China Data Privacy Laws: PIPL, CSL & DSL Compliance Guide (2026)

China's data privacy regime rests on three statutes: the Personal Information Protection Law (PIPL, effective November 1, 2021), the Data Security Law (effective September 1, 2021), and the Cybersecurity Law, substantially amended January 1, 2026. PIPL governs personal data collection, consent, cross-border transfers, and penalties up to CNY 50 million for serious violations.
China has built one of the world's most comprehensive -- and most consequential -- data privacy frameworks. It is not a copy of any foreign model. It reflects China's own policy priorities: national security, state oversight of private-sector data power, and rapid digital-economy growth. For any business that collects data from people in China, stores that data in China, or transfers it across Chinese borders, understanding these laws is a compliance requirement, not an option.
The rules have continued tightening. The Cybersecurity Law was overhauled effective January 1, 2026. Cross-border transfer certification rules were finalized effective the same date. Mandatory compliance audits began in May 2025. Cybersecurity incident reporting timelines were compressed to as little as one hour for the most critical operators in November 2025. Minors' data processing now requires annual audit filings. Enforcement has moved from sporadic to systematic.
This guide covers the framework as it stands in 2026 -- the foundational laws, enforcement structure, processing requirements, cross-border rules, penalties, and what compliance looks like in practice. Information in this article is accurate as of May 2026. Consult an attorney for advice specific to your situation.
Quick Answer: What Are China's Main Data Privacy Laws?
Three statutes form the core of China's data protection regime, often called the "three pillars."
The Personal Information Protection Law (PIPL), effective November 1, 2021, is China's dedicated personal data statute. It establishes legal bases for processing, individual rights, consent requirements, cross-border transfer rules, and the compliance audit framework. It is the closest Chinese equivalent to the EU's GDPR, though it differs in important ways.
The Data Security Law (DSL), effective September 1, 2021, governs data handling broadly -- not just personal information. It introduced a tiered classification system separating "core data," "important data," and general data, with escalating protection requirements for each tier.
The Cybersecurity Law (CSL), originally effective June 1, 2017 and substantially amended effective January 1, 2026, addresses network security obligations, critical information infrastructure protection, data localization for certain operators, and real-name registration requirements.
Below these three statutes sits a growing body of implementing regulations. The most significant is the Network Data Security Management Regulations, issued by the State Council and effective January 1, 2025. It fills operational gaps in all three pillar laws and introduced thresholds and obligations for large platform operators.
The Civil Code Foundation
Before the PIPL existed, China's Civil Code -- adopted in May 2020 and effective January 1, 2021 -- established privacy and personal information protection as civil law personality rights.
Articles 1032 and 1033 define the right to privacy for the first time in Chinese legislation. No organization or individual may infringe on another person's privacy by spying, invading, harassing, or disclosing their information.
Articles 1034 through 1039 address personal information specifically. Article 1034 defines personal information as "various information recorded in electronic or other form that can identify a natural person individually or in combination with other information" -- including name, date of birth, ID number, biometric data, address, phone number, email, and health and location information. Article 1035 requires consent and transparency as preconditions for lawful collection and use. Article 1037 grants individuals the rights to access, correct, and request deletion of their personal information.
The Civil Code's role is foundational but supporting. It gave individuals private causes of action for privacy violations and established the conceptual groundwork that the PIPL later developed into a comprehensive regulatory regime. Individual civil claims and regulatory enforcement can run in parallel.
The Cyberspace Administration of China (CAC)
The Cyberspace Administration of China is the lead regulator for data protection and online content. It oversees overall planning, coordination, and enforcement of personal information protection. The CAC issues implementing regulations, conducts investigations, levies fines, and has the authority to order the suspension or shutdown of non-compliant applications and services.
Several other agencies share enforcement responsibilities within their sectors:
- The Ministry of Industry and Information Technology (MIIT) handles telecommunications and internet service providers
- The Ministry of Public Security (MPS) investigates cybersecurity crimes and handles criminal enforcement
- The State Administration for Market Regulation (SAMR) oversees consumer protection and certification bodies
- Sector-specific regulators in finance (People's Bank of China, CBIRC), healthcare, and transportation enforce data rules within their domains
Local CAC offices and cybersecurity bureaus conduct investigations at the provincial and municipal level. Companies can face simultaneous scrutiny from multiple regulators -- the Didi investigation, for example, involved the CAC, MPS, MIIT, SAMR, and the National Security Bureau acting jointly.
