PIPL

Personal Information Protection Law of the People's Republic of China

China | Opt-in | National

Key Facts

  • Effective Date: November 1, 2021
  • Enacted: August 20, 2021
  • Enforcing Authority: Cyberspace Administration of China (CAC)
  • Consent Model: Opt-in
  • Applies To: All organizations processing personal information of individuals within China, regardless of location (extraterritorial scope)

Overview

The PIPL is one of three pillars of China's data governance framework alongside the Cybersecurity Law and Data Security Law. For websites, non-essential cookies must be blocked until visitors actively opt in — simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, and third-party data provision.

What This Means for Your Website

  • Prior, informed, specific consent is required before placing any non-essential cookies on Chinese visitors
  • Separate consent is needed for sensitive data processing, cross-border transfers, public disclosure, and third-party provision
  • Foreign organizations serving Chinese users must establish a dedicated entity or appoint a representative in China
  • Data localization requirements apply for critical information infrastructure operators
  • Cross-border transfers require security assessment, standard contracts, or certification

Key Requirements

The CAC enforces the PIPL with penalties up to 50 million RMB or 5% of previous year's revenue for major violations. Organizations may also face business restrictions, suspension, and personal liability for responsible personnel. The tri-path framework for cross-border transfers (security assessment, standard contracts, certification) was completed in 2026.

How ConsentStack Handles This

ConsentStack blocks all non-essential cookies for Chinese visitors until active opt-in consent is given, with separate consent mechanisms for cross-border data transfers and third-party data sharing.

Penalties

Major violations: up to 50M RMB or 5% of the previous year's revenue. Minor violations: up to 1M RMB. Responsible persons: up to 100K RMB.

  • Maximum Fine: CN¥50,000,000 aggregate
  • Revenue-based: 5% of annual revenue

Key Requirements

  • Prior informed specific consent before placing non-essential cookies
  • Separate consent for sensitive data, cross-border transfers, and third-party provision
  • Cross-border transfers require security assessment, contracts, or certification
  • Data Protection Impact Assessment for certain processing
  • Data localization for critical information infrastructure operators
  • Mandatory breach notification

Notable Provisions

  • Tri-pillar framework: PIPL + CSL + DSL
  • January 2026 CSL amendments increase penalties and enforcement
  • Foreign organizations must establish an entity or appoint a representative in China
  • Minors' data requires compliance audits

Other Asia Pacific Regulations

Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Indonesia PDP Law (Indonesia)
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Frequently Asked Questions

Does China require cookie consent?

Yes. Non-essential cookies must be blocked until visitors actively opt in. Simply noting cookie use in a privacy policy is insufficient under the PIPL.

What are the PIPL penalties?

Up to 50 million RMB or 5% of the previous year's revenue for major violations. Responsible persons face up to 100,000 RMB and potential business bans.

Does the PIPL have extraterritorial scope?

Yes. The PIPL applies to all organizations processing personal information of individuals in China, regardless of where the organization is based.

What is China's data governance framework?

China has a tri-pillar framework: PIPL (personal data), CSL (cybersecurity), and DSL (data security). All three interact to form comprehensive data governance.
