On 3 April 2026 China’s Cyberspace Administration (CAC) published a draft regulation titled the Provisions on Simplified Measures for Personal Information Protection by Small Personal Information Controllers (Draft for Comment) (the “Draft”). The Draft is open for public comment and, once finalized, will introduce a tiered compliance framework under China’s Personal Information Protection Law (PIPL).

Background: Why This Draft Matters

The PIPL, in force since November 2021, applies uniformly to all personal information controllers in China. It sets demanding obligations on notice, consent, data minimization, cross-border transfers, personal information protection impact assessments, and audits. For large enterprises, these requirements are manageable.

Article 62 of the PIPL expressly authorizes the CAC to develop specialized rules for small personal information controllers. The Draft delivers on that mandate. Its core objective is not to lower the standard of protection, but to apply a proportionate, risk-based regulation so that compliance obligations match the scale and risk profile of smaller operations.

Who Qualifies as a “Small Personal Information Controller”?

The threshold is clear and binary: any personal information controller operating within China that processes the personal information of fewer than 100,000 individuals qualifies (hereafter “small controllers”).

The Draft does not distