Privacy Regulations in China

China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.

The CSL establishes China's legal framework for cybersecurity obligations including network security, critical infrastructure protection, and data security. The January 2026 amendments represent the first major overhaul since 2017, significantly increasing penalties and broadening extraterritorial enforcement. Cookie-specific requirements are addressed by the PIPL.

The DSL establishes China's data security governance framework with a classification system for core, important, and general data. For website operators, it primarily affects how collected data is stored and secured rather than how consent is obtained. Cookie-specific consent is addressed by the PIPL.