By Monica Wu

Introduction 
Since the full implementation of China’s Personal Information Protection Law (PIPL) in 2021, privacy compliance has become mandatory for businesses operating in or targeting the Chinese market. PIPL aligns China’s regulatory framework with global privacy standards such as the EU’s General Data Protection Regulation (GDPR), establishing comprehensive rules for the collection, processing, and storage of personal information, but it also has some extra wrinkles of its own that you need to be aware of if you’re planning to operate in the country. 
 
Foundations of an effective privacy notice
 
Before delving into specific measures for your Privacy Notice, it is essential to understand the foundational requirements of the PIPL. Article 17 of the PIPL outlines the core elements necessary for valid consent prior to processing personal data. Specifically, organisations must inform individuals of the following: 

  1. The name and contact details of the personal information processor;
  2. The purposes, methods, categories, and retention periods related to the processing of personal information;
  3. The procedures and mechanisms through which individuals can exercise their legal rights; and
  4. Any other information required by laws and administrative regulations, such as the regional Shanghai Data Regulations and Shenzhen Special Economic Zone Data Regulations.

Role of the PISS 
It’s not just the PIPL you need to be mindful of, however. There is a complementary document called the Personal Information Security Specification (PISS) which extends the legal text of the PIPL by giving guidance on information security expectations. While the PIPL is principle-based, lawyers, courts, and regulators look to the PISS to interpret and apply it. While not legally binding, the PISS provides detailed and operationally focused requirements that organisations are expected to follow as best practice. Both the PIPL and the PISS are overseen by the Cyberspace Administration of China (CAC), China’s equivalent of the UK’s ICO.

The PISS introduces a document called the ‘Personal Data Protection Policy’ (个人信息保护政策), which serves a dual function: it can act both as a Privacy Notice and as a consent mechanism. This comprehensive document is designed to enhance user trust while supporting the organisation’s data protection and compliance objectives. 
 
As a multifunctional compliance instrument, the ‘Personal Data Protection Policy’ goes beyond legal formality to become the cornerstone of an organisation’s transparency, accountability, and risk mitigation activities. To ensure its effectiveness, five key elements should not be overlooked: 
 
1. Clarity of content: Be clear about what data you’re collecting and why 
Let’s start with the basics: users need to know what personal data will be collected and for what purpose. It is not enough to say “we collect this personal data from you.” In China you’re expected to identify each core business activity with a list of the data collected and processed in pursuit of it, as well as stating how the data is collected. Break out items such as user registration, taking orders, making payments, invoicing, and customer service, each with a list of the personal data provided by individuals, so users can understand how their data fits into the overall experience. 
 
2. Readability: Make your notice readable 
Privacy Notices are often full of complex terms that confuse users and cause them to skip over important information. The PISS demands that the Privacy Notice be truthful, accurate and complete, all written in plain language that is easy to understand. Use standard figures and diagrams to avoid ambiguity. For sensitive personal data, such as precise location and financial account details, consider using bold text or underlining the terms to make the Notice easy to scan. 
 
3. Visibility and access: Make the Privacy Notice front and centre. Do not hide it in the settings 
The PISS requires that the customer journey be integrated with the privacy experience from the very beginning. When a user opens the app or uses your service for the first time, you should give a clear and timely prompt to review the Privacy Notice while separating out mandatory versus optional features. A pop-up window is recommended. Additionally, ensure users can easily access their privacy settings at any time. Privacy Notices should not be hidden in the settings but placed on the landing page, before the app’s profile screen or web forms. Visibility is key: the Privacy Notice should be presented directly to every user before data collection, and published on the website when that is the best method of informing individuals of their rights. 

4. Be transparent about app SDKs and third-party data collection
Many apps rely on SDKs (software development kits) for things like analytics, ads, and push notifications. But here’s the thing: SDKs often collect user data too, and this should be disclosed to users. In a recent announcement the CAC made it clear that many software developers are failing to provide clear rules about how SDKs collect or use personal data. Also, in some cases, SDKs process data in ways that don’t align with statements made in the Privacy Notice of the company deploying the software. That is a major red flag for the Chinese regulator. 
 
Your Privacy Notice should therefore clearly disclose the following information in the SDK table: 

  • Which SDKs your app is using
  • What type of data each SDK collects or shares with the SDK provider
  • The purpose of that collection
  • Contact info or links to the SDK provider.

This level of disclosure shows that you’re not just meeting PISS standards but also actively following other national standards and protecting users’ rights.

5. Data sharing during structural changes
When companies acquire or merge with others in China, the PISS requires organisations to be proactive about explaining in the relevant Privacy Notices what personal data will flow where and under what conditions, and which organisation will fulfil which data responsibilities and obligations at the various stages of any structural transition. In addition, if the purposes for which any previously collected personal data is processed have changed, new consent should be obtained from the individuals concerned. 

Conclusion 
Addressing these five points will dramatically help with your Privacy Notice compliance in China. You should be aware, however, that there are often regional regulatory requirements you may need to comply with, as well as national ones, as privacy is also regulated at a regional level. To navigate the Chinese privacy landscape confidently and reduce compliance risk, we also strongly recommend that you consult data privacy experts familiar with Chinese business practices and regulations in the areas in which your organisation operates. Tailoring your notice with this kind of expert guidance will help ensure your credibility in the eyes of regulators, business stakeholders and, of course, users. 

----------------------- 

Reference links: 

  1. CAC announcement on 28th March 2025: Official link 
  2. Shanghai Data Regulations: 上海市数据条例 (Chinese only) 
  3. Shenzhen Special Economic Zone Data Regulations: Data Regulations of the Shenzhen SEZ 
  4. National standard for SDKs in mobile internet applications: GB/T 43435-2023 Security requirements for software development kit (SDK) in mobile internet applications (App): Official link