What Is the PIPL?

China's data protection legislation, known as the Personal Information Protection Law (PIPL), took effect on November 1, 2021. As the country's first comprehensive framework dedicated to personal information protection, PIPL forms one of the three pillars of China's data governance regime alongside the Cybersecurity Law (2017) and the Data Security Law (2021).

PIPL altered the rules for organizations that use clickwrap agreements with users in China. Distinctive to the law are the separate consent doctrine for sensitive data and cross-border transfers (Articles 23, 25, 29, 39), strict cross-border transfer mechanisms requiring a Cyberspace Administration of China (CAC) security assessment or standard contract, and an enforcement regime among the heaviest globally, with maximum fines of up to 5% of annual revenue and personal liability for responsible managers.

Who Does PIPL Apply To?

PIPL applies to the processing of personal information of natural persons within the People's Republic of China, regardless of whether the handler is domestic or foreign. Article 3 grants the law explicit extraterritorial reach.

PIPL is applicable when an entity:

  • Processes personal information of individuals located in China.
  • Provides products or services to individuals within China from outside the country.
  • Analyzes or assesses the behavior of individuals within China.
  • Operates in any other circumstance prescribed by Chinese law.

Foreign entities subject to PIPL must establish a dedicated institution or appoint a representative within China and report its details to the CAC. There is no small-business exemption.

PIPL and Clickwrap Agreements

PIPL imposes specific requirements on how consent is collected through clickwrap agreements. Articles 13, 14, 17, and 29 establish that consent must be voluntary, explicit, and given on a fully informed basis, with separate consent required for sensitive data, cross-border transfers, public disclosure, and certain third-party sharing. Each condition carries direct implications for clickwrap design, disclosure, and recordkeeping.

How PIPL Affects Clickwrap Design

Article 14 defines consent as a voluntary, explicit indication given by the individual on a fully informed basis for a specific and clear purpose. Article 15 grants individuals the right to withdraw consent at any time and requires that handlers provide a convenient mechanism for withdrawal. In a clickwrap context, this means an unbundled consent action paired with a one-click withdrawal at least as accessible as the original acceptance.

Separate consent is the defining feature of PIPL. Article 28 defines sensitive personal information to include biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, and the personal information of minors under 14, and Article 29 requires the individual's separate consent before any such handling. Article 39 imposes the same requirement for cross-border transfers, while Articles 23 and 25 extend separate consent to provision of personal information to other handlers and to public disclosure. A single "I agree" checkbox cannot legally cover both general processing and any of these scenarios. Each requires its own consent element, such as a distinct checkbox, a dedicated confirmation screen, or a separate workflow step that is independently actionable.

Consent must not be coerced or conditioned. Article 16 prohibits handlers from refusing to provide products or services because an individual withholds or withdraws consent, except where processing is necessary for the service to function. A clickwrap that locks users out of core functionality after they decline marketing analytics or non-essential cross-border transfers violates this provision.

Article 6 requires that processing have a clear and reasonable purpose directly related to the processing objective, and that handlers adopt the method with the least impact on individual rights. Collection must be limited to the minimum scope necessary. Clickwrap agreements that request broad categories of data without linking each category to a stated purpose face regulatory scrutiny.

What Must Be Shown Under PIPL

Article 17 establishes the disclosure obligations that must be satisfied prior to any clickwrap consent action. Personal information handlers must inform individuals in conspicuous, true, and accurate language of:

  • The name and contact details of the personal information handler.
  • The purpose and method of processing for each category of personal information.
  • The categories of personal information being collected, including the necessity for any sensitive data.
  • The retention period, or the criteria for determining it.
  • The means and procedures for exercising rights under Articles 44–48 (access, correction, deletion, portability, and withdrawal of consent).

For sensitive personal information under Article 30, the handler must additionally explain the necessity of processing and the impact on the individual's rights and interests as part of the separate consent flow, not buried in a general privacy policy.

For cross-border transfers under Article 39, the handler must inform the individual of the overseas recipient's name and contact information, the purpose and method of processing, the categories of personal information involved, and the means of exercising rights with the overseas recipient. All of this must be provided before the separate cross-border consent is captured.

What Records You Must Keep Under PIPL

Article 54 requires personal information handlers to regularly audit their processing activities, and Article 55 mandates a Personal Information Protection Impact Assessment (PIPIA) before any high-risk processing, including sensitive data, automated decision-making, cross-border transfers, and any processing with a significant impact on individual rights. Article 56 requires that PIPIA reports and processing records be retained for at least three years.

A defensible clickwrap consent record under PIPL must capture:

  • Subject identity - Name, account ID, or another unique identifier verified at the consent action.
  • Action timestamp - The exact date and time of each consent or withdrawal event.
  • Consent type - Whether general or separate consent was obtained, and the specific Article 29, 39, 23, or 25 trigger.
  • Disclosure presented - The Article 17 (and Article 30 or 39 where applicable) disclosure shown at the moment of consent.
  • Terms version - The version of the privacy notice or terms in effect at the moment of consent.
  • Withdrawal log - The date and scope of any consent withdrawal, plus confirmation that processing ceased for the affected purposes.
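One way to model the record fields listed above and check the separate-consent rule over a subject's event log. This is an added example, not code from the original page; the field names, scope labels, `click_id`, storing a SHA-256 of the disclosure text, and the sample log are all assumptions of this example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Labels for the separate-consent triggers named on this page (labels are this example's own).
SEPARATE = {"art29_sensitive", "art39_cross_border", "art23_other_handler", "art25_public"}

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str         # subject identity
    at: datetime            # action timestamp, timezone-aware
    action: str             # "grant" or "withdraw"
    scope: str              # consent type: "general" or a member of SEPARATE
    disclosure_sha256: str  # hash of the exact disclosure text presented
    terms_version: str      # terms / privacy notice version in effect
    click_id: str           # the UI action that produced this event

def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit(events):
    """Return (active_scopes, findings) for one subject's consent log."""
    clicks = Counter(e.click_id for e in events if e.action == "grant")
    active, findings = set(), []
    for e in sorted(events, key=lambda e: e.at):
        if e.scope != "general" and e.scope not in SEPARATE:
            findings.append(f"unknown scope {e.scope!r}")
        elif e.action == "withdraw":
            active.discard(e.scope)  # processing for this scope must stop
        elif not (e.disclosure_sha256 and e.terms_version):
            findings.append(f"{e.scope}: no disclosure or terms version recorded")
        elif e.scope in SEPARATE and clicks[e.click_id] > 1:
            findings.append(f"{e.scope}: bundled with another grant in click {e.click_id}")
        else:
            active.add(e.scope)
    return active, findings

def ts(minute):  # constructed sample timestamps
    return datetime(2024, 1, 1, 9, minute, tzinfo=timezone.utc)

NOTICE = sha256_text("constructed general notice v3")
XBORDER = sha256_text("constructed cross-border notice v3")
SAMPLE_LOG = [  # constructed events, not real data
    ConsentEvent("u-1001", ts(0), "grant", "general", NOTICE, "v3", "c1"),
    ConsentEvent("u-1001", ts(0), "grant", "art29_sensitive", NOTICE, "v3", "c1"),
    ConsentEvent("u-1001", ts(1), "grant", "art39_cross_border", XBORDER, "v3", "c2"),
    ConsentEvent("u-1001", ts(5), "withdraw", "art39_cross_border", "", "v3", "c3"),
]
```

In the sample log, the sensitive-data grant shares a click with the general grant and is rejected as bundled, while the cross-border grant is valid until its withdrawal removes it from the active set.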

Cross-border transfer documentation carries additional obligations. Organizations transferring data under the CAC standard contract (Article 38) must retain the signed contract, the PIPIA conducted before the transfer, and records of any CAC security assessment, available for regulatory inspection and subject to the three-year minimum retention period.

Key Provisions of PIPL

Lawful Basis for Processing

Personal information handlers must have a lawful basis for processing, which includes consent, contractual necessity, legal obligation, public health emergency, public interest, and reasonable processing of publicly available information. Consent is the primary basis for most commercial processing scenarios.

Separate Consent for Sensitive Data

Processing sensitive personal information (including biometric data, religious beliefs, specific identity, medical health, financial accounts, location tracking, and personal information of minors under 14) requires obtaining the individual's separate consent along with notification of the necessity and impact on the individual's rights.

Clear and Reasonable Purpose

The processing of personal information must have a clear and reasonable purpose directly related to the processing objective. Information collected must be the minimum necessary to achieve the stated purpose, and processing must not exceed what is needed.

Cross-Border Transfer Conditions

Personal information may only be transferred outside China if the handler passes a security assessment organized by the CAC, obtains certification from a specialized institution, enters into a standard contract published by the CAC, or meets other conditions prescribed by law. The individual's separate consent is also required.

Automated Decision-Making Transparency

Personal information handlers that use personal information for automated decision-making must ensure the transparency of the decision-making process and the fairness and reasonableness of the results. Individuals have the right to refuse decisions made solely through automated means that have significant impact.

Right to Withdraw Consent

Individuals have the right to withdraw their consent at any time. Personal information handlers must provide a convenient way to withdraw consent, and withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Personal Information Protection Impact Assessment

Handlers must conduct personal information protection impact assessments before processing sensitive information, using personal information for automated decision-making, entrusting processing to third parties, providing information to other handlers, transferring information abroad, or engaging in other activities with significant impact on individuals.

Data Localization

Critical information infrastructure operators and handlers processing personal information reaching quantities specified by the CAC must store personal information collected and generated within China domestically. Cross-border transfer requires passing a security assessment.

Penalties for PIPL Non-Compliance

Standard Violations: Up to RMB 1 million for the organization; up to RMB 100,000 for directly responsible individuals

Under Article 66, departments fulfilling personal information protection duties shall order corrections, give a warning, confiscate unlawful gains, and may order suspension of services for non-compliant applications. Where the organization refuses to correct, an additional fine of up to RMB 1 million may be imposed on the organization and RMB 10,000 to RMB 100,000 on directly responsible persons.

Serious Violations: Up to RMB 50 million or 5% of prior year's annual revenue

For serious violations (such as large-scale non-compliant processing or failure to correct after warning), authorities may impose fines of up to RMB 50 million (approximately USD 7 million) or 5% of the prior year's annual revenue, order suspension of business operations, and revoke business licenses or permits.

Personal Liability and Blacklisting: RMB 100,000–1,000,000 for individuals; potential industry ban

Directly responsible managers and other personnel may face personal fines of RMB 100,000 to RMB 1 million. Individuals may also be prohibited from serving as directors, supervisors, senior managers, or personal information protection officers for a specified period. Violations are recorded in the national credit system.

Frequently Asked Questions

Yes. Article 3 of PIPL gives the law extraterritorial reach. It applies to processing carried out outside China's borders of the personal information of natural persons within China when the purpose is to provide products or services to individuals within China, to analyze or assess the behavior of individuals within China, or in other circumstances provided by laws and regulations. Foreign platforms must appoint a dedicated entity or representative within China for compliance matters.

Separate consent under PIPL means the consent for sensitive data processing or cross-border transfers must be distinct from general consent. It cannot be bundled into a single 'I agree to everything' click. In clickwrap design, this typically requires an additional, standalone consent action: a separate checkbox, a dedicated consent page, or a distinct confirmation step that clearly explains the specific processing activity and its implications.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.