China’s Personal Information Protection Law (PIPL) requires that organizations obtain clear, informed, and voluntary consent from individuals before collecting or processing their personal information — including data gathered through cookies. Is your website ready for consent management requirements?
The Personal Information Protection Law (PIPL) is China’s comprehensive data privacy legislation that came into effect on November 1, 2021. It regulates the collection, use, storage, and transfer of personal information of individuals within China. The PIPL is similar in scope to the EU’s GDPR, emphasizing user rights, lawful processing, and data minimization.
If your business collects or processes data from individuals in China, you must comply with the PIPL—even if your organization is not physically located in China. Key requirements include:
Control consent: Obtain explicit user consent
Review data practices: Provide individuals with access to their data, including the ability to correct and delete it
Audit and assess risk: Conduct privacy impact assessments for sensitive or high-risk processing
Appoint a DPO: Bring on board a local data representative if operating from abroad
Any organization that handles the personal data of individuals in China must comply with the PIPL, regardless of where the company is based in the world. This includes websites, apps, service providers, and international businesses offering goods or services to people in China or analyzing their behavior.
The PIPL gives consumers in China various data privacy rights, including:
Request to be informed about how personal information is being collected, used and shared
Request that inaccurate, incomplete or out-of-date information be corrected or entirely deleted
Restrict or prohibit the processing of personal data
Request explanations regarding rules and logic behind automated decision-making
Request to receive and transfer data collected
Ability to withdraw consent for data processing at any time
Under the PIPL, cookies that collect personal information require prior, informed, and specific consent from users. This applies to tracking cookies, analytics tools, and advertising technologies. Simply stating cookie use in a privacy policy is not enough; users must actively opt in, and they should be able to withdraw consent just as easily.
Violations of the PIPL can result in severe penalties, including fines of up to 50 million RMB (approx. 7 million USD) or 5% of the previous year's annual revenue. Non-compliant organizations may also face business restrictions, suspension of operations, reputational damage, and legal liability for responsible personnel.
Some best practices to bring your data privacy approach in line with PIPL compliance include:
Audit: Conduct a data audit to identify all cookies and trackers on your website
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management: Ensure consent banners are implemented correctly, enable users to withdraw consent at any time, and maintain consent logs
Check partner and third-party contracts: Review third-party data-sharing practices
Give staff training: Ensure that employees are trained to understand and comply with the PIPL
The PIPL applies to the processing of personal information of individuals within China. It also applies to data handlers outside China if they process personal data of individuals in China for the purpose of offering products/services or analyzing user behavior.
Personal data refers to any information, recorded electronically or otherwise, that can identify a natural person—either alone or when combined with other information. This includes names, addresses, ID numbers, and other identifiable information.
Sensitive personal data includes information that, if leaked or misused, could harm an individual's dignity or personal and property safety. This includes biometric data, religious beliefs, medical health, financial accounts, location tracking, and data of minors under the age of 14.
The Cyberspace Administration of China (CAC) is the primary authority responsible for enforcing the PIPL and overseeing data protection matters in China.
PIPL does not apply to personal data handled by individuals for personal or household affairs. However, once such data is used beyond this scope—such as for business or public purposes—the PIPL may apply.
You can find official information and updates about the PIPL on the website of the Cyberspace Administration of China (CAC) or consult professional legal and data protection resources that specialize in Chinese data privacy law.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.