FAQ: China’s PIPL (Personal Information Protection Law)

Disclaimer

We are a Chinese digital marketing agency and frequently address questions related to PIPL compliance and implementation. However, we are not legal advisors. All recommendations and information provided on this page are based on our interpretation of these laws and should not be considered as legal advice. We advise our readers to use this information as an initial reference and consult with a qualified Chinese lawyer for comprehensive legal guidance.

If you need legal assistance, we have connections with Chinese law firms that have staff fluent in English and German. We are happy to provide contact details upon request to help you get the appropriate legal advice.


General Overview and Comparison Questions on PIPL

What are the key differences between PIPL and GDPR?

PIPL and GDPR share similar objectives in protecting personal data, but they differ significantly in certain areas. PIPL requires strict data localization, mandating that specific data, particularly from critical sectors, must be stored within China. In contrast, GDPR permits cross-border data transfers if the receiving country offers adequate data protection or through standard contractual clauses. PIPL also has more stringent consent requirements, necessitating explicit consent for processing sensitive personal data and data of minors under 14, whereas GDPR focuses on clear, informed, and revocable consent.

Regarding penalties, PIPL can impose fines up to RMB 50 million (approximately $7.7 million) or 5% of the previous year’s revenue, along with potential business suspensions for severe breaches. GDPR, on the other hand, has fines reaching up to €20 million or 4% of global turnover. Both regulations provide robust rights to data subjects, including access, correction, deletion, and data portability, but PIPL places additional emphasis on informing individuals about the specific handling and use of their data.

How does PIPL affect foreign businesses operating in China?

Foreign businesses processing the personal data of Chinese nationals must comply with PIPL, requiring significant adjustments to their data protection policies. Compliance includes obtaining explicit consent, adhering to data localization requirements, and securing cross-border data transfers. Businesses may need to set up local data storage infrastructure in China or use local data centers to meet PIPL’s localization mandates, which can involve substantial operational changes and investments.

Cross-border data transfers under PIPL necessitate security assessments and adherence to stringent conditions, adding complexity to data management practices. Contracts with third-party service providers must ensure PIPL compliance, potentially requiring renegotiation to incorporate specific data protection clauses. Non-compliance with PIPL can result in substantial fines and operational penalties, including business suspensions, making it critical for foreign businesses to align their practices with PIPL requirements to maintain smooth operations in China.

Consent and User Rights under PIPL

What are the consent requirements for collecting personal data under PIPL?

The Personal Information Protection Law (PIPL) of China mandates that businesses obtain explicit and informed consent from users before collecting their personal data. Consent must be given voluntarily, meaning users must actively agree to data collection without the use of pre-ticked boxes or implicit consent mechanisms. The information provided to users should be detailed and specific, covering the purpose of data collection, the types of data being collected, and how this data will be used and retained. Additionally, PIPL requires that users be given the ability to withdraw their consent easily at any time, and businesses must facilitate this process by providing a straightforward method for revocation.

What constitutes sensitive personal information under PIPL?

Under PIPL, sensitive personal information includes data that, if leaked or misused, could potentially harm the dignity, personal safety, or property of individuals. This category encompasses biometric data (such as fingerprints and facial recognition data), medical and health information, financial data, personal location data, and data concerning minors under the age of 14. The law imposes stricter requirements for handling such data, necessitating higher levels of protection and explicit consent for its processing. Sensitive personal information must only be processed when absolutely necessary and for legitimate purposes, with businesses required to implement robust security measures to safeguard this data.

What are the specific requirements for informing users about data processing under PIPL?

PIPL emphasizes transparency and requires businesses to inform users comprehensively about the processing of their personal data. This includes providing clear and detailed information about the identity and contact details of the data controller, the purposes and methods of data processing, the types of personal data being processed, and the duration of data retention. Users must also be informed about their rights under PIPL and how they can exercise these rights. Any changes to the data processing practices must be promptly communicated to the users. This level of transparency is crucial for building trust with users and ensuring compliance with PIPL.

What obligations do businesses have regarding user rights and data subject requests under PIPL?

Businesses have several obligations under PIPL to respect and facilitate user rights. These rights include the right to access their personal data, correct inaccuracies, delete their data, and request explanations about data processing activities. Businesses must provide clear procedures for users to exercise these rights and respond to such requests promptly. Additionally, businesses are required to inform users about any significant risks associated with their personal data, such as potential data breaches. Ensuring these obligations are met is essential for maintaining compliance with PIPL and fostering a trustworthy relationship with users.

Questions on Data Handling and Security under PIPL

How should businesses handle data localization requirements under PIPL?

Under PIPL, businesses must comply with strict data localization requirements, especially for data deemed critical to national security or affecting a large number of individuals. To meet these requirements, businesses should first identify what constitutes critical data within their operations. This includes data from key sectors like finance, healthcare, and transportation, as well as any other data specified by regulatory authorities. Once identified, businesses should establish local data centers or use Chinese-based data storage services to store this critical data within China. Companies such as Tesla and Apple have already implemented this approach by building data centers in China to comply with localization mandates. Additionally, businesses should conduct regular audits and security assessments to ensure that data storage practices meet PIPL’s requirements, verifying that data is stored securely and access is restricted to authorized personnel.

How can businesses ensure compliance with PIPL’s cross-border data transfer rules?

To comply with PIPL’s cross-border data transfer rules, businesses must undertake several key steps. First, they should conduct thorough security assessments before transferring data outside China, evaluating the risks involved and ensuring the receiving entity provides adequate protection. It is also crucial to inform users about the transfer, including the purpose, destination, and data protection measures in place, and obtain their explicit consent for the transfer. Additionally, businesses should implement standard contractual clauses that stipulate the rights and obligations of both parties involved in the transfer, ensuring that the foreign entity adheres to data protection standards comparable to those under PIPL. In some cases, businesses may also need to obtain approval from Chinese regulatory authorities before proceeding with the transfer, especially for large-scale data transfers or sensitive personal information.

What steps should businesses take to secure personal data in compliance with PIPL?

To secure personal data and comply with PIPL, businesses should implement robust encryption techniques to protect personal data both at rest and in transit, preventing unauthorized access and data breaches. Anonymizing or pseudonymizing personal data wherever possible reduces the risk of exposure. Appointing specific personnel responsible for data protection, such as a Data Protection Officer (DPO), ensures accountability and oversight. Regular security audits and assessments help identify and mitigate potential vulnerabilities. Additionally, businesses should establish clear protocols for data access, limiting it to authorized personnel only, and provide regular training to employees on data protection best practices. By adopting these measures, businesses can ensure they are adequately protecting personal data and meeting PIPL’s stringent security requirements.

What are the guidelines for data retention and deletion under PIPL?

PIPL mandates that businesses retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Once the data is no longer needed, it must be deleted in a secure manner. Businesses should establish clear data retention policies, specifying the duration for which different types of data will be retained based on their purpose and regulatory requirements. Regular audits should be conducted to ensure compliance with these retention policies. Additionally, businesses must provide users with clear information about their data retention practices and ensure that users have the ability to request deletion of their personal data when it is no longer needed for the original purpose.

How should businesses handle data breaches under PIPL?

In the event of a data breach, businesses must act swiftly to comply with PIPL requirements. Immediate measures should be taken to mitigate the breach and prevent further unauthorized access to personal data. Businesses are required to notify the relevant regulatory authorities and affected individuals promptly, providing details about the nature of the breach, the data involved, and the measures being taken to address it. Clear procedures should be in place for responding to data breaches, including identifying and containing the breach, assessing its impact, and implementing corrective actions. Regular training and simulations can help ensure that employees are prepared to respond effectively to data breaches, minimizing the potential harm to individuals and ensuring compliance with PIPL.

Usage of Third-Party Services and Technologies under PIPL

How should businesses manage third-party data processors under PIPL?

Under PIPL, businesses must ensure that third-party data processors comply with the same stringent data protection standards. This involves drafting detailed contracts that specify the purpose, scope, and duration of data processing, as well as the specific data protection measures that third-party processors must implement. Businesses should conduct thorough due diligence to verify that third-party processors have adequate security measures in place. Regular audits and assessments of third-party processors are essential to ensure ongoing compliance with PIPL. Additionally, businesses must provide users with information about the involvement of third-party processors and ensure that these processors do not use the data for unauthorized purposes.

Is the use of Google Analytics legal under PIPL?

The use of Google Analytics is legal under PIPL, but it requires compliance with specific conditions. Businesses must obtain explicit consent from users before implementing Google Analytics, clearly informing them about the data being collected, its purpose, and how it will be used. Additionally, businesses need to ensure that Google Analytics complies with PIPL’s data protection standards, including the secure processing and storage of data. Any data transferred outside of China must adhere to PIPL’s cross-border data transfer requirements, which may include conducting security assessments and obtaining regulatory approval if necessary.

How does PIPL impact the use of cookies and tracking technologies on websites?

PIPL significantly impacts the use of cookies and tracking technologies by requiring explicit user consent before any non-essential cookies can be set. Websites must provide clear and detailed information about the types of cookies used, the data they collect, their purpose, and the duration of data storage. Users must have the option to opt-in to the use of non-essential cookies, and pre-ticked consent boxes are not allowed. Essential cookies, necessary for the basic functioning of the website, can be used without consent but must still be disclosed to users. Businesses must also ensure that users can easily withdraw their consent at any time.

Does the IP address need to be anonymized by Google Analytics under PIPL?

While PIPL does not explicitly categorize IP addresses as personal data, it is considered good practice to anonymize IP addresses when using Google Analytics. Anonymizing IP addresses helps mitigate privacy risks and aligns with global best practices for data protection. Google Analytics offers features that allow for IP anonymization, which businesses should enable to enhance compliance with PIPL and other data protection regulations. This practice ensures that even if the data is accessed without authorization, it cannot be easily linked back to individual users.

What About User Behavior Tracking for A/B Testing?

User behavior tracking for A/B testing also requires explicit user consent under PIPL. Businesses must inform users about the data collected through these tracking tools, the purpose of the data collection, and how it will be used to improve user experience or website performance. Users should have the option to opt-in or opt-out of such tracking. It is essential to ensure that the third-party tools used for A/B testing comply with PIPL’s data protection standards, including secure data processing and storage. Contracts with these third-party providers should specify data protection responsibilities and ensure compliance with PIPL. Regular reviews and updates of these agreements are necessary to maintain compliance and safeguard user data.

What About Using Google Web Fonts?

Using Google Web Fonts involves sending user data, such as IP addresses, to Google’s servers. Under PIPL, explicit user consent and transparency are required. Businesses must inform users that using Google Web Fonts will transmit data to Google and provide an opt-in mechanism through cookie consent banners or privacy settings. It is essential to include details in the privacy policy about using Google Web Fonts, the data collected, and its purpose, as well as to inform users that their data will be shared with Google. Ensuring contracts with Google include compliance with PIPL’s data protection standards and considering self-hosting fonts to reduce data transmission to third parties are also important steps. By following these guidelines, businesses can use Google Web Fonts while remaining compliant with PIPL.

How Does PIPL Affect the Use of Google Tag Manager?

Using Google Tag Manager (GTM) involves deploying various marketing tags and tracking codes on a website, which can lead to the collection and transmission of user data. Under China’s Personal Information Protection Law (PIPL), businesses must ensure compliance by obtaining explicit user consent and maintaining transparency about data practices.

Businesses should inform users that GTM may transmit their data to third parties, including Google. This consent must be obtained before deploying any tags that collect personal data. Additionally, detailed information about the use of GTM, the data collected, its purpose, and how it will be used should be included in the website’s privacy policy. Ensuring that GTM and any third-party tags it manages comply with PIPL’s data protection standards is crucial. This includes regularly reviewing and updating data protection measures and contracts with third-party providers to ensure ongoing compliance with PIPL.
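The following is an added example, not code from the original page or from Google, showing how the consent requirement described in the answers above (Google Analytics, cookies and tracking, A/B testing, web fonts and GTM) can be enforced in a site's own JavaScript. Non-essential tags are registered up front but are only injected after an explicit opt-in for their purpose; nothing is pre-granted, withdrawal is recorded in an audit trail, and the disclosure list for the consent banner or privacy policy is derived from the same registry so the two cannot drift apart. The tag names, URLs and the `loadScript` callback are assumptions made for the example.

```javascript
"use strict";

// Added example (not from the original page or any vendor): a minimal consent
// gate for non-essential tags. A tag is injected only after an explicit opt-in
// for its purpose; consent is never pre-set and can be withdrawn at any time.
// `loadScript` is an injected callback (in a browser it would append a <script>
// element); the tag names and hosts used below are made up.

const PURPOSES = ["essential", "analytics", "marketing"];

class ConsentGate {
  constructor(loadScript, clock = () => new Date().toISOString()) {
    this.loadScript = loadScript;
    this.clock = clock;
    this.consent = {};  // purpose -> true only after an explicit grant (no default)
    this.tags = [];     // every registered tag, for the disclosure list
    this.pending = [];  // non-essential tags waiting for consent
    this.loaded = [];   // names of tags actually injected, in order
    this.events = [];   // audit trail of grant/withdraw actions with timestamps
  }

  // Register a tag. Essential tags (needed for the site to work) load at once;
  // everything else waits until the visitor opts in to that purpose.
  registerTag(name, purpose, src) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const tag = { name, purpose, src };
    this.tags.push(tag);
    if (this.hasConsent(purpose)) this.inject(tag);
    else this.pending.push(tag);
  }

  inject(tag) {
    this.loadScript(tag.src);
    this.loaded.push(tag.name);
  }

  hasConsent(purpose) {
    return purpose === "essential" || this.consent[purpose] === true;
  }

  // Called from the banner's opt-in control for one purpose (never pre-ticked).
  grant(purpose) {
    if (purpose === "essential" || !PURPOSES.includes(purpose)) {
      throw new Error(`cannot grant: ${purpose}`);
    }
    this.consent[purpose] = true;
    this.events.push({ at: this.clock(), purpose, action: "grant" });
    const ready = this.pending.filter((t) => t.purpose === purpose);
    this.pending = this.pending.filter((t) => t.purpose !== purpose);
    ready.forEach((t) => this.inject(t));
  }

  // Withdrawal must be as easy as granting. Scripts already on the page cannot
  // be unloaded, so they are expected to check hasConsent() before sending
  // further events; tags registered after withdrawal are queued again.
  withdraw(purpose) {
    if (purpose === "essential" || !PURPOSES.includes(purpose)) {
      throw new Error(`cannot withdraw: ${purpose}`);
    }
    this.consent[purpose] = false;
    this.events.push({ at: this.clock(), purpose, action: "withdraw" });
  }

  // Disclosure for the banner / privacy policy: each tag, its purpose and the
  // host that will receive data once it runs.
  disclosure() {
    return this.tags.map((t) => ({ name: t.name, purpose: t.purpose, host: new URL(t.src).host }));
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const gate = new ConsentGate((src) => console.log("injecting", src));
  gate.registerTag("session", "essential", "https://www.example.com/js/session.js");
  gate.registerTag("analytics", "analytics", "https://analytics.example.net/tag.js");
  console.log(gate.disclosure()); // what the banner must tell the visitor
  gate.grant("analytics");        // banner opt-in: only now is the tag injected
}
```

In a real deployment the grant and withdraw calls are wired to the banner's controls and the consent state is persisted (for example in a first-party cookie that is itself essential), while the `events` array is what an auditor or a data subject request would be answered from.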

Can I Use Cloud Services that Store Data Outside of China?

Using cloud services that store data outside of China is allowed under PIPL but comes with strict conditions. Businesses must conduct comprehensive security assessments and obtain explicit user consent before transferring personal data abroad. In some cases, especially for sensitive data or large-scale transfers, regulatory approval from Chinese authorities is required. Additionally, businesses need to ensure that contractual agreements with foreign cloud service providers include robust data protection measures that comply with PIPL standards. For certain types of data, particularly those deemed critical to national security, data must be stored within China.

How Should I Handle User Data in Server Logs?

Handling user data in server logs under PIPL requires a careful approach to ensure compliance. Although IP addresses are generally not considered personal data under PIPL, it’s still important to follow best practices for data protection. Minimize data collection by logging only essential information such as timestamps and user-agent strings. Implement strong security measures to protect server logs from unauthorized access, including encryption and strict access controls. Regularly review and audit your logging practices to ensure they remain compliant with PIPL and other relevant data protection standards.

How Do I Comply with PIPL When Using Analytics Tools Other Than Google Analytics?

To comply with PIPL when using analytics tools other than Google Analytics, you need to follow a few key steps. First, obtain explicit user consent by clearly informing users about the data being collected, the purpose of the collection, and how it will be used. Make sure users give explicit consent before any data collection starts. Next, update your privacy policy to include details about the specific analytics tools you use, the data they collect, and how it is processed. This transparency ensures users are fully aware of your data practices. Lastly, implement strong security measures to protect user data, such as encryption and access controls, and regularly review and audit your practices to ensure ongoing compliance with PIPL.

Is the Usage of Google Search Console PIPL Compliant?

Yes, the usage of Google Search Console is generally compliant with PIPL. Google Search Console, like Baidu Webmaster Tools, Bing Webmaster Tools, and Yandex Webmaster Tools, is not a tracking tool that collects data from your website or its visitors. Instead, it requires website owners or administrators to verify their ownership by adding a specific meta tag to the website’s HTML source code. These tags are not scripts and do not collect any data from the website or its visitors.

Google Search Console allows you to view information that Google already has about your website. This includes anonymized data about how users interact with Google Search before they click on a search result that might lead to your website. This information does not track or collect data on whether these users actually visit your site, thus ensuring that no personal data of visitors is collected or processed through this tool.

Given that Google Search Console does not collect any data directly from your website or its visitors and merely provides access to pre-existing, anonymized search data, it aligns with PIPL’s data protection requirements. However, it is still essential to disclose the use of such tools in your privacy policy and ensure that you maintain transparency with your users about all data practices related to your website.

PIPL Compliance and Enforcement

What penalties and fines can be imposed for non-compliance with PIPL?

Non-compliance with PIPL can result in severe penalties and fines. Businesses can face fines up to RMB 50 million (approximately USD 7.7 million) or 5% of their annual revenue from the previous year, whichever is higher. Additionally, individuals directly responsible for the non-compliance can be fined between RMB 100,000 and RMB 1 million. In severe cases, authorities may order the suspension of business activities or even revoke business licenses and permits. These penalties underscore the importance of adhering to PIPL’s stringent data protection requirements.

What role do Data Protection Officers (DPOs) play in PIPL compliance?

Data Protection Officers (DPOs) play a crucial role in ensuring compliance with PIPL. They are responsible for overseeing the organization’s data protection strategy, ensuring that personal data is handled in accordance with PIPL, and acting as a point of contact between the organization and regulatory authorities. DPOs also conduct regular audits and assessments to identify and mitigate data protection risks, provide training to staff on data protection practices, and respond to data subject requests and potential data breaches.

How frequently should businesses review and update their data protection practices to stay compliant with PIPL?

Businesses should regularly review and update their data protection practices to remain compliant with PIPL. It is recommended to conduct reviews at least annually, or more frequently if there are significant changes in data processing activities, regulatory updates, or if new data protection risks are identified. Regular reviews ensure that data protection measures are up-to-date, effective, and aligned with PIPL’s requirements, helping to prevent non-compliance and potential penalties.

Are there any exemptions or special provisions for small businesses under PIPL?

PIPL does not provide specific exemptions for small businesses; all entities that process personal data must comply with its provisions. However, the regulatory burden on small businesses may be relatively lower due to the smaller scale of data processing activities. Small businesses must still ensure they obtain explicit consent, implement appropriate data protection measures, and comply with data subject rights. It is important for small businesses to stay informed about PIPL requirements and seek guidance to ensure compliance.

How can businesses prepare for potential audits or inspections by Chinese regulatory authorities under PIPL?

To prepare for potential audits or inspections by Chinese regulatory authorities under PIPL, businesses should:

  1. Maintain Comprehensive Records: Keep detailed records of data processing activities, including data collection, storage, and transfer practices.
  2. Conduct Regular Audits: Perform regular internal audits to ensure compliance with PIPL and address any identified issues promptly.
  3. Implement Robust Data Protection Measures: Ensure strong security measures are in place, such as encryption and access controls, to protect personal data.
  4. Train Employees: Provide regular training to employees on PIPL compliance and data protection best practices.
  5. Establish Clear Procedures: Develop clear procedures for responding to regulatory inquiries, audits, and inspections, including designating a point of contact for regulators.

Practical PIPL Implications

What specific changes might be needed for existing GDPR-compliant consent forms to comply with PIPL?

To make GDPR-compliant consent forms suitable for PIPL, some key adjustments are necessary. First, ensure explicit consent for processing sensitive personal data, often in written form, particularly for biometric information, health records, and data about minors under 14. Consent forms must also include detailed information about the data handler’s identity, the purpose, scope, and methods of data processing, retention periods, and how individuals can exercise their rights. Additionally, make it easy for users to revoke their consent at any time, and ensure enhanced transparency about the specifics of data collection and usage, including third-party data sharing.

How should businesses handle data sharing and processing agreements under PIPL?

Handling data sharing and processing agreements under PIPL requires meticulous detail and strict adherence to regulations. Businesses should ensure contracts with third-party processors specify the purpose, scope, and duration of data processing, along with stringent data protection measures. These contracts must outline security measures, including encryption and access controls, and ensure compliance with PIPL requirements. This includes provisions for responding to data breaches and supporting the exercise of data subject rights mandated by PIPL. Regular audits and assessments of third-party compliance are also essential to maintain ongoing adherence.

What are the requirements for automated decision-making and targeted advertising under PIPL?

Under PIPL, automated decision-making and targeted advertising must be handled with care to protect user rights. Businesses must obtain explicit consent from users before using their data for automated decision-making processes that significantly impact them. This includes decisions related to credit scoring, recruitment, and other areas that affect users’ rights and interests. Transparency is crucial, so businesses need to inform users about the logic and potential consequences of automated decisions. Additionally, users must have the option to opt-out of automated decision-making and targeted advertising, ensuring they can exercise control over their personal data.


Some of the sources we dug into for you are:


Still confused? No problem. Although we are not providing any legal advice, our experience enables us to give a quick judgement of whether your website and online business activities might be at lower or higher risk of violating Chinese law.

We will be more than happy to provide you with a quick judgement and, if appropriate, recommendations of law firms in China that have fluent English- or German-speaking staff to provide legal advice in a language you speak.

Just send us a message asking for “PIPL Quick Evaluation” to hello@jadegital.com