China's Personal Information Protection Law (PIPL) is one of the world's strictest privacy regulations. We help companies build compliant data practices from the ground up—or fix gaps before regulators find them.
The Personal Information Protection Law (个人信息保护法) is China's comprehensive data privacy law, often compared to GDPR but with stricter requirements in several areas. It applies to any organization processing personal information of individuals in China—even if the company has no physical presence there.
PIPL applies to overseas companies that: (1) provide products/services to people in China, (2) analyze/evaluate behavior of people in China, or (3) process personal information of people in China for any other purpose specified by law.
Any processing of personal information of individuals located in mainland China.
Requires one of 7 legal bases for processing, with consent as the default.
Extra protections for biometrics, health, financial, location, and minors' data.
Strict rules on international data transfers—CAC assessment, SCC, or certification required.
PIPL introduces obligations that may be familiar from GDPR, but with China-specific nuances that catch many companies off guard.
Obtain separate, explicit consent for: sensitive data processing, cross-border transfers, automated decision-making, public disclosure, and any third-party sharing. Consent must be informed, voluntary, and withdrawable.
Provide clear, prominent privacy notices including: processor identity, purpose and method, data types, retention periods, data subject rights, and cross-border transfer details. Must be in Chinese and understandable.
Implement mechanisms for: access, correction, deletion, portability, withdrawal of consent, and explanation of automated decisions. Must respond within 15 business days in most cases.
Collect only what's necessary for stated purposes. Cannot refuse service if a user declines non-essential data collection. Regular reviews required to delete unnecessary data.
Implement appropriate technical and organizational measures. Encryption, access controls, incident response plans, and regular security assessments are expected.
Overseas companies processing Chinese personal data must designate a local entity or representative in China to handle compliance matters and liaise with regulators.
We offer end-to-end PIPL compliance support, from initial assessment to ongoing monitoring.
Comprehensive review of your current data practices against PIPL requirements.
Includes: Data flow mapping, policy review, technical controls audit, risk prioritization matrix, remediation roadmap.
China-compliant privacy policies and internal procedures.
Includes: Chinese-language privacy notice, consent forms, data processing agreements, retention schedules, breach response procedures.
Implement the technical controls PIPL requires.
Includes: Consent management platform integration, data subject request workflows, audit logging, encryption standards.
Ensure your team understands their PIPL obligations.
Includes: Executive briefings, staff training modules, China-specific privacy awareness, incident response drills.
Ongoing support to maintain compliance as regulations evolve.
Includes: Regulatory updates, annual assessments, policy updates, audit support.
Serve as your designated PIPL representative in China.
Includes: Regulatory liaison, complaint handling, documentation filing, annual reporting.
If you process personal information of anyone in China, PIPL applies to you. Here are common scenarios:
Selling to Chinese consumers
Apps with Chinese users
Cloud services used in China
China subsidiaries or employees
Games accessible in China
Chinese tourists or travelers
Telemedicine, health apps
Online education platforms
"We don't have offices in China, so PIPL doesn't apply to us." Wrong. PIPL has extraterritorial effect. If Chinese residents use your app, website, or services, you need to comply.
Don't wait for a regulator to find your gaps. We'll assess your current state and build a practical roadmap to compliance.