The Amended Cybersecurity Law (Effective January 1, 2026)
The Standing Committee of the National People's Congress approved amendments to the CSL on October 28, 2025. They took effect January 1, 2026 -- the first major overhaul of the law since it was enacted in 2017.
Penalty Increases
The amendments significantly raised fines. For network operators that fail to fulfill cybersecurity obligations where violations cause "particularly serious consequences," the maximum fine increases to CNY 10 million for the organization and CNY 1 million for directly responsible individuals.
For standard violations by non-CIIO network operators, the previous ceiling of CNY 100,000 rose to CNY 500,000 for general violations and CNY 2 million for serious violations.
Critical Information Infrastructure Operators face the highest exposure. In practice, the CNY 10 million cap is reserved for CIIOs where violations cause particularly serious harm. For most commercial businesses that are not CIIOs, the CNY 2 million serious-violation ceiling is the practical upper limit under the CSL.
Expanded Extraterritorial Reach
The amended CSL broadened the scope of overseas activities subject to Chinese enforcement. Previously, extraterritorial CSL enforcement applied only to overseas activities that endangered critical information infrastructure. The 2026 amendments expand this to any overseas activities that endanger China's cybersecurity generally -- bringing the CSL closer to the PIPL's broader extraterritorial approach.
AI and Algorithmic Provisions
The amendments added provisions specifically addressing artificial intelligence and algorithmic services. They codify security assessment requirements for AI products and services and align the CSL with CAC regulations on deep synthesis and generative AI that were already in force.
Data Security Law: Data Classification Framework
The DSL, effective September 1, 2021, governs data handling activities across all sectors -- not just personal information. Its most important contribution is a tiered classification system.
Core data is data related to national security, national economy operation, people's livelihood, and major public interests. Unauthorized handling or export can constitute a criminal offense. The government has not published a comprehensive public list of what qualifies; sectoral regulators define core data categories for their industries.
Important data is data whose tampering, destruction, leakage, or unlawful use could harm national security, the public interest, or the lawful rights and interests of individuals or organizations. The Network Data Security Management Regulations revised the threshold for personal data to qualify as important data upward, from 1 million to 10 million individuals.
General data encompasses all other data and is subject to baseline security obligations.
The DSL applies to all data handling activities within China and can reach extraterritorially when overseas data handling harms Chinese national security, public interests, or the rights of Chinese citizens or organizations.
Legal Bases for Processing Personal Information
The PIPL's approach to lawful processing differs from the GDPR in one critical way: legitimate interest is not a valid legal basis. Every processing activity must fit within one of the bases enumerated in Article 13.
Consent is the default and most commonly used basis. Consent must be voluntary, informed, and expressed through affirmative action. Pre-ticked boxes or blanket acceptance of terms do not satisfy the requirement.
Necessity to perform a contract covers processing objectively necessary to execute a contract to which the data subject is a party or to take pre-contractual steps at their request.
Necessity to fulfill statutory duties or obligations applies when processing is required by law -- tax reporting, employment records, and anti-money-laundering obligations fall here.
Public health emergencies permit processing where necessary to respond to emergencies or to protect natural persons' life, health, or property.
News reporting and public interest supervision allow journalists and supervisory organizations to process already-public personal information for reporting purposes where the public interest is served.
Human resources management in accordance with lawfully established labor rules and collective contracts is a permitted basis for employment-related processing.
Foreign entities processing the personal information of people in China under the PIPL's extraterritorial scope must identify a lawful basis from this list, just as domestic processors must.
Consent Rules That Go Beyond the GDPR
Several consent-specific rules under the PIPL are stricter than GDPR requirements:
- Handlers may not bundle consent for non-essential processing with provision of core products or services. If a user declines consent to targeted advertising, the handler must still provide the core service.
