PIPL Compliance Guide (China)
opt-in-china — China-specific opt-in with separate consent required per processing purpose and strict cross-border transfer rules. Use compliance: { type: 'opt-in-china' } in your ConsentiSetup config.China's Personal Information Protection Law (PIPL) — effective 1 November 2021 — is China's first comprehensive personal data protection law and is enforced by the Cyberspace Administration of China (CAC). PIPL applies to the processing of personal information of individuals located in China, regardless of where the processing entity is based.
Official references
- Personal Information Protection Law — NPC full text (Chinese)
- Cyberspace Administration of China (CAC)
- Measures on Security Assessment of Cross-Border Data Transfer (2022)
Key requirements and how Consenti meets them
| Requirement | Implementation |
|---|---|
| Separate consent per purpose | Per-cookie granularity — each cookie purpose has its own consent toggle and stored value |
| Informed consent | htmlText on each category describes the processing purpose clearly |
| Explicit opt-in | All non-mandatory cookies default to 'denied' until actively granted |
| Right to withdraw | Consent can be revoked at any time via widget.showModal() or the API |
| Cross-border transfer disclosure | Add cross-border transfer information to the relevant category's htmlText |
| Records kept | Immutable consent_history table; audit_logs for admin actions |
Consent model
PIPL requires informed, voluntary, specific, and unambiguous consent before collecting or processing personal information. Unlike GDPR, PIPL does not recognise "legitimate interest" as a lawful basis for processing personal information — consent or another listed basis must be obtained.
Cross-border data transfers
PIPL imposes strict requirements on cross-border transfers of personal information:
- Transfers must pass a security assessment by the CAC (for critical data or large volumes)
- Processors must obtain a personal information protection certification from a CAC-approved body
- A standard contract must be signed with the overseas recipient
- User consent must explicitly cover cross-border transfer
Children's data
PIPL requires separate parental consent for personal information of children under 14. Use the compliance.ageGate config option to enable the age gate:
new ConsentiSetup({
compliance: {
type: 'opt-in-china',
ageGate: {
minAge: 14, // PIPL threshold: under 14 requires parental consent
defaultDeny: true, // deny all non-mandatory cookies if underage
},
},
})Consent configuration example
import { ConsentiSetup } from '@consenti/ui'
new ConsentiSetup({
compliance: { type: 'opt-in-china' },
profileOverride: {
cookies: [
{ id: 'necessary', mandatory: true },
{ id: 'analytics', expiry: 365 },
{ id: 'marketing', expiry: 365 },
],
mainBanner: {
position: 'bottom',
heading: '个人信息保护声明',
htmlText: '我们使用Cookie改善您的体验,跨境传输数据需要您的明确同意。',
buttons: [
{ text: '全部接受', style: 'primary', action: 'custom', cookies: '*' },
{ text: '拒绝可选', style: 'secondary', action: 'custom', cookies: '!' },
{ text: '自定义', style: 'secondary', action: 'manage' },
],
},
preferenceModal: {
heading: 'Cookie偏好设置',
subheading: '请选择您同意我们使用的Cookie类型。',
showClose: true,
overlayOpacity: 50,
buttons: [
{ text: '保存设置', style: 'primary', action: 'submit' },
{ text: '全部接受', style: 'primary', action: 'custom', cookies: '*' },
],
categories: [
{
id: 'cat-necessary',
heading: '必要Cookie',
htmlText: '网站正常运行所必需,无法关闭。',
mandatory: true,
cookies: ['necessary'],
},
{
id: 'cat-analytics',
heading: '分析Cookie',
htmlText: '帮助我们了解访客使用网站的方式。数据可能传输至境外服务器(美国),受当地法律管辖。',
cookies: ['analytics'],
},
{
id: 'cat-marketing',
heading: '营销Cookie',
htmlText: '用于投放个性化广告。数据传输至第三方广告平台,可能存储于中国境外。',
cookies: ['marketing'],
},
],
},
},
})Enforcement
The CAC and local cybersecurity bureaus enforce PIPL. Penalties include fines of up to 50 million RMB or 5% of annual revenue, suspension of business, and revocation of licences. Foreign companies targeting Chinese users are subject to PIPL even if they have no physical presence in China.