China's PIPL and Cookie Consent: What Global Websites Need to Know
Understanding China's Personal Information Protection Law
China's Personal Information Protection Law (PIPL), which took effect on November 1, 2021, is one of the most consequential data privacy regulations outside of Europe. For global websites, particularly those with Chinese visitors or operations in China, PIPL creates consent obligations that exist independently of — and sometimes conflict with — GDPR requirements.
PIPL governs the processing of personal information of individuals within China. Its territorial scope is broad: it applies to any organization that processes personal information of people located in China, regardless of where the organization itself is based. If your website is accessible to Chinese users and you collect any personal data from them, PIPL is relevant to you.
PIPL vs. GDPR: Key Differences That Matter
While PIPL is often called "China's GDPR," the comparison obscures important differences that affect how you implement consent:
- Consent as the primary legal basis: GDPR offers six legal bases for processing, including legitimate interest. PIPL is more consent-centric. While it does recognize other legal bases (contractual necessity, legal obligation, public interest), the scope of legitimate interest is far narrower, and consent is the expected default for most commercial data processing.
- Separate consent for sensitive data: PIPL requires separate, explicit consent for processing sensitive personal information, which includes biometric data, financial information, location tracking, and data of minors under 14. Cookie-based behavioral tracking could fall under this category.
- Mandatory data localization: Critical information infrastructure operators and organizations processing personal information above a volume threshold set by the Cyberspace Administration of China (CAC) must store data within China. This affects where your analytics and cookie data can be processed.
- Cross-border transfer restrictions: Transferring personal information outside China requires one of three mechanisms: passing a CAC security assessment, obtaining certification from a recognized body, or entering into standard contractual clauses published by the CAC. This is more restrictive than GDPR's transfer mechanisms.
- Individual rights with Chinese characteristics: PIPL grants data subjects rights similar to GDPR (access, correction, deletion, portability), but adds the right to refuse automated decision-making and the right to request explanation of automated processing rules.
What PIPL Means for Cookies and Tracking
PIPL does not specifically mention "cookies" in the way the EU's ePrivacy Directive does. However, the law's broad definition of personal information — any information related to an identified or identifiable natural person — encompasses most cookie-based tracking:
- Analytics cookies that track user behavior across pages collect personal information under PIPL's definition, even if the user is not logged in.
- Advertising cookies and cross-site tracking pixels clearly fall within scope, as they build profiles tied to device identifiers.
- Session cookies for basic functionality (shopping carts, login state) are generally permissible under the contractual necessity basis, similar to GDPR.
- Third-party cookies that share data with external parties trigger additional PIPL requirements around third-party disclosure and potentially cross-border transfer rules.
PIPL Enforcement: Real Consequences
Unlike some privacy laws that exist primarily on paper, PIPL enforcement has been active and escalating. The Cyberspace Administration of China, along with the Ministry of Public Security and other agencies, has taken concrete action:
- Major app stores in China have removed apps for excessive data collection and failure to obtain proper consent. Hundreds of apps have been delisted in enforcement campaigns.
- Companies have been fined for collecting personal information beyond what was necessary for their stated purpose.
- The CAC has issued public warnings to companies whose privacy policies did not adequately describe data processing activities.
- In severe cases, PIPL allows fines of up to 50 million RMB (approximately 7 million USD) or 5% of the previous year's revenue, along with potential suspension of business operations.
For international companies, the risk is both regulatory and commercial. Non-compliance can lead to app removal from Chinese app stores, blocking of services, and reputational damage in a market of over one billion internet users.
Geo-Targeting Chinese Visitors
If your website serves a global audience that includes Chinese users, you need a geo-targeted consent strategy. This means detecting when a visitor is located in China and presenting consent mechanisms that satisfy PIPL requirements:
- IP-based detection: Use IP geolocation to identify visitors from mainland China. This is the same approach used for GDPR geo-targeting of EEA visitors.
- Language-based signals: If a user's browser language is set to Chinese (zh-CN or zh-TW), this can serve as a secondary signal, though it should not be the sole determinant.
- Consent banner content: The consent notice shown to Chinese users should be in Simplified Chinese, clearly state the purposes of data collection, identify the data controller, and provide a genuine mechanism to refuse non-essential processing.
- Separate consent for sensitive processing: If you use cookies for behavioral profiling or location tracking, Chinese users should see a separate, more granular consent prompt for these categories.
Handling GDPR and PIPL with One CMP
Most global websites need to comply with multiple privacy regimes simultaneously. The challenge is presenting the right consent experience to the right user without maintaining separate systems. Here is how a unified approach works:
Region Detection as the Foundation
The CMP must first determine the visitor's location. Based on this, it applies the appropriate consent rules:
- EEA/UK visitors: TCF 2.3 consent banner with Consent Mode V2, opt-in model, all GDPR requirements.
- Chinese visitors: PIPL-compliant consent notice in Simplified Chinese, opt-in for non-essential processing, clear disclosure of cross-border transfers if data leaves China.
- US visitors: State-specific rules (CCPA/CPRA for California, state laws for Colorado, Connecticut, Virginia, etc.), typically opt-out models.
- Other regions: Default behavior based on the publisher's risk tolerance and applicable local laws.
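The routing step described above, written out as an added example (this is illustrative code, not FlexyConsent's or any CMP's own implementation). It assumes an IP geolocation lookup has already produced `ipCountry` (and, for the US, an `ipRegion` state code), that `browserLanguages` comes from `navigator.languages`, and that the site keeps a cookie inventory tagged with a category and the country where each vendor receives the data; the country lists, category names and function names are assumptions chosen for the example. Only the IP-derived country decides the regime; the browser language is used as the secondary signal the article describes, selecting the notice locale and never triggering PIPL on its own. For Chinese visitors the second function turns the inventory into the notice structure from the list above: essential cookies under contractual necessity, opt-in for the rest, a separate prompt for behavioral profiling and location tracking, and a cross-border disclosure for every vendor that receives data outside China.

```javascript
// Added example, not FlexyConsent code: map location signals to a consent regime
// and build the PIPL notice structure from a cookie inventory.

// Country lists are assumptions for the example; a real CMP keeps them in
// configuration and updates them as laws change.
const EEA_UK = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE',             // EU-27
  'IS', 'LI', 'NO', // EEA
  'GB',             // UK GDPR
]);
// US states with comprehensive privacy laws named in the article.
const US_OPT_OUT_STATES = new Set(['CA', 'CO', 'CT', 'VA']);

// Decide which consent regime to apply. ipCountry is the primary signal
// (null when the lookup failed); browser language only picks the locale.
function resolveRegime(signals, publisherDefault = 'notice-only') {
  const { ipCountry = null, ipRegion = null, browserLanguages = [] } = signals;
  const prefersChinese = browserLanguages.some((l) => /^zh\b/i.test(l));

  if (ipCountry === 'CN') {
    // Simplified Chinese notice regardless of browser language, opt-in model.
    return { regime: 'PIPL', model: 'opt-in', locale: 'zh-CN', separateSensitiveConsent: true };
  }
  if (EEA_UK.has(ipCountry)) {
    return { regime: 'GDPR', model: 'opt-in', framework: 'TCF 2.3', consentMode: 'v2',
             locale: prefersChinese ? 'zh-CN' : 'auto' };
  }
  if (ipCountry === 'US') {
    return US_OPT_OUT_STATES.has(ipRegion)
      ? { regime: 'US_STATE', model: 'opt-out', state: ipRegion }
      : { regime: 'DEFAULT', model: publisherDefault };
  }
  // Unknown or other country: publisher's default. A Chinese browser language
  // alone never selects PIPL; it is recorded as a hint for the publisher only.
  return { regime: 'DEFAULT', model: publisherDefault, localeHint: prefersChinese ? 'zh-CN' : null };
}

// Cookie categories that the article treats as sensitive under PIPL.
const SENSITIVE_CATEGORIES = new Set(['profiling', 'location']);

// Build the PIPL notice structure from a cookie inventory. Each entry has
// { name, category, vendor, dataCountry }; dataCountry is where the vendor
// receives the data ('CN' means it stays in China).
function buildPiplNotice(inventory) {
  const notice = { essential: [], optIn: [], sensitive: [], crossBorderVendors: [] };
  for (const c of inventory) {
    if (c.category === 'essential') notice.essential.push(c.name);        // contractual necessity
    else if (SENSITIVE_CATEGORIES.has(c.category)) notice.sensitive.push(c.name); // separate prompt
    else notice.optIn.push(c.name);                                        // ordinary opt-in
    // Any vendor receiving data outside China must be named in the notice.
    if (c.dataCountry !== 'CN' && !notice.crossBorderVendors.includes(c.vendor)) {
      notice.crossBorderVendors.push(c.vendor);
    }
  }
  notice.mentionsInternationalTransfer = notice.crossBorderVendors.length > 0;
  return notice;
}

// Constructed sample inventory (assumption; not a real site's cookies).
const SAMPLE_COOKIES = [
  { name: 'cart',      category: 'essential',   vendor: 'first-party',        dataCountry: 'DE' },
  { name: '_ga',       category: 'analytics',   vendor: 'Google Analytics',   dataCountry: 'US' },
  { name: 'ad_id',     category: 'advertising', vendor: 'AdNetwork (sample)', dataCountry: 'US' },
  { name: 'geo_track', category: 'location',    vendor: 'first-party',        dataCountry: 'DE' },
];

// Usage: a visitor geolocated to China with an English browser still gets PIPL.
console.log(resolveRegime({ ipCountry: 'CN', browserLanguages: ['en-US'] }));
console.log(buildPiplNotice(SAMPLE_COOKIES));
```

The split between `resolveRegime` and `buildPiplNotice` mirrors the two decisions a CMP makes: which legal regime governs this visitor, and then what that regime requires the notice to contain. Keeping the cross-border list keyed by vendor rather than by cookie is what lets the consent record double as the transfer documentation the next section asks for.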
Consent Storage Considerations
PIPL's data localization requirements mean that consent records for Chinese users may need to be stored on servers within China if your data processing volumes exceed the CAC's thresholds. For most international websites with incidental Chinese traffic, this threshold is unlikely to be met, but high-traffic sites targeting China should consult with local legal counsel.
Cross-Border Transfer Documentation
When a Chinese user consents to cookies that send data to servers outside China (which is the case for virtually all Western analytics and advertising platforms), the CMP should document this consent as part of the cross-border transfer justification. The consent notice should explicitly mention that data will be transferred internationally.
Practical Steps for Global Compliance
Here is a prioritized action plan for websites that need to address PIPL alongside GDPR:
- Audit your Chinese traffic: Check your analytics to understand what percentage of your visitors come from China. If it is negligible, your risk is lower but not zero.
- Map your cookies to PIPL categories: Determine which cookies process personal information under PIPL's definition and whether any involve sensitive personal information.
- Implement geo-targeted consent: Use a CMP that can present different consent experiences based on visitor location, with appropriate language and legal basis for each region.
- Update your privacy policy: Add a section specifically addressing PIPL rights and your data processing practices for Chinese users.
- Review cross-border transfers: Document how personal information of Chinese users is transferred and processed internationally, and ensure you have a valid transfer mechanism.
Important note: PIPL compliance for websites targeting China can be complex, and the regulatory guidance is still evolving. This article provides a general overview, but organizations with significant Chinese operations or user bases should seek legal advice specific to their situation.
FlexyConsent supports geo-targeted consent experiences with region-specific rules, allowing you to address GDPR, PIPL, CCPA, and other privacy laws from a single platform. The free plan includes geo-detection and multi-region consent configuration.