- Separate consent is required for sensitive personal information, cross-border transfers, and automated decision-making that significantly affects individuals.
- Consent may be withdrawn at any time, and withdrawal must be as easy as giving consent was.
- For minors under 14, consent must come from a parent or legal guardian.
Sensitive Personal Information
The PIPL defines sensitive personal information as data whose leakage or illegal use could easily harm a person's dignity or safety, or cause harm to their person or property. The law explicitly identifies:
- Biometric data (facial recognition features, fingerprints, voiceprints, iris scans)
- Religious beliefs
- Specific identities (ethnicity, political views, union membership)
- Medical and health information
- Financial account information (including payment credentials)
- Location tracking data with precision sufficient to identify whereabouts
- Personal information of minors under 14 years of age
Processing sensitive personal information requires a specific purpose, demonstrated necessity, and enhanced protective measures. The handler must obtain separate consent distinct from general processing consent and must complete a Personal Information Protection Impact Assessment (PIPIA) before processing begins. Assessment results must be retained for at least three years.
Facial Recognition
CAC regulations restrict facial recognition technology to public security purposes in public spaces unless each individual provides separate informed consent. Bundling facial recognition consent with other service consents is prohibited. Enforcement has specifically targeted companies that installed facial recognition in retail environments without individual consent.
Individual Rights Under the PIPL
The PIPL grants a comprehensive set of individual rights. Handlers must establish accessible mechanisms for exercising them and must respond in a timely manner. Refusal to respond -- or inadequate responses -- can themselves constitute violations.
Right to be informed: Individuals must receive clear disclosure of the handler's identity, processing purposes, methods, categories of information processed, retention periods, and the procedure for exercising rights, before processing begins.
Right of access and copy: Individuals may request access to their personal information and obtain a copy.
Right to rectification: Individuals may request correction or completion of inaccurate or incomplete personal information. Handlers must act promptly.
Right to deletion: Handlers must delete personal information when processing purposes have been achieved, consent has been withdrawn, the retention period has expired, services have been discontinued, or when processing violates applicable law or agreement.
Right to data portability: Under conditions set by the CAC, individuals may request that their personal information be transferred to another handler they designate.
Right to refuse automated decisions: Where automated decision-making significantly affects individual rights or interests, individuals have the right to request human review and to refuse decisions made solely through automated means.
Rights of deceased persons' next of kin: Relatives of deceased individuals may access, copy, correct, or delete the deceased's personal information for legitimate purposes, unless the deceased expressed contrary wishes while alive.
Data Breach Notification
Under Article 57 of the PIPL, handlers must take immediate remedial action upon discovering a leak, tampering, or loss of personal information and notify both the relevant regulatory authority and affected individuals.
The Cybersecurity Incident Reporting Measures, issued September 11, 2025 and effective November 1, 2025, establish a tiered reporting framework based on the type and severity of the incident:
- Critical Information Infrastructure Operators must report to the CII protection department and Public Security Bureau immediately and no later than one hour after identification
- State organs and subordinate units must report to their CAC office no later than two hours
- Other network operators must report to the provincial CAC within four hours of identifying an in-scope incident
The notification must include the categories of information involved, the cause and potential harm, remedial measures taken, and mitigation steps available to affected individuals. Notification to individual data subjects may be omitted only if the handler has implemented measures that effectively prevent the breach from causing actual harm.
Failure to report -- or delayed reporting -- is itself a separate PIPL violation subject to independent penalties.
Cross-Border Data Transfers: The Three-Pathway Framework
Transferring personal information out of China requires completing one of three CAC-approved mechanisms. The framework became fully operational in early 2026 with the finalization of the certification pathway.

Pathway 1: CAC Security Assessment (Mandatory for High-Risk Transfers)
A security assessment is mandatory -- not optional -- for:
- Critical Information Infrastructure Operators (any cross-border transfer)
- Any handler transferring "important data" abroad
- Handlers that have processed personal information of more than 1 million individuals and are transferring any of that data
- Handlers that have, cumulatively since January 1, 2023, transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals
The process requires the handler to submit a self-assessment to the CAC, which then conducts its own security review. Approval is valid for two years and must be renewed.
