Personal Information Protection Law (PIPL)
Complete compliance guide for companies with <200 employees. Everything you need to know about PIPL requirements, deadlines, and penalties.
30 calendar days
+ 30 days extension
CNY 50,000,000/violation
Up to CNY 50 million or 5% of annual revenue for serious violations (Art. 66). Responsible individuals face personal fines of CNY 100,000 to CNY 1,000,000. Authorities may also suspend or terminate business operations. Didi Global was fined CNY 8.026 billion (~USD 1.2B) in 2022.
No threshold
$15,000 – $50,000
12-26 weeks
Mid-Market Compliance Guide
PIPL is one of the strictest data protection laws globally, comparable to GDPR. It applies extraterritorially to processing of Chinese residents' data. Cross-border data transfers face significant restrictions including mandatory government security assessments for large-scale transfers. Companies should seek local legal counsel.
Key Requirements
- Lawful basis for processing (consent, contractual necessity, etc.)
- Separate consent for sensitive personal information
- Cross-border transfer requires security assessment, SCCs, or certification
- Data localization for critical information infrastructure operators
- Personal Information Protection Impact Assessment for high-risk processing
- Designate a responsible person for personal information protection
Business Obligations
1. Adopt internal management systems and operating procedures
2. Implement classified management of personal information
3. Conduct regular compliance audits
4. Perform impact assessments for sensitive data and cross-border transfers
5. Appoint a person responsible for PI protection (>1M individuals)
Exemptions
- Processing by natural persons for personal/family purposes
- Processing for news reporting in the public interest
- Statistical and archival purposes (de-identified data)
- Government agencies performing statutory duties
Recommended Compliance Tools
- BigID: AI-powered data intelligence for privacy and security; PIPL data localization and classification support
- TrustArc: Enterprise privacy management with built-in regulatory intelligence; PIPL compliance assessment and monitoring
- Securiti: AI-powered data command center for privacy, security, and governance; PIPL cross-border data transfer management
- Ketch: Programmatic privacy platform for responsible data use; PIPL consent requirements support
Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.
