Educational overview, not legal advice. The PIPL ecosystem also includes the Cybersecurity Law (CSL) and Data Security Law (DSL), and is interpreted by the CAC and other regulators. Anything affecting a live product needs Chinese counsel, not a blog post.
📜 What the PIPL Is
The Personal Information Protection Law took effect on November 1, 2021. It sits alongside the older Cybersecurity Law (2017) and Data Security Law (2021) and is the primary instrument governing personal information processing. Penalties can reach 50 million RMB or 5% of the prior year's annual revenue, plus suspension of business and personal liability for responsible individuals.
🌐 Extraterritorial Scope
The PIPL applies even when processing happens entirely outside China, if any of these is true:
- •The purpose is to provide products or services to individuals in China.
- •The purpose is to analyze or evaluate the behavior of individuals in China.
- •Other circumstances stipulated by Chinese law.
If your app has Chinese users, the second clause covers most analytics use cases by default.
⚖️ Legal Bases and Separate Consent
The PIPL lists seven legal bases. The big practical difference vs. the GDPR: there is no general "legitimate interest" equivalent. Consent is the dominant basis for analytics, and consent has a stricter form called separate consent for certain activities.
Separate consent is required for:
- •Processing sensitive personal information.
- •Sharing personal information with other handlers (third parties).
- •Cross-border transfers.
- •Automated decision-making with significant impact.
- •Public disclosure of personal information.
Separate consent cannot be hidden inside a general "I agree" checkbox. It needs its own, distinct affirmative action.
🇨🇳 Localization and Cross-Border Transfers
Three mechanisms allow cross-border transfers under the PIPL:
| Mechanism | Typical use case |
|---|---|
| CAC Security Assessment | Mandatory for CIIOs, large-volume processors, sensitive-data exporters. |
| Certification | By a CAC-recognized body; common for intra-group transfers. |
| Standard Contract | Filed with the local CAC; the most common mechanism for smaller processors. |
For most apps, the friction is real but manageable: pick a mechanism, document the data flow, file the paperwork. The faster path is to avoid the transfer altogether by hosting the analytics endpoint inside mainland China — possible because the Respectlytics server is open source and can be self-hosted.
🔐 Sensitive Personal Information
The PIPL defines sensitive personal information as data that, if leaked or misused, could easily harm a natural person's dignity or personal/property safety. The non-exhaustive list includes: biometrics, religious beliefs, specific identity, medical data, financial accounts, location tracking, and personal information of minors under 14.
Three of those are realistic worries in mobile analytics if you are not careful:
- •Location tracking. Precise GPS is sensitive; even neighborhood-level accuracy is risky.
- •Financial accounts. Anything close to a payment-related event needs careful naming and zero amounts.
- •Minors' data. If your app might be used by under-14s, the rules become much stricter.
👶 Minors and Other Special Categories
Personal information of minors under 14 is treated as sensitive. Processing requires the consent of a parent or guardian, and operators must establish dedicated processing rules. If your app cannot reliably establish that no users are under 14, the safe assumption is that it can — which is one more reason to avoid collecting personal information at all.
🛡️ Architecture Choices That Help
- Collect less. No device IDs, no IP retention, no custom properties means narrower processing and narrower consent scope.
- Self-host inside China. The open-source server can run on a Chinese cloud provider; the cross-border transfer question disappears.
- No location signal. Country-level geolocation from IP is much less risky than precise GPS — and for product analytics it is usually all you need.
- No persistent identifiers. RAM-only session IDs that rotate every two hours.
- Document the SDK behavior. Open-source SDKs let your privacy reviewer verify that the data flow matches the disclosure.
None of this is a compliance claim. It is an architectural pattern that narrows the questions an operator-of-record must answer in China.
❓ Frequently Asked Questions
What is the PIPL?
China's Personal Information Protection Law, in effect since November 2021, administered primarily by the Cyberspace Administration of China.
Does the PIPL apply to apps outside China?
Yes, when the processing is for providing products/services to individuals in China or analyzing their behavior.
What is separate consent under the PIPL?
A stricter consent required for specific activities — sensitive data, cross-border transfers, third-party sharing, automated decisions. It cannot be bundled into general privacy-policy acceptance.
Does the PIPL require data localization?
Not by default for most operators. Cross-border transfers need a specific mechanism (CAC assessment, certification, or standard contract). CIIOs and large-volume processors face stricter rules.
How can mobile analytics work under the PIPL?
Collect minimal data, host the analytics endpoint in mainland China (or self-host) to avoid the cross-border question, and avoid persistent device identifiers.
Legal Disclaimer: This information is provided for educational purposes and does not constitute legal advice. PIPL interpretation is the responsibility of Chinese regulators and courts. Consult Chinese counsel for product decisions.