Pathway 2: Standard Contractual Clauses (SCCs)
Handlers below the mandatory security assessment thresholds may execute the CAC's prescribed SCC template with the overseas recipient. The SCC imposes obligations on the foreign recipient equivalent to PIPL requirements -- including breach notification, data subject rights, and security measures.
The SCC must be filed with the local CAC authority. The CAC template is not negotiable; parties cannot materially modify it.
Pathway 3: Personal Information Protection Certification
The Measures for Certification of Cross-Border Personal Information Transfer, jointly issued by the CAC and SAMR on October 14, 2025 and effective January 1, 2026, finalized this pathway. The national standard GB/T 46068-2025 took effect March 1, 2026, providing technical certification criteria.
Certification is conducted by CAC-accredited institutions. It is better suited for enterprises with ongoing, high-volume, or complex cross-border data flows -- particularly intragroup transfers within multinational corporations. It functions similarly to Binding Corporate Rules under the GDPR.
Regardless of which pathway is used, handlers must always:
- Obtain separate consent from data subjects for the cross-border transfer
- Complete a PIPIA before the transfer begins
- Ensure the overseas recipient provides protections not lower than PIPL standards
For a detailed comparison of the PIPL and GDPR cross-border transfer mechanisms, see our guide to GDPR vs. PIPL.
Data Localization
China's data localization requirements apply specifically to Critical Information Infrastructure Operators. CIIOs must store all personal information and important data collected and generated during operations in China on servers physically located in mainland China. Transfers of that data abroad require a CAC security assessment -- no other pathway is available to CIIOs.
The sectors most likely to contain CIIOs include public communications, energy, transportation, water resources, finance, public services, and e-government. Designation is handled through a non-public process; businesses in these sectors should assume they may be classified as CIIOs until told otherwise.
For non-CIIOs, localization is not generally required by the PIPL or DSL, though sector-specific regulations in finance and healthcare may impose additional obligations. The practical effect of the mandatory security assessment threshold -- which applies to handlers who have processed more than 1 million individuals -- is that large platforms face a significant compliance burden before any transfer, even if strict localization does not technically apply.
Compliance Audit Requirements (Effective May 1, 2025)
The Measures for Personal Information Protection Compliance Audits, issued February 14, 2025 and effective May 1, 2025, made compliance audits a binding legal obligation under the PIPL rather than a voluntary best practice.
Audit frequency requirements:
- Handlers processing personal information of more than 10 million individuals must conduct at least one audit every two years
- Handlers processing personal information of fewer than 10 million individuals must conduct audits "regularly," with no prescribed frequency -- the interval is left to the handler's judgment based on risk
- Handlers processing minors' personal information must conduct an audit annually and file results with the CAC
Audits may be conducted internally or by an external professional institution. The CAC may also order a mandatory audit by an accredited institution when it identifies high-risk processing, finds that processing may harm a large number of individuals, or follows a serious data incident.
The audit scope must cover legal bases for processing, consent mechanisms, sensitive personal information handling, cross-border transfers, automated decision-making, data subject rights mechanisms, and security measures.
Minors' Personal Information: Annual Filing Requirement
On December 29, 2025, the CAC issued the Announcement on the Filing of Compliance Audits for the Protection of Minors' Personal Information. Any processor of minors' personal information must file audit results with the CAC annually -- the first deadline was January 31, 2026.
The filing covers all processors of minors' data, with no minimum volume threshold. Foreign companies that process minors' personal information to provide products or services in China are included. The CAC filing system accepts submissions from overseas entities.
Data Protection Officer Requirements
Under Article 52 of the PIPL, handlers processing personal information above prescribed thresholds must appoint a personal information protection officer -- China's equivalent of a DPO. The CAC set the threshold at processing personal information of more than 1 million individuals.
In July 2025, the CAC launched an online registration portal. Registrations must include company details, the DPO's identity, nationality, and contact information, and the scope of data processing activities covered. The DPO is responsible for overseeing PIPL compliance, conducting or commissioning audits, and serving as the point of contact for regulatory inquiries.
Foreign entities that fall within the PIPL's extraterritorial scope and that process personal information of more than 1 million Chinese individuals must also designate a representative or establish a legal entity in China -- a requirement separate from but coordinated with the DPO obligation.
Penalties and Enforcement

Penalty Structure Under the PIPL
The PIPL's penalty framework is graduated:
Standard violations trigger orders to rectify, warnings, confiscation of illegal gains, and fines up to CNY 1 million for the organization, plus fines of CNY 10,000 to CNY 100,000 for directly responsible individuals.
Serious violations -- including large-scale breaches, systematic non-compliance, or refusal to correct -- trigger fines up to CNY 50 million or 5% of annual revenue from the prior fiscal year (whichever is higher), plus personal fines up to CNY 1 million, career bans for responsible executives, suspension or shutdown of non-compliant services, and in extreme cases, criminal liability.
Penalty Structure Under the Amended CSL (2026)
The January 2026 CSL amendments introduced a tiered penalty schedule:
- General network operator violations: up to CNY 500,000 (general) or CNY 2 million (serious)
- CIIO violations causing particularly serious consequences: up to CNY 10 million for the organization, CNY 1 million for responsible individuals
Landmark Enforcement Actions
The Didi Chuxing penalty (July 2022) remains the largest data protection fine ever issued. The CAC, acting jointly with five other agencies, fined Didi CNY 8.026 billion (approximately USD 1.2 billion) for violations spanning seven years. The investigation found that Didi illegally processed more than 64.7 billion pieces of personal information, including excessive collection of user data, illegal processing of sensitive vehicle data, and failure to accurately disclose the purpose of data collection. Didi's chairman and president were each personally fined CNY 1 million. The penalty applied the PIPL's 5% annual revenue provision.
European Luxury Brand -- Shanghai Subsidiary (September 2025): Following a data breach discovered May 7, 2025, authorities penalized the Shanghai subsidiary of a major European luxury brand for illegally transferring personal information to its French headquarters without passing a CAC security assessment or using any approved cross-border mechanism, failing to obtain separate consent, and lacking adequate encryption and de-identification measures. This was one of the first publicly disclosed enforcement actions specifically targeting unlawful cross-border transfer mechanisms under the PIPL.
Mobile App and SDK Campaigns (2025): Throughout 2025, the CAC conducted coordinated enforcement targeting six categories: mobile apps and mini-programs, software development kits (SDKs), smart terminals, facial recognition in public spaces, offline consumer data scenarios, and data-related crimes. In September 2025, the CAC published 10 typical enforcement cases -- seven involved inadequate security measures, two involved illegal personal information collection, and one targeted a deep synthesis service that failed to complete required CAC filing.
Generative AI and Deep Synthesis Rules
China has enacted a layered regulatory framework specifically for AI-generated content, operating alongside the PIPL and CSL.
The Regulations on the Management of Deep Synthesis in Internet Information Services prohibit using deepfakes to create or disseminate illegal content, impersonate individuals, or fabricate news. Providers must label AI-generated or AI-manipulated content and maintain the technical capability to identify it.
The Interim Measures for the Administration of Generative AI Services, in effect since August 15, 2023, require generative AI providers to conduct security assessments before public release, implement content filtering, and identify lawful bases for processing personal information used in training data and user inputs.
In March 2025, the CAC released the Measures for Labeling Artificial Intelligence Generated Content and the national standard GB 45438-2025, effective September 1, 2025. These require both visible labeling for users and technically detectable watermarking for automated systems.
Enforcement has directly targeted AI-privacy intersections. The CAC has penalized platforms that cloned individuals' voiceprints and provided AI voice-synthesis services without obtaining separate consent, treating this as a violation of both the PIPL's sensitive personal information rules and the Deep Synthesis Measures.
For businesses deploying AI systems in China: training data must comply with PIPL legal basis requirements including consent where personal information is involved; AI-generated content that involves identifiable individuals requires separate consent; and automated decision-making that significantly affects users triggers disclosure and opt-out rights under Article 24 of the PIPL.
How China's PIPL Compares to the GDPR
The PIPL draws significant inspiration from the GDPR but differs in ways that matter for compliance strategy. See our full comparison at GDPR vs. PIPL. The key operational differences:
| Feature | PIPL | GDPR |
|---|---|---|
| Legitimate interest | Not a valid legal basis | Valid legal basis |
| Government data access | Broad provisions for national security | Necessity and proportionality required |
| Data localization | Mandatory for CIIOs | No general requirement |
| Cross-border mechanisms | Three specific mechanisms plus separate consent | Adequacy decisions, SCCs, BCRs, derogations |
| Consent bundling | Explicitly prohibited for non-essential processing | Prohibited but less explicit |
| DPO threshold | 1 million+ individuals | Nature and scale of processing |
| Maximum fine | CNY 50 million or 5% revenue | EUR 20 million or 4% global turnover |
| Personal liability | Up to CNY 1 million, career bans | Limited emphasis |
| Compliance audits | Mandatory at prescribed intervals | No specific mandate |
The absence of legitimate interest is the most consequential difference for multinationals. Companies that rely on legitimate interest as a processing basis under the GDPR -- for fraud prevention, security monitoring, or marketing analytics -- must identify a different PIPL-compliant basis for those same activities in China.
Business Compliance Checklist
For organizations operating in or handling data from China, compliance requires action across several areas.
Legal basis: Identify a PIPL-compliant lawful basis for every processing activity. Document it in your records of processing activities. There is no legitimate interest option.
Consent mechanisms: Implement separate consent flows for sensitive personal information, cross-border transfers, and non-essential processing. Ensure withdrawal is as easy as giving consent.
Privacy notice: Publish a comprehensive notice covering processing purposes, legal bases, retention periods, cross-border transfers, individual rights, and contact information for the handler and any DPO.
Data subject rights: Establish operational mechanisms for access, correction, deletion, portability, and automated-decision-making opt-out requests.
Cross-border transfers: Determine which pathway applies to each international data flow. If you have processed more than 1 million Chinese users' data, a CAC security assessment is mandatory for any outbound transfer. Others should evaluate whether SCCs or certification are more practical for their transfer volumes.
DPO appointment: Appoint and register a DPO through the CAC's online portal if you process personal information of more than 1 million individuals.
Compliance audits: Schedule audits according to the threshold applicable to your organization. If you process minors' personal information in any volume, an annual audit and CAC filing by January 31 each year is mandatory.
Breach notification: Implement an incident response plan that meets the tiered reporting deadlines -- one hour for CIIOs, four hours for general network operators -- under the November 2025 reporting measures.
PIPIA: Conduct Personal Information Protection Impact Assessments before processing sensitive personal information, implementing automated decision-making with significant individual effects, or making cross-border transfers.
AI and deep synthesis: If you deploy generative AI or systems that process biometric or voice data, ensure separate consent for sensitive personal information, content labeling compliance, and PIPL-compliant training data practices.
For a deeper look at how China's recording and surveillance rules interact with privacy law, see our article on China recording laws.
Frequently Asked Questions
Does China's PIPL apply to companies outside China?
Yes. The PIPL has explicit extraterritorial reach. It applies to foreign entities that process personal information of people within China for the purpose of providing products or services to them or analyzing and assessing their behavior. Such entities must designate a representative or establish a legal entity in China to handle personal information protection matters and must comply with the same substantive requirements as domestic handlers.
What are the three cross-border data transfer mechanisms under China's PIPL?
The three mechanisms are: (1) a CAC security assessment, which is mandatory for Critical Information Infrastructure Operators, handlers of important data, and handlers that have processed personal information of more than 1 million individuals; (2) standard contractual clauses using the CAC-prescribed template, available for lower-volume or lower-risk transfers; and (3) personal information protection certification by a CAC-accredited institution, which became fully operational effective January 1, 2026. All three mechanisms require separate consent from data subjects and completion of a Personal Information Protection Impact Assessment before any transfer.
What changed in China's Cybersecurity Law effective January 1, 2026?
