The Personal Information Protection Law (PIPL) of China establishes a comprehensive framework for the processing of personal data, emphasizing the importance of consent. This guide delves into the specific consent requirements under PIPL, including separate consent, explicit consent, and the rights of individuals to withdraw consent, providing organizations with the necessary insights to ensure compliance.
| Regulation | PIPL |
|---|---|
| Max Penalty | Up to RMB 50M or 5% of revenue |
| Enforcing Authority | Cyberspace Administration of China (CAC) |
| Official Source | PIPL Official Text |
## What Is PIPL?
The Personal Information Protection Law (PIPL), effective from November 1, 2021, represents a significant shift in China’s approach to data privacy. It aims to protect personal information rights and interests, promote the reasonable use of personal data, and establish a framework for compliance that aligns with global standards. PIPL is designed to regulate how organizations collect, store, and process personal information, ensuring that individuals maintain control over their data.
PIPL’s introduction reflects China’s growing recognition of the need for robust data protection mechanisms, similar to frameworks like the General Data Protection Regulation (GDPR) in Europe. The law applies to all organizations that process personal data of individuals within China, regardless of where the organization is based. This extraterritorial reach underscores the importance of compliance for international businesses operating in the Chinese market.
## Who Must Comply
Organizations that handle personal information of individuals in China must comply with PIPL, regardless of their geographical location. This includes foreign companies that provide services or products to Chinese consumers or process data of Chinese citizens. Compliance is not optional; organizations must ensure that their data processing activities align with PIPL’s stringent requirements.
The law applies to various sectors, including technology, finance, healthcare, and e-commerce. Organizations must assess their data processing activities to determine whether they fall under the purview of PIPL. This includes evaluating the types of personal data collected, the purposes for which it is processed, and the mechanisms in place for obtaining consent.
## Core Compliance Requirements
Lawful grounds for processing. Under PIPL, organizations must establish a lawful basis for processing personal information. Consent is one of the primary grounds, but other bases include contractual necessity, compliance with legal obligations, and protection of vital interests. Organizations must carefully evaluate which basis applies to their specific data processing activities.
Separate consent. PIPL mandates that organizations obtain separate consent for different processing activities. This means that consent must be specific to the purpose for which personal data is being collected and processed. Organizations cannot bundle consent for multiple purposes into a single agreement; each purpose must be clearly articulated, and consent must be obtained for each one.
Explicit consent. For certain sensitive categories of personal information, such as biometric data, health information, and data of minors, PIPL requires explicit consent. This means that organizations must obtain clear and affirmative consent from individuals before processing such sensitive data. The explicit consent requirement emphasizes the need for transparency and clarity in how sensitive data is handled.
Withdrawal rights. PIPL grants individuals the right to withdraw their consent at any time. Organizations must have mechanisms in place to facilitate this withdrawal and must inform individuals of their right to do so. Upon withdrawal, organizations are obligated to cease processing the individual’s personal data unless they have another lawful basis for continuing the processing.
Transparency and notice. Organizations must provide clear and accessible information to individuals about their data processing activities. This includes details about the types of personal data collected, the purposes of processing, the legal basis for processing, and the rights of individuals under PIPL. Transparency is crucial for building trust and ensuring compliance with the law.
## Penalties and Enforcement
Non-compliance with PIPL can result in severe penalties. The Cyberspace Administration of China (CAC) is the primary enforcing authority and has the power to impose fines of up to RMB 50 million or 5% of an organization’s annual revenue, whichever is higher. In addition to financial penalties, organizations may face reputational damage and operational restrictions.
The enforcement landscape under PIPL is evolving, with the CAC actively monitoring compliance and investigating potential violations. Organizations should be aware that enforcement actions may include audits, investigations, and public disclosures of non-compliance. Proactive compliance measures are essential to mitigate the risk of enforcement actions and penalties.
## Building a Defensible Compliance Program
To effectively navigate the complexities of PIPL, organizations should establish a robust compliance program. This program should include the following steps:
- Conduct a comprehensive data inventory to identify all personal data processed.
- Assess the legal basis for each data processing activity.
- Develop clear and accessible privacy notices that inform individuals about their rights.
- Implement mechanisms for obtaining and managing consent, including separate and explicit consent where required.
- Establish processes for handling withdrawal of consent and ensuring compliance with individuals’ requests.
- Train employees on PIPL requirements and the importance of data protection.
- Regularly review and update compliance policies and procedures to reflect changes in the law.
- Engage with legal and compliance experts to ensure ongoing adherence to PIPL.
## Practical Implementation Priorities
Data mapping and assessment. Organizations should begin by mapping their data processing activities to understand what personal information is collected, how it is used, and the legal basis for processing. This assessment will inform the development of compliance strategies and help identify areas of risk.
Consent management. Implementing a robust consent management system is critical for compliance with PIPL. Organizations must ensure that consent is obtained separately for each processing purpose and that explicit consent is secured for sensitive data. This system should also facilitate easy withdrawal of consent by individuals.
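The consent rules described under Core Compliance Requirements (one consent per articulated purpose, explicit consent for sensitive categories, withdrawal that ends consent-based processing unless another lawful basis applies) translate directly into the record structure and checks a consent management system needs. The following is an added illustration, not code from this page or from any vendor product: a minimal in-memory consent ledger in Python. The purpose catalog, the data subject, and the `fraud_prevention` purpose resting on a legal obligation are constructed sample values.

```python
"""Added example: a minimal consent ledger encoding PIPL's consent rules.

Not from the page or any product; purposes, categories and the sample
data subject below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Purposes the organization has articulated individually (constructed sample).
PURPOSE_CATALOG = {"account_service", "marketing", "analytics", "fraud_prevention"}
# Sensitive categories the page names as requiring explicit consent.
SENSITIVE_CATEGORIES = {"biometric", "health", "minor"}
# Lawful bases other than consent that the page lists.
OTHER_LAWFUL_BASES = {"contractual_necessity", "legal_obligation", "vital_interests"}


class ConsentError(ValueError):
    """Raised when a consent grant would violate one of the encoded rules."""


@dataclass
class ConsentRecord:
    purpose: str
    category: str
    explicit: bool
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    # Consent is keyed by (purpose, data category): one record per purpose,
    # so there is no way to store a bundled grant.
    records: dict = field(default_factory=dict)
    # Purposes that rest on a lawful basis other than consent, e.g.
    # {"fraud_prevention": "legal_obligation"}; these survive withdrawal.
    other_bases: dict = field(default_factory=dict)

    def grant(self, purpose: str, category: str, explicit: bool = False) -> ConsentRecord:
        # Separate consent: a grant covers exactly one articulated purpose.
        if purpose not in PURPOSE_CATALOG:
            raise ConsentError(f"unknown or bundled purpose: {purpose!r}")
        # Explicit consent: sensitive categories need an affirmative act.
        if category in SENSITIVE_CATEGORIES and not explicit:
            raise ConsentError(f"{category} data requires explicit consent")
        rec = ConsentRecord(purpose, category, explicit, datetime.now(timezone.utc))
        self.records[(purpose, category)] = rec
        return rec

    def withdraw(self, purpose: str, category: str) -> bool:
        """Record a withdrawal; returns False if there was nothing to withdraw."""
        rec = self.records.get((purpose, category))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def lawful_basis(self, purpose: str, category: str) -> Optional[str]:
        """Basis under which processing may continue, or None (must cease)."""
        rec = self.records.get((purpose, category))
        if rec is not None and rec.active:
            return "consent"
        basis = self.other_bases.get(purpose)
        if basis in OTHER_LAWFUL_BASES:
            return basis
        return None


def demo() -> dict:
    """Walk one constructed data subject through the rules; returns outcomes."""
    ledger = ConsentLedger(other_bases={"fraud_prevention": "legal_obligation"})
    out = {}
    try:  # a bundled purpose is not in the catalog and is rejected
        ledger.grant("marketing_and_analytics", "contact")
        out["bundled"] = "accepted"
    except ConsentError:
        out["bundled"] = "rejected"
    try:  # biometric data without an explicit act is rejected
        ledger.grant("account_service", "biometric")
        out["implicit_biometric"] = "accepted"
    except ConsentError:
        out["implicit_biometric"] = "rejected"
    ledger.grant("account_service", "biometric", explicit=True)
    ledger.grant("marketing", "contact")
    ledger.grant("fraud_prevention", "contact")
    out["before_withdrawal"] = ledger.lawful_basis("marketing", "contact")
    ledger.withdraw("marketing", "contact")
    ledger.withdraw("fraud_prevention", "contact")
    # Marketing loses its only basis; fraud prevention continues on legal_obligation.
    out["marketing_after_withdrawal"] = ledger.lawful_basis("marketing", "contact")
    out["fraud_after_withdrawal"] = ledger.lawful_basis("fraud_prevention", "contact")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `lawful_basis` check is that withdrawal is not a delete: the record is kept with a withdrawal timestamp so the organization can later evidence both the original grant and when processing had to stop, and processing code consults the returned basis rather than the raw consent flag.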
Policy development. Organizations need to develop clear privacy policies that outline their data processing practices in compliance with PIPL. These policies should be easily accessible and written in plain language to ensure that individuals understand their rights and the organization’s obligations.
Training and awareness. Employee training is essential for fostering a culture of compliance within the organization. Employees should be educated about PIPL requirements, the importance of data protection, and the organization’s specific policies and procedures.
Monitoring and auditing. Regular monitoring and auditing of data processing activities are necessary to ensure ongoing compliance with PIPL. Organizations should establish metrics to evaluate their compliance efforts and identify areas for improvement.
Engagement with stakeholders. Organizations should engage with stakeholders, including legal counsel and privacy experts, to ensure that their compliance program aligns with best practices and addresses any potential gaps in their approach.
Incident response planning. Developing an incident response plan is crucial for addressing potential data breaches or compliance failures. Organizations should have procedures in place for reporting incidents, notifying affected individuals, and cooperating with regulatory authorities.
Continuous improvement. Compliance with PIPL is an ongoing process. Organizations should regularly review and update their compliance programs to reflect changes in the regulatory landscape and evolving best practices.
## Run a Free Privacy Scan
Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against PIPL requirements within minutes.
Run your free scan or speak with a privacy expert to discuss your compliance obligations under PIPL and build a prioritized remediation plan.
## Regulatory Crosswalk
Organizations subject to this regulation often operate under these overlapping frameworks: GDPR consent, APPI consent, PIPA consent. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.