China's Personal Information Protection Law (PIPL) took effect on 1 November 2021, and it doesn't work the way the GDPR does. The difference that matters most for tracking: PIPL has no legitimate-interests legal basis. Where a European site can sometimes lean on legitimate interests, a China-facing site generally can't. For most cookies and trackers, consent is the basis, full stop.
On top of that, PIPL layers a concept that trips up teams coming from Europe: separate consent (单独同意). Certain high-impact activities each need their own explicit yes, not a single blanket agreement. This guide covers what triggers separate consent, how targeted advertising is regulated, the three ways to move data out of China, the 2024 reforms that relaxed those rules, and who enforces it all.
Consent Is the Default, and It's Strict
PIPL Article 13 lists the legal bases for processing. Consent leads the list; the others are narrow (contract necessity, HR management, legal obligations, public-health emergencies, news reporting in the public interest, handling already-public information). There's no catch-all legitimate-interests basis to fall back on. So if you're setting analytics or advertising cookies on visitors in China, you're almost certainly relying on consent.
And consent under Article 14 has to be voluntary and explicit, given on a fully informed basis. If the purpose, the type of information, or the processing method changes, you have to obtain consent again. Bundled, take-it-or-leave-it consent for unrelated purposes doesn't meet the standard.
Separate Consent: The Part That's Different
This is the mechanism to understand. Beyond ordinary consent, PIPL requires a distinct, standalone consent for specific activities. You can't roll these into the general "I agree". The main triggers relevant to a website:
- Providing personal information to another handler (Article 23). Sharing data with a third party (an ad network, an analytics partner, a data processor acting as its own controller) requires separate consent, and you must tell the user the recipient's identity and the purpose.
- Public disclosure of personal information (Article 25): separate consent.
- Processing sensitive personal information (Article 29): separate consent, and sometimes written consent.
- Cross-border transfer (Article 39): separate consent when consent is your basis for the transfer.
For a cookie banner, the practical consequence is granularity. If your tracking shares data with third parties or sends it offshore, a single accept button won't carry that weight. You need the banner to capture distinct, purpose-specific consents and to log them separately.
Targeted Advertising: Article 24
Behavioural advertising sits under PIPL's automated-decision-making rules. Article 24 says that where you use personal information for automated decisions, including targeted marketing and push advertising, the process must be transparent and the outcomes fair. You must either offer the individual an option that is not based on their personal characteristics, or give them an easy way to refuse the targeting.
In banner terms: a user in China who declines profiling should still get your service, just without personalised ads, and turning that off has to be genuinely easy. That maps cleanly onto an opt-in tracking model where advertising is a separate, refusable purpose.
Moving Data Out of China: Three Routes, Then the 2024 Reset
If your trackers send Chinese users' data to servers outside mainland China, and most Western tools do, PIPL's cross-border regime applies. There are three lawful mechanisms:
- CAC security assessment: a government review required for large-volume transfers and for critical information infrastructure operators.
- Standard contract: China's own standard contractual clauses, filed with the provincial CAC.
- Certification by a CAC-accredited body.
On 22 March 2024, the CAC issued the Provisions on Promoting and Regulating Cross-Border Data Flows, which took effect immediately and meaningfully relaxed the rules. The big one for smaller operators: transferring non-sensitive personal information of fewer than 100,000 individuals per year is now exempt from all three mechanisms (as long as you're not a critical information infrastructure operator). There are further exemptions for transfers necessary to perform a contract with the individual and for HR administration. A clear practitioner summary is available from Greenberg Traurig.
One nuance that catches people out: the CAC has confirmed that separate consent for a transfer is only required when consent is your legal basis for that transfer. If you're relying on contract necessity, you don't also need separate transfer consent. But since most website tracking runs on consent in the first place, transfer consent is usually still in play.
Who Enforces It, and Who's in Scope
The lead regulator is the Cyberspace Administration of China (CAC), working alongside other authorities for specific sectors. PIPL's penalties are serious: for grave violations, fines up to 50 million yuan or 5% of the prior year's turnover, plus business suspension and personal liability for responsible individuals.
PIPL reaches beyond China's borders. Article 3 applies it to processing that happens outside China where the purpose is providing products or services to individuals in China, or analysing and evaluating their behaviour. A foreign website targeting Chinese users is in scope, and Article 53 may require appointing a dedicated representative or entity inside China. You can read the official English text at the National People's Congress site.
A Practical Reality Check
Two things to keep in mind before you architect for China. First, many Western analytics and advertising services are blocked or unreliable inside mainland China, so China-facing sites often run domestic equivalents, which changes what you're actually collecting consent for. Second, PIPL compliance isn't only a banner problem; the cross-border mechanism, the local representative, and the separate-consent records are organisational obligations that sit behind the banner.
For the banner itself, the setup is:
- Opt-in for non-essential tracking, with nothing firing before consent.
- Separate, purpose-specific consents for third-party sharing and for cross-border transfer.
- An easy refusal for targeted advertising under Article 24.
- Timestamped, exportable logs of each separate consent, since you may have to prove them.
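The four points above can be modelled as a small consent ledger. This is an added sketch, not CookieBeam's code or any vendor's API; the purpose names, tracker fields and function names are hypothetical, and the sample trackers are constructed.

```javascript
// Purposes that need their own standalone consent (third-party sharing and
// cross-border transfer, per the banner setup list). Names are hypothetical.
const SEPARATE = new Set(["third_party_sharing", "cross_border_transfer"]);
const PURPOSES = ["analytics", "advertising", ...SEPARATE];

function createLedger(now = () => new Date().toISOString()) {
  const log = [];   // append-only: one timestamped entry per decision
  const state = Object.fromEntries(PURPOSES.map(p => [p, false])); // opt-in: all off

  function record(purpose, granted, source) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    // A blanket "accept all" click cannot stand in for a separate consent.
    if (granted && SEPARATE.has(purpose) && source !== "individual_toggle") {
      throw new Error(`${purpose} needs its own explicit toggle`);
    }
    state[purpose] = granted;
    log.push({ purpose, granted, source, at: now() });
  }

  // "Accept all" grants only the ordinary purposes; separate ones stay off.
  function acceptAll() {
    PURPOSES.filter(p => !SEPARATE.has(p)).forEach(p => record(p, true, "accept_all"));
  }

  // A tracker may fire only if every consent it depends on is currently granted.
  function mayFire(tracker) {
    const needed = [tracker.purpose];
    if (tracker.sharesWithThirdParty) needed.push("third_party_sharing");
    if (tracker.sendsOutsideChina) needed.push("cross_border_transfer");
    return needed.every(p => state[p] === true);
  }

  const exportLog = () => JSON.stringify(log); // evidence of each separate consent
  return { record, acceptAll, mayFire, exportLog };
}

// Constructed sample trackers.
const localAnalytics = { purpose: "analytics", sharesWithThirdParty: false, sendsOutsideChina: false };
const offshoreAds = { purpose: "advertising", sharesWithThirdParty: true, sendsOutsideChina: true };
```

Withdrawing `advertising` through `record` immediately blocks `offshoreAds` again, which is the easy refusal Article 24 calls for.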
How CookieBeam Handles China
CookieBeam ships a PIPL framework preset scoped to China, set to opt-in, with non-essential scripts blocked until the visitor consents. Through the regional consent engine, a visitor in China gets that opt-in experience while visitors elsewhere get their own regional model, from one banner.
Where PIPL's separate-consent structure comes in, the honest picture is that the banner captures purpose-level choices and logs each decision with a timestamp, which is the record you need to evidence a distinct consent for third-party sharing or transfer. The parts PIPL puts outside the banner (the CAC filing or security assessment for cross-border transfers, appointing a China representative, choosing domestic-versus-foreign trackers) are yours to arrange; a consent tool can't file your standard contract for you. Verify the current CAC rules before you finalise, since the 2024 provisions are still bedding in and thresholds may shift.
Related Guides
For the EU model PIPL is often contrasted with, see the GDPR cookie compliance checklist. For another major Asian regime, read our India DPDP Act guide. For the contracts behind data sharing, see data processing agreements for website owners. For serving different rules per country, read regional consent for global sites, and for the wider picture, our emerging-markets guide.