The October 2025 amendments to the Cybersecurity Law -- effective January 1, 2026 -- significantly raised fines. For Critical Information Infrastructure Operators, the maximum penalty increased to CNY 10 million where violations cause particularly serious consequences. For general network operators, the ceiling for serious violations rose to CNY 2 million. The amendments also broadened extraterritorial enforcement beyond critical infrastructure to cover any overseas activity that endangers China's cybersecurity, and added provisions addressing AI and algorithmic security.
What are China's mandatory compliance audit requirements for data processors?
Under the PIPL Compliance Audit Measures (effective May 1, 2025), entities processing personal information of more than 10 million individuals must audit at least once every two years. Entities processing fewer than 10 million must audit regularly, with frequency determined by the entity based on risk. Any entity processing minors' personal information -- regardless of volume -- must conduct an annual audit and file results with the CAC by January 31 each year. The CAC may also order a mandatory audit after a serious incident or when it identifies high-risk processing.
How long does a company have to report a data breach in China?
Under the Cybersecurity Incident Reporting Measures effective November 1, 2025, the timeline depends on the type of operator. Critical Information Infrastructure Operators must report to the CII protection department and Public Security Bureau within one hour. State organs must report within two hours. Other network operators must report to the provincial CAC within four hours of identifying an in-scope incident. Failure to report or delayed reporting is an independent PIPL violation subject to additional penalties.
Does China require data localization?
Mandatory localization applies to Critical Information Infrastructure Operators, which must store personal information and important data collected in China on servers physically located in mainland China. For non-CIIOs, general data localization is not required under the PIPL or DSL, though sector-specific rules in finance, healthcare, and telecommunications may impose additional storage requirements. Transfers out of China by non-CIIOs are permitted through the approved cross-border mechanisms.
What is the largest data privacy fine China has issued?
The CAC fined Didi Chuxing CNY 8.026 billion (approximately USD 1.2 billion) in July 2022 for violations spanning seven years. The investigation found that Didi illegally processed more than 64.7 billion pieces of personal information, including excessive collection of user data and unlawful processing of vehicle data. Didi's chairman and president were each personally fined CNY 1 million. The fine remains the largest data protection penalty issued by any regulator globally, surpassing the EUR 746 million fine imposed on Amazon under the GDPR.
What is legitimate interest and why does it matter for China compliance?
Legitimate interest is a legal basis for processing personal information under the GDPR that allows controllers to process data when their interests outweigh the privacy interests of the data subject, without requiring consent. China's PIPL does not recognize legitimate interest as a valid basis. Companies that rely on legitimate interest under GDPR for activities like fraud prevention, network security monitoring, or marketing analytics must identify a different PIPL-compliant basis -- typically consent or contractual necessity -- for those same activities in China.
Sources and References
- Personal Information Protection Law full text, Stanford DigiChina translation (digichina.stanford.edu)
- China: Amended Cybersecurity Law Takes Effect, Library of Congress (loc.gov)
- China Finalises Amendments to the Cybersecurity Law, Mayer Brown (mayerbrown.com)
- Regulation on Network Data Security Management, PRC State Council (english.www.gov.cn)
- Hong Kong PCPD overview of Mainland PIPL (pcpd.org.hk)
- CAC fines Didi RMB 8 billion for PIPL, CSL, and DSL violations (dataguidance.com)
- Measures for Personal Information Protection Compliance Audits, Mayer Brown (mayerbrown.com)
- China Cross-Border Data Transfer Certification Measures, China Briefing (china-briefing.com)
- China Data Privacy Enforcement: Cross-Border Transfer Cases, Arnold and Porter (arnoldporter.com)
- China Annual Filing Requirement for Audits of Minors' Personal Information, Arnold and Porter (arnoldporter.com)
- New Cybersecurity Incident Reporting Measures in China, Bird and Bird (twobirds.com)
- China DPO Reporting Requirement Now in Effect, Covington Inside Privacy (insideprivacy.com)
- PIPL vs GDPR Key Differences, China Briefing (china-briefing.com)
- Network Data Security Management Regulations, IAPP (iapp.org)
- China Cybersecurity Law Amendments Increase Penalties, Latham and Watkins (lw.com)