verified_user
Standardful
Homechevron_rightStandardschevron_rightPIPL
ActiveInternational Standardupdate Standard Updated: Nov 2021fact_check Fact checked: Jun 28, 2026

PIPL

Personal Information Protection Law — 中华人民共和国个人信息保护法

apartmentPublishing Organization:Cyberspace Administration of China (CAC)

Standard Introduction

PIPL is an active standard published by Cyberspace Administration of China (CAC). It is commonly used across Technology, Finance & Banking, Retail, Healthcare, Services and applies in China.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with PIPL.

public

Extraterritorial Application

Applies to processing of personal information of individuals within China, even when the data processor is located outside China — covering foreign companies offering products or services to Chinese residents.

warning

Severe Penalties

Grave violations can incur fines up to RMB 50 million or 5% of the previous year's annual revenue, plus personal liability for responsible individuals up to RMB 1 million and bans from senior positions.

lock

Strict Cross-Border Rules

Cross-border data transfers require security assessments, standard contracts, or certification — with mandatory CAC security assessment for critical information infrastructure operators and large-scale processors.

list_alt Core Principles

  • Lawfulness, legitimacy, necessity, and good faith
  • Purpose limitation and data minimization
  • Transparency and openness
  • Data quality and accuracy
  • Accountability and security
  • Separate consent for sensitive personal information
  • Restrictions on automated decision-making
  • Special protections for minors under 14

Who Needs to Comply?

groups

Any organization that processes personal information of individuals within China — including Chinese companies, foreign companies with operations in China, and foreign companies that offer products or services to or analyze behavior of individuals in China.

Key Requirements

1

Legal Basis for Processing

Establish a lawful basis before processing personal information — individual consent, contract necessity, legal obligation, public health emergency, public interest, or information already made public by the individual.

2

Separate Consent for Sensitive Data

Obtain specific, informed separate consent before processing sensitive personal information including biometrics, religious beliefs, medical health data, financial accounts, location tracking, and data of minors under 14.

3

Cross-Border Data Transfer Compliance

For transferring personal information outside of China, complete a CAC security assessment (for CII operators or large-scale data), enter into standard contracts, or obtain personal information protection certification.

4

Personal Information Protection Impact Assessment

Conduct impact assessments before processing sensitive data, using personal information for automated decision-making, transferring data cross-border, or any processing that may significantly affect individuals' rights.

5

Incident Notification

Immediately take remedial measures upon discovering a personal information security incident. Notify the relevant regulatory authority and affected individuals, including the types of information involved, causes, and remediation measures.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define China personal-information scope

Map personal-information processing involving individuals in China, identify processors and entrusted parties, classify sensitive personal information, automated decision-making, minors data, and cross-border transfer scenarios.

2
Phase 2schedule Duration: 4-8 weeks

Establish lawful processing and notices

Document processing purposes, necessity, legal bases, separate-consent scenarios, privacy notices, retention periods, individual-rights processes, and the responsible person or local representative where applicable.

3
Phase 3schedule Duration: 8-20 weeks

Control sensitive data and transfers

Implement consent capture, personal-information protection impact assessments, security measures, entrusted-processing contracts, automated-decision safeguards, and cross-border transfer mechanisms such as security assessment, certification, or standard contracts.

4
Phase 4schedule Duration: Ongoing

Maintain inspections and change control

Refresh impact assessments, records, notices, and transfer filings as products, vendors, purposes, laws, or CAC guidance change. Prepare evidence for audits, complaints, and regulator inquiries.

Compliance Checklist

0 / 12

checklist Scope and lawful basis

checklist Individual rights and consent

checklist Security and transfers

Penalties & Enforcement

warning

For serious violations: fines up to RMB 50 million (approximately USD 7 million) or 5% of the prior year's annual revenue, suspension or termination of business, and revocation of business licenses. Responsible individuals face fines of RMB 100,000 to RMB 1 million and may be banned from holding senior management or DPO positions.

Frequently Asked Questions

When does PIPL apply outside China?

expand_more

PIPL can apply to organizations outside China when they process personal information of individuals in China to provide products or services, analyze or evaluate behavior, or in other circumstances provided by law.

What is separate consent?

expand_more

Separate consent is a distinct consent required for certain higher-risk activities, such as processing sensitive personal information, transferring personal information to another processor, public disclosure, or cross-border transfer.

What rights do individuals have under PIPL?

expand_more

Individuals have rights to know, decide, restrict or refuse processing, access and copy personal information, correct or supplement inaccurate data, delete data in specified circumstances, and request explanations of processing rules.

How are cross-border transfers handled?

expand_more

Transfers may require a CAC security assessment, personal-information protection certification, or standard contract filing depending on the processor type, volume, and data involved. A personal-information protection impact assessment and individual notice are also important.

What evidence should processors keep?

expand_more

Keep data maps, notices, consent records, impact assessments, transfer documents, entrusted-processing agreements, security controls, incident records, and records showing how individual requests were handled.

Official Documentation

View All

Implementation Timeline

edit_document
Oct 2020
PIPL draft published for public comment
gavel
Aug 2021
PIPL adopted by the Standing Committee of the National People's Congress
check_circle
Nov 2021
PIPL entered into force
description
Feb 2023
Standard Contract Measures for cross-border personal information transfer took effect
update
March 2024
Regulations on Promoting and Regulating Cross-Border Data Flows issued, relaxing some transfer requirements

Related Categories