Consenti

PIPL Compliance Guide (China)

ℹ️Compliance group: opt-in-china — China-specific opt-in with separate consent required per processing purpose and strict cross-border transfer rules. Use compliance: { type: 'opt-in-china' } in your ConsentiSetup config.

China's Personal Information Protection Law (PIPL) — effective 1 November 2021 — is China's first comprehensive personal data protection law and is enforced by the Cyberspace Administration of China (CAC). PIPL applies to the processing of personal information of individuals located in China, regardless of where the processing entity is based.

Official references

Key requirements and how Consenti meets them

RequirementImplementation
Separate consent per purposePer-cookie granularity — each cookie purpose has its own consent toggle and stored value
Informed consenthtmlText on each category describes the processing purpose clearly
Explicit opt-inAll non-mandatory cookies default to 'denied' until actively granted
Right to withdrawConsent can be revoked at any time via widget.showModal() or the API
Cross-border transfer disclosureAdd cross-border transfer information to the relevant category's htmlText
Records keptImmutable consent_history table; audit_logs for admin actions

Consent model

PIPL requires informed, voluntary, specific, and unambiguous consent before collecting or processing personal information. Unlike GDPR, PIPL does not recognise "legitimate interest" as a lawful basis for processing personal information — consent or another listed basis must be obtained.

Cross-border data transfers

PIPL imposes strict requirements on cross-border transfers of personal information:

  • Transfers must pass a security assessment by the CAC (for critical data or large volumes)
  • Processors must obtain a personal information protection certification from a CAC-approved body
  • A standard contract must be signed with the overseas recipient
  • User consent must explicitly cover cross-border transfer
⚠️When collecting personal information that will be transferred outside China, disclose the overseas recipient's name, country, and processing purpose in your profile's category descriptions. Users must explicitly consent to cross-border transfer.

Children's data

PIPL requires separate parental consent for personal information of children under 14. Use the compliance.ageGate config option to enable the age gate:

ts
new ConsentiSetup({
  compliance: {
    type: 'opt-in-china',
    ageGate: {
      minAge: 14,         // PIPL threshold: under 14 requires parental consent
      defaultDeny: true,  // deny all non-mandatory cookies if underage
    },
  },
})

Consent configuration example

ts
import { ConsentiSetup } from '@consenti/ui'

new ConsentiSetup({
  compliance: { type: 'opt-in-china' },
  profileOverride: {
    cookies: [
      { id: 'necessary',  mandatory: true },
      { id: 'analytics',  expiry: 365 },
      { id: 'marketing',  expiry: 365 },
    ],
    mainBanner: {
      position: 'bottom',
      heading: '个人信息保护声明',
      htmlText: '我们使用Cookie改善您的体验,跨境传输数据需要您的明确同意。',
      buttons: [
        { text: '全部接受', style: 'primary',   action: 'custom', cookies: '*' },
        { text: '拒绝可选', style: 'secondary', action: 'custom', cookies: '!' },
        { text: '自定义',   style: 'secondary', action: 'manage' },
      ],
    },
    preferenceModal: {
      heading: 'Cookie偏好设置',
      subheading: '请选择您同意我们使用的Cookie类型。',
      showClose: true,
      overlayOpacity: 50,
      buttons: [
        { text: '保存设置', style: 'primary', action: 'submit' },
        { text: '全部接受', style: 'primary', action: 'custom', cookies: '*' },
      ],
      categories: [
        {
          id: 'cat-necessary',
          heading: '必要Cookie',
          htmlText: '网站正常运行所必需,无法关闭。',
          mandatory: true,
          cookies: ['necessary'],
        },
        {
          id: 'cat-analytics',
          heading: '分析Cookie',
          htmlText: '帮助我们了解访客使用网站的方式。数据可能传输至境外服务器(美国),受当地法律管辖。',
          cookies: ['analytics'],
        },
        {
          id: 'cat-marketing',
          heading: '营销Cookie',
          htmlText: '用于投放个性化广告。数据传输至第三方广告平台,可能存储于中国境外。',
          cookies: ['marketing'],
        },
      ],
    },
  },
})

Enforcement

The CAC and local cybersecurity bureaus enforce PIPL. Penalties include fines of up to 50 million RMB or 5% of annual revenue, suspension of business, and revocation of licences. Foreign companies targeting Chinese users are subject to PIPL even if they have no physical presence in China.