fingerprint, voice), medical records, financial data, precise location tracking, religious beliefs, and any data about children under 14. Processing this category requires explicit consent even when another lawful basis covers your general processing.


Who does PIPL apply to?

PIPL applies to any organisation or individual that processes personal information of people within the territory of mainland China. Straightforward enough.

Does PIPL apply to foreign companies?

Yes – and this is the part that catches people off guard. PIPL has explicit extraterritorial reach. It applies to processing carried out outside China if the purpose is to:

  • provide products or services to people inside mainland China
  • analyse or evaluate the behaviour of people inside mainland China
  • otherwise fall within “other circumstances provided by laws or administrative regulations” (a catch-all)

So if your e-commerce platform ships to China, your app has users in Beijing, or your analytics tracks behaviour of visitors from the mainland – PIPL almost certainly applies. There’s no minimum threshold based on company size or revenue. A five-person startup with 500 Chinese users is in scope just like a multinational.

Foreign companies subject to PIPL must also designate a local representative or establish a legal entity inside mainland China to handle personal information matters. This is a real operational cost for smaller organisations.

Does PIPL apply to Hong Kong, Macau, and Taiwan?

No. PIPL explicitly applies to mainland China only. The Hong Kong SAR, Macau SAR, and Taiwan all have separate data protection frameworks and are outside PIPL’s scope. If you process data exclusively from those regions, PIPL doesn’t apply – though you’ll want to check the local rules.


PIPL vs GDPR – key similarities and differences

If you’ve worked through GDPR compliance, the PIPL framework will feel familiar. Both laws share the same foundations: lawful processing, consent requirements, data minimisation, individual rights, and breach notification. But PIPL is stricter on several points that matter in practice.

| | PIPL (China) | GDPR (EU) |
|---|---|---|
| In force since | November 2021 | May 2018 |
| Legitimate interest as lawful basis | Not available | Available |
| Maximum fine | RMB 50M or 5% of revenue | €20M or 4% of revenue |
| Data breach notification | Immediately | Within 72 hours |
| Cross-border transfer consent | Opt-in required | Opt-out permitted in some cases |
| Data localisation | Required above certain thresholds | No blanket requirement |
| In-country representative | Yes | Yes |

The most significant practical difference is the absence of legitimate interest. Under GDPR, many companies process data for analytics, marketing, and personalisation by relying on legitimate interests as a lawful basis – without needing explicit consent. That option doesn’t exist under PIPL. Consent is the default mechanism, and it must be specific, informed, and freely given before processing begins.

For anyone running cookie consent on a site that gets Chinese traffic, this matters directly. If you collect behavioural data from users in mainland China, you need a genuine opt-in mechanism – not a banner that defaults to acceptance. A consent management platform that supports PIPL’s stricter consent requirements is worth looking at here.

It’s also worth knowing that GDPR compliance doesn’t automatically mean PIPL compliance. Most lawyers working in this space make that point clearly – the frameworks overlap, but the gaps are real.


Business obligations under PIPL

Here’s what PIPL actually requires of organisations within its scope.

Lawful basis for processing personal information

Unlike GDPR’s six lawful bases, PIPL centres consent as the starting point. Processing without consent is permitted in seven specific scenarios: contractual necessity, statutory obligations, public health emergencies, protecting an individual’s life or property in an emergency, cases where the individual has publicly disclosed their data, public interest activities within a reasonable scope, and other circumstances specified by law.

If none of those apply, you need consent. No workarounds.

Consent and notice requirements

Consent under PIPL must be separate, specific, and voluntary. You can’t bundle it into a general terms and conditions acceptance. Before collecting any data, you must provide a clear notice covering:

  • your identity and contact details
  • what categories of personal information you’re collecting
  • why you’re collecting it and how it will be used
  • how individuals can exercise their rights
  • how long you’ll retain the data

For sensitive personal information – biometrics, health data, financial records, children’s data – you need explicit consent even if another lawful basis covers your general processing.

Data localisation – where must data be stored?

Personal information collected inside China must be stored within mainland China before any cross-border transfer takes place. For operators of critical information infrastructure (telecommunications, finance, energy, transport) and companies processing data above certain volume thresholds, this is mandatory regardless.

If all your infrastructure is in Europe or North America, this is a real operational consideration. Chinese users’ data needs to either stay in mainland China or go through a formal cross-border transfer process.

Data breach notification requirements

PIPL requires companies to notify affected individuals of a data breach immediately – there is no 72-hour window as under GDPR. You must also report to the relevant authorities. The expectation is real-time response, not next-business-day.


Cross-border data transfers under PIPL

This is the most complex area of PIPL for international businesses. Any transfer of personal information out of mainland China must go through one of three approved pathways.

The three compliance pathways

| Pathway | When it applies | Process |
|---|---|---|
| Security review (CAC) | Transferring personal information of 1 million+ individuals, or sensitive PI of 10,000+ individuals since 1 January of the current year, or any “important data” | Submit to the Cyberspace Administration of China (CAC) for review. Takes ~60 working days; valid for 3 years once passed |
| Standard Contractual Clauses (SCCs) | Transferring personal information of 100,000–1 million individuals, or sensitive PI of fewer than 10,000 individuals | Sign CAC-approved SCCs with the overseas recipient and file with the authorities within 15 working days |
| PI Protection Certification | Same volume thresholds as SCCs | Obtain certification from a CAC-accredited certification body |

If you’re transferring fewer than 100,000 individuals’ non-sensitive data per year, you may not need any of these formal mechanisms. But you still need individual consent for the transfer itself.

These thresholds were updated by the 2024 Provisions on Promoting and Regulating Cross-Border Data Flow (effective 22 March 2024). Most existing PIPL guides were written before this update, so if you’re relying on pre-2024 compliance advice, it’s worth a review.

Exemptions from cross-border transfer rules

The three formal mechanisms don’t apply when:

  • the transfer is necessary to perform a contract (e.g. international e-commerce, cross-border HR, travel bookings, payment processing)
  • it’s necessary to fulfil a statutory obligation
  • the cumulative volume transferred is below 100,000 non-sensitive records per year and no important data is involved

Even in exempt cases, you still need individual consent for the specific transfer.
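As an added example (not code from the original guide), the thresholds from the pathway table and the exemptions above can be encoded as a decision function that counts distinct individuals since 1 January, as the table specifies. The record shape, the sample log and the precedence given to important data over the contract exemption are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Pathway(Enum):
    CAC_SECURITY_REVIEW = "CAC security review"
    SCC_OR_CERTIFICATION = "CAC standard contractual clauses or PI protection certification"
    NO_FORMAL_MECHANISM = "no formal mechanism (individual consent for the transfer still required)"

@dataclass(frozen=True)
class TransferRecord:
    # One outbound transfer of one person's data. Constructed shape, not a real log format.
    when: date
    subject_id: str
    sensitive: bool   # True if the record held sensitive PI (biometrics, health, finance, under-14s)

def counts_since_jan1(records, today):
    """Distinct individuals (all PI, and sensitive PI) transferred since 1 January of today's year."""
    jan1 = date(today.year, 1, 1)
    everyone, sensitive = set(), set()
    for r in records:
        if jan1 <= r.when <= today:
            everyone.add(r.subject_id)
            if r.sensitive:
                sensitive.add(r.subject_id)
    return len(everyone), len(sensitive)

def required_pathway(individuals, sensitive_individuals, important_data=False, necessity=False):
    """Thresholds from the table above. `necessity` is the contract/statutory exemption.
    Assumption: important data goes to CAC review even when that exemption would otherwise apply."""
    if important_data:
        return Pathway.CAC_SECURITY_REVIEW
    if necessity:
        return Pathway.NO_FORMAL_MECHANISM
    if individuals >= 1_000_000 or sensitive_individuals >= 10_000:
        return Pathway.CAC_SECURITY_REVIEW
    if individuals >= 100_000 or sensitive_individuals > 0:
        return Pathway.SCC_OR_CERTIFICATION
    return Pathway.NO_FORMAL_MECHANISM

# Constructed sample log: three people transferred this year (one with sensitive PI), plus a
# repeat transfer and one entry dated before 1 January, neither of which should add to the count.
SAMPLE_LOG = [
    TransferRecord(date(2025, 2, 3), "u1", False),
    TransferRecord(date(2025, 3, 9), "u2", True),
    TransferRecord(date(2025, 4, 9), "u2", True),
    TransferRecord(date(2025, 5, 1), "u3", False),
    TransferRecord(date(2024, 12, 30), "u9", True),
]
```

Feed the year-to-date counts into `required_pathway` to see which mechanism a given volume triggers; whichever result comes back, consent for the specific transfer is still needed.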


Individual rights under PIPL

PIPL gives people in mainland China a full set of rights over their personal data:

  • Right to know – be informed about what data is being processed and why
  • Right to decide – control how their information is used
  • Right of access – request a copy of their data
  • Right to correction – ask for inaccuracies to be fixed
  • Right to erasure – request deletion under certain conditions
  • Right to restriction – limit processing in some circumstances
  • Right to data portability – receive a copy in a readable, transferable format
  • Right to object – refuse automated decision-making that significantly affects them

Companies must have a working process for handling these requests. PIPL is less prescriptive than GDPR on response timelines, but it does require timely handling. If you already have a GDPR-compliant data subject request workflow, adapting it for PIPL is manageable – just check that it covers portability and the right to object to automated decisions, which PIPL is explicit about.


PIPL penalties and enforcement

PIPL enforcement has been active since the law took effect. The Cyberspace Administration of China has ordered major apps removed from stores for violations, and fines have been issued across both domestic and foreign companies. This isn’t a law that’s sitting on the shelf.

The penalty structure works in two tiers:

Standard violations:

  • Fines of up to RMB 1 million for the organisation
  • Fines of RMB 10,000–100,000 for responsible individuals
  • Mandatory correction of violations and suspension of relevant programs

Serious (“grave”) violations:

  • Fines of up to RMB 50 million or 5% of the previous year’s annual revenue, whichever is higher
  • Suspension or revocation of business licence
  • Removal of apps from app stores

Personal liability:

  • Individuals found directly responsible: fines of up to RMB 1 million
  • Banned from serving as director, supervisor, data protection officer, or in other senior management roles

The revenue-based cap is worth sitting with for a moment. GDPR’s equivalent is 4% of global annual turnover. PIPL’s is 5%. For a large company, that difference compounds quickly. A company with RMB 5 billion in revenue faces a potential fine of RMB 250 million under PIPL’s serious violations tier.


PIPL compliance – a practical checklist

If you’re approaching this from a GDPR baseline, here’s what PIPL adds or changes:

  • Audit your data flows – identify all personal information you process about mainland China users, including what’s collected, why, and where it’s stored
  • Review your lawful basis – if you rely on legitimate interest for any processing of Chinese users’ data, that needs to change; switch to explicit opt-in consent
  • Overhaul your cookie consent for Chinese users – opt-in only, no pre-ticked boxes, and clearly separate from your general T&Cs
  • Update your privacy notice – cover all PIPL-required disclosures; make it accessible to Chinese users (consider a Chinese-language version)
  • Assess your data localisation setup – if you process above the volume thresholds, Chinese users’ data needs to be stored in mainland China before any transfer
  • Choose a cross-border transfer pathway – if you send Chinese users’ data to overseas servers, work out which of the three mechanisms applies at your volumes
  • Designate a mainland China representative – mandatory for foreign companies in scope
  • Build a breach response plan that meets the “immediate notification” standard – not a 72-hour process
  • Set up a data subject rights process covering all eight PIPL rights
  • Conduct a PI Protection Impact Assessment before processing sensitive personal information or initiating cross-border transfers

One note: get legal advice from someone familiar with Chinese data law before you go live in the Chinese market. GDPR experience is a useful starting point, not a substitute.


FAQ

What is the PIPL law in China?

PIPL (Personal Information Protection Law) is China’s national data privacy law, in force since November 1, 2021. It governs how personal information about people inside mainland China may be collected, stored, used, and shared – by Chinese companies and foreign ones alike.

Does PIPL apply to companies outside China?

Yes. PIPL has extraterritorial scope. Any organisation that provides products or services to people inside mainland China, or that analyses their behaviour, is subject to PIPL regardless of where the company is based. Foreign companies in scope must also appoint a local representative inside mainland China.

What are the PIPL penalties?

For serious violations, companies face fines of up to RMB 50 million or 5% of annual revenue (whichever is higher), plus possible suspension of business operations and confiscation of illegal gains. Individuals personally responsible can be fined up to RMB 1 million and barred from senior management roles.

Is PIPL compliance required for websites targeting Chinese users?

If your website collects personal information from users in mainland China, or analyses their behaviour for commercial purposes, PIPL likely applies to you. This covers consent for cookies and tracking, a clear privacy notice, and a process for users to exercise their data rights. The threshold is based on who you’re collecting data from, not how big your company is.


For a broader look at global privacy regulations, see our guide to privacy compliance regulations for businesses. If you’re comparing regional laws, our CCPA compliance guide covers the US equivalent, and our GDPR explainer is a good reference for the EU framework.
