China PIPL

China’s Personal Information Protection Law (PIPL) is the country’s main personal information protection law. It came into effect on November 1, 2021, and regulates how organizations collect, use, store, transfer, disclose, delete, and otherwise process personal information.

For businesses, PIPL is relevant whenever personal information of individuals in mainland China is processed. This may include customer data, employee data, user account information, mobile app data, online tracking data, HR records, vendor contact information, financial information, location data, and other information connected to an identified or identifiable individual.

Who Must Comply with PIPL?

PIPL applies to organizations and individuals that process personal information of natural persons within mainland China.

It may also apply to organizations outside China in certain circumstances. Overseas organizations may fall within the scope of PIPL if they process personal information of individuals in China for the purpose of providing products or services to them, analyzing or assessing their behavior, or meeting other circumstances provided by Chinese law or regulation.

This means that a foreign company does not always need a physical office in China to have PIPL obligations. A company may need to assess PIPL if it sells products to individuals in China, offers an app or online service to users in China, monitors the behavior of users in China, employs workers in China, or transfers China-related personal information into global systems.

Overseas organizations that are subject to PIPL may also need to establish a dedicated entity or appoint a representative in China, depending on the circumstances.

What Counts as Personal Information?

Under PIPL, personal information refers to information related to an identified or identifiable natural person, recorded electronically or by other means. Information that has been anonymized is generally excluded if it cannot identify a specific individual and cannot be restored.

The definition is broad, so many ordinary business systems may contain personal information. A practical PIPL compliance program should begin with a clear understanding of where China-related personal information is collected, stored, used, shared, and transferred.

Sensitive Personal Information

PIPL gives special protection to sensitive personal information. This is personal information that, if leaked or misused, could harm a person’s dignity or endanger personal or property safety.

Sensitive personal information may include biometric data, religious belief, specific identity information, medical health information, financial accounts, precise location data, and personal information of minors.

Organizations that process sensitive personal information must have a specific purpose and sufficient necessity for doing so. They must also apply stricter protective measures and obtain separate consent where required. In practice, this means sensitive personal information should be handled with stronger controls around access, security, retention, disclosure, and internal approval.

Core Requirements Under PIPL

PIPL requires personal information to be processed lawfully, fairly, transparently, and only for clear and reasonable purposes. Organizations should collect only the personal information necessary for the stated purpose and should avoid excessive collection.

The law also requires organizations to protect personal information through appropriate security measures. This can include internal policies, access controls, encryption, de-identification, staff training, incident response processes, and regular compliance reviews.

Legal Bases for Processing

Consent is important under PIPL, but it is not the only basis for processing personal information.

PIPL allows processing where consent has been obtained, where processing is necessary to enter into or perform a contract, where it is necessary for human resources management under lawful employment policies or collective contracts, where it is necessary to fulfill statutory duties or legal obligations, where it is necessary to respond to public health emergencies or protect life, health, or property, where processing is conducted for certain public interest activities, or where lawfully disclosed personal information is processed within a reasonable scope.

Some activities require separate consent. This may include processing sensitive personal information, transferring personal information outside China, providing personal information to another personal information processor, publicly disclosing personal information, and certain uses of automated decision-making.

A strong PIPL program should therefore map each processing activity to the correct legal basis and identify where consent or separate consent is required.

Privacy Notices and Transparency

Organizations must inform individuals about how their personal information is processed. A PIPL-aligned privacy notice should generally explain who is processing the information, why it is being processed, how it is processed, what categories of personal information are involved, how long the information will be retained, and how individuals can exercise their rights.

Where personal information is transferred outside China, additional notice requirements may apply. Organizations may need to inform individuals about the overseas recipient, contact details, processing purpose, processing method, categories of personal information transferred, and how individuals can exercise their rights with the overseas recipient.

This makes transparency especially important for multinational organizations. Privacy notices should accurately reflect how China-related personal information actually moves through business systems, vendors, cloud platforms, and global operations.

Individual Rights Under PIPL

PIPL gives individuals several rights over their personal information. These include the right to know about processing activities, the right to make decisions about processing, the right to restrict or refuse certain processing, the right to access personal information, the right to obtain a copy, the right to correct or supplement inaccurate information, the right to request deletion in certain circumstances, the right to withdraw consent, and the right to request explanations of processing rules.

Organizations should maintain clear procedures for handling individual rights requests. This includes verifying the requester’s identity, locating the relevant personal information, reviewing whether the request can be fulfilled, coordinating with internal teams or vendors, responding within applicable requirements, and keeping evidence of the response.

In practice, individual rights management depends heavily on data visibility. If personal information is spread across multiple systems and vendors, organizations need a reliable way to identify where the data lives and who owns the response process.

Personal Information Protection Impact Assessments

PIPL requires personal information protection impact assessments for certain higher-risk processing activities. These may include processing sensitive personal information, using personal information for automated decision-making, entrusting processing to another party, providing personal information to another personal information processor, publicly disclosing personal information, and transferring personal information outside China.

An impact assessment should generally evaluate whether the processing purpose is lawful, legitimate, and necessary; whether the processing affects individual rights and interests; whether security measures are sufficient; and whether risk mitigation steps are in place.

For businesses, this means impact assessments should not be treated as a formality. They are a key part of proving that higher-risk processing has been reviewed before it takes place.

Cross-Border Data Transfers

Cross-border data transfer is one of the most important parts of PIPL compliance.

When personal information is transferred outside mainland China, organizations may need to inform individuals, obtain separate consent, conduct a personal information protection impact assessment, and ensure that the overseas recipient provides a level of protection consistent with PIPL.

As of 2026, China’s cross-border transfer framework includes several main routes. Depending on the type of data, volume of data, recipient, organization type, and risk level, a company may need to complete a CAC security assessment, use and file China’s standard contract, obtain personal information protection certification, or determine whether an exemption or adjusted requirement applies.

China has also continued refining its cross-border data transfer rules. In 2024, China issued rules intended to promote and regulate cross-border data flows, including exemptions or adjusted requirements for certain lower-risk transfers. The framework was developed further in 2026: certification rules for certain cross-border transfers took effect on January 1, 2026, and national safety standards for cross-border processing of personal information took effect on March 1, 2026.

For organizations, the practical requirement is to know what China personal information leaves mainland China, where it goes, why it is transferred, who receives it, which transfer route applies, and what evidence supports that decision.

Automated Decision-Making and AI

PIPL includes requirements for automated decision-making based on personal information. Organizations using automated decision-making should ensure that the processing is transparent, fair, and reasonable. Individuals may have rights to explanation and may be able to refuse decisions made solely through automated decision-making in certain circumstances.

This is relevant for AI systems, profiling tools, recommendation engines, targeted advertising, fraud detection, hiring tools, credit decisions, and other automated processes that use personal information.

Organizations using AI or automated decision-making should understand whether China personal information is involved, whether sensitive personal information is used, whether the system affects individual rights, and whether an impact assessment is required.

Vendor and Processor Requirements

PIPL also applies to entrusted processing. When an organization asks another party to process personal information on its behalf, the arrangement should define the processing purpose, duration, method, categories of personal information, protection measures, and the rights and obligations of both parties.

The organization that entrusts the processing must also supervise the entrusted party’s activities. This makes vendor management an important part of PIPL compliance.

Organizations should understand which vendors process China-related personal information, whether those vendors transfer data outside China, whether subprocessors are involved, what security measures are in place, how incidents are reported, and what happens to the data when the relationship ends.
