China's Personal Information Protection Law (PIPL) establishes strict requirements for any organisation processing the data of individuals located within the People's Republic of China. Enacted on 1 November 2021, this legislation introduces unique state-specific mandates regarding national security, separate consent, and cross-border data flows.
Foreign companies often assume their existing compliance frameworks cover all international traffic. The PIPL contains extraterritorial provisions, meaning it applies to your website even if you have no physical presence in China, provided you target Chinese consumers or analyse their behaviour. Failing to adapt your data collection methods to these China-specific regulatory standards exposes your business to severe penalties, including service blocks within mainland China and massive financial fines. You must understand how this law diverges from European and North American standards.
Article 3 of the PIPL specifically outlines this extraterritorial reach. If your e-commerce store offers shipping to Beijing, or your analytics tools track the browsing habits of users in Shanghai, you fall under the jurisdiction of the Cyberspace Administration of China (CAC).
This law does not just govern registered Chinese corporations or state-owned enterprises. Any entity handling the personal information of natural persons within China's borders must appoint a dedicated representative or establish a local agency to handle privacy matters if they meet certain processing thresholds. The CAC strictly monitors the digital border to ensure foreign entities do not extract citizen data without proper oversight, legal basis, and explicit user agreement.
Your existing GDPR consent mechanisms might not satisfy the PIPL due to specific notification and explicit agreement requirements.
The Principle of Separate Consent
The PIPL introduces the concept of "separate consent" for specific processing activities. You cannot rely on a single, bundled "I Agree" button to cover all data uses.
Article 29 mandates separate consent when processing sensitive personal information, which includes biometrics, religious beliefs, specific identities, medical health, financial accounts, and location tracking. Articles 23, 25, and 39 also require separate consent when sharing personal data with third parties, publicly disclosing data, or transferring it outside of China. This means your cookie banner and privacy notices must present these options individually rather than burying them in a massive terms of service document.
Users must take an affirmative action for each specific high-risk category.
If you share website visitor data with advertising networks or social media pixels, you must clearly name the receiving entity, provide their contact information, explain the purpose of sharing, and obtain a distinct user opt-in just for that transfer. This creates significant friction for standard programmatic advertising setups that rely on broadcasting user data to hundreds of unknown vendors in milliseconds.
A simple check box for "all partners" violates this core PIPL requirement.
Rules for Cross-Border Data Transfers
Exporting data out of China is heavily regulated and monitored by the CAC. You cannot simply route Chinese user data to your servers in the US or EU without clearing specific regulatory hurdles.
Depending on the volume of data you process and the nature of your business, you must fulfil one of three conditions before transferring personal information overseas. Operators of Critical Information Infrastructure (CII) and companies processing large volumes of data (over 1 million individuals) must pass a mandatory security assessment conducted by the CAC. Smaller entities can opt to obtain a personal information protection certification from specialised institutions. The third and most common route for standard foreign websites is signing a standard contract formulated by the CAC with the overseas recipient, which acts as a binding agreement to uphold PIPL standards.
Even after selecting a transfer mechanism, you must still conduct a personal information protection impact assessment (PIPIA).
This assessment documents the legality, legitimacy, and necessity of the transfer. You must keep these records for at least three years. The CAC actively audits these transfer agreements and has the authority to halt any data flows that threaten national security or the public interest.
How PIPL Impacts Website Cookies and Tracking
The law does not explicitly mention cookies, but it broadly covers any technology that identifies a natural person or tracks their activities. You must align your tracking scripts with the law's consent definitions.
Basic functional cookies that are strictly necessary for your website to operate, such as session identifiers for shopping carts or security tokens, generally do not require explicit consent under the PIPL's necessity provision. However, you still need to disclose their use in your privacy policy. You cannot deploy analytics cookies to measure traffic or user behaviour without first obtaining clear, voluntary, and explicit consent from the Chinese visitor.
Targeted advertising trackers face the highest scrutiny.
Setting marketing cookies requires you to identify the specific cookie categories and the third parties receiving the data. Because these tools often transfer data to servers outside of China, you must also navigate the cross-border transfer rules and obtain separate consent for both the data sharing and the international transfer itself. Failing to block these scripts prior to consent is a direct violation of the law.
You must keep detailed logs of when and how a user granted consent, as regulators can request this proof at any time.
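The consent model described in the two sections above (one affirmative action per category, a separate opt-in for each named receiving entity, a further opt-in for the cross-border transfer, scripts blocked until every gate passes, and a timestamped record of each decision) can be expressed as a small gate in front of the tag loader. The code below is an added illustration written for this page, not code from Kukie.io or from any consent-management product; the tracker registry, the vendor names and contacts, and the `NOTICE_VERSION` value are constructed placeholders.

```javascript
// Added example: a PIPL-style consent gate for website trackers.
// Vendor names, contact addresses and NOTICE_VERSION are constructed placeholders.

const NOTICE_VERSION = 'privacy-notice-2024-01'; // placeholder: version of the notice the user saw

// Tracker registry (constructed). 'necessary' trackers need no consent; every
// other tracker must disclose its receiving entity (name, contact, purpose)
// and state whether the data leaves mainland China.
const TRACKERS = [
  { id: 'cart-session', category: 'necessary', recipient: null, crossBorder: false },
  { id: 'analytics-tag', category: 'analytics', crossBorder: true,
    recipient: { name: 'Example Analytics Co.', contact: 'privacy@example-analytics.invalid', purpose: 'traffic measurement' } },
  { id: 'ad-pixel', category: 'marketing', crossBorder: true,
    recipient: { name: 'Example Ads Ltd.', contact: 'dpo@example-ads.invalid', purpose: 'ad attribution' } },
];

// clock is injectable so the audit log can be tested deterministically.
function createConsentStore(clock = () => new Date().toISOString()) {
  const state = { categories: {}, sharing: {}, transfer: {} };
  const log = []; // append-only trail: when, what, and how each decision was made

  function record(kind, subject, granted) {
    log.push({ at: clock(), kind, subject, granted, noticeVersion: NOTICE_VERSION, method: 'explicit-toggle' });
  }

  return {
    // Category-level consent (analytics, marketing). Only an explicit boolean counts.
    setCategory(category, granted) {
      if (category === 'necessary') throw new Error('necessary cookies are not a consent choice');
      if (typeof granted !== 'boolean') throw new Error('consent must be an explicit boolean');
      state.categories[category] = granted;
      record('category', category, granted);
    },
    // Separate consent to share with ONE named recipient. Wildcards and
    // "all partners" are refused so a bundled toggle cannot be expressed.
    setSharing(recipientName, granted) {
      if (!recipientName || recipientName === '*' || /all partners/i.test(recipientName)) {
        throw new Error('sharing consent must name a single recipient');
      }
      state.sharing[recipientName] = granted;
      record('sharing', recipientName, granted);
    },
    // Separate consent to transfer that recipient's data outside China.
    setTransfer(recipientName, granted) {
      if (!recipientName || recipientName === '*') throw new Error('transfer consent must name a single recipient');
      state.transfer[recipientName] = granted;
      record('transfer', recipientName, granted);
    },
    // Every gate must pass on its own; the first failing gate is reported.
    canLoad(tracker) {
      if (tracker.category === 'necessary') return { allowed: true, reason: 'strictly necessary' };
      if (state.categories[tracker.category] !== true) {
        return { allowed: false, reason: `no consent for category ${tracker.category}` };
      }
      const r = tracker.recipient;
      if (r) {
        if (!r.name || !r.contact || !r.purpose) return { allowed: false, reason: 'recipient not fully disclosed' };
        if (state.sharing[r.name] !== true) return { allowed: false, reason: `no separate sharing consent for ${r.name}` };
        if (tracker.crossBorder && state.transfer[r.name] !== true) {
          return { allowed: false, reason: `no separate cross-border transfer consent for ${r.name}` };
        }
      }
      return { allowed: true, reason: 'all required consents present' };
    },
    auditLog() { return log.slice(); },
  };
}

// Calls loader only for trackers whose gates pass; returns the ids loaded.
function loadPermittedTrackers(store, trackers, loader) {
  const loaded = [];
  for (const t of trackers) {
    if (store.canLoad(t).allowed) { loader(t); loaded.push(t.id); }
  }
  return loaded;
}
```

On first page load, before any choice is made, only `cart-session` passes the gate. Granting the `analytics` category alone still leaves `analytics-tag` blocked, because the named-recipient sharing consent and the cross-border transfer consent are separate decisions with their own log entries; the `auditLog()` output is the record a regulator would ask for.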
Fines and Enforcement Actions
The CAC possesses significant enforcement power and has demonstrated a willingness to issue record-breaking penalties for data mishandling.
In July 2022, the CAC fined ride-hailing giant Didi Global 8.026 billion RMB (approximately 1.19 billion USD) for severe violations of the PIPL and data security laws. The investigation revealed that the company illegally collected massive amounts of clipboard data, facial recognition information, and precise location data without proper user notification or consent. While this was a massive domestic company, the fine signaled the regulator's strict approach to data privacy enforcement.
Penalties under the PIPL can reach up to 50 million RMB or 5% of an organisation's previous year's annual revenue.
Regulators can also order the suspension of related business activities, revoke business licenses, and hold directly responsible individuals personally liable with fines up to 1 million RMB. For foreign websites, the ultimate penalty is often the implementation of technical measures to block all mainland Chinese traffic from accessing the domain.
GDPR vs PIPL Comparison
While the PIPL shares DNA with European regulations, understanding the differences is essential for global compliance.
| Compliance Area | EU GDPR | China PIPL |
|---|---|---|
| Extraterritorial Scope | Applies if targeting EU residents or monitoring behaviour. | Applies if targeting Chinese residents or analysing behaviour. |
| Consent Standard | Freely given, specific, informed, and unambiguous. | Voluntary, explicit, fully informed, with "separate consent" for high risks. |
| Legitimate Interest | Valid legal basis for many processing activities. | Does not exist. Replaced largely by consent or strict necessity. |
| Data Transfers | SCCs, adequacy decisions, binding corporate rules. | CAC security assessments, CAC standard contracts, certification. |
| Maximum Fines | 20 million EUR or 4% of global annual turnover. | 50 million RMB or 5% of annual turnover (revenue scope unspecified). |
Frequently Asked Questions
Does the PIPL apply to companies outside of China?
Yes. Article 3 states that the law applies to data processing activities outside the territory of China if the purpose is to provide products or services to individuals inside China, or to analyse and assess their behaviour.
What is separate consent under China privacy law?
Separate consent requires individuals to specifically agree to distinct processing activities, such as transferring data abroad, processing sensitive personal information, or sharing data with third parties. A single bundled agreement is not sufficient.
Do I need a cookie banner for visitors from China?
Yes. Because the PIPL requires explicit consent for collecting personal information and tracking user behaviour, you must use a banner to block non-essential trackers until the user actively agrees.
Can I transfer Chinese user data to the US or Europe?
You can, but you must pass a CAC security assessment, obtain a specific certification, or sign a standard contract formulated by the CAC with the overseas recipient, while also obtaining separate consent from the user.
What happens if a foreign website violates the PIPL?
Foreign entities face fines of up to 50 million RMB or 5% of annual revenue. Regulators can also mandate internet service providers to block access to your website within mainland China.
Take Control of Your Cookie Compliance
If you process data from users globally, navigating regional laws like the PIPL, GDPR, and US state privacy regulations manually is technically complex and risky. Run a cookie scan to uncover exactly what tracking scripts fire on your site and where that data goes. Kukie.io maps your trackers, implements geo-targeted consent banners, and blocks third-party scripts until valid consent is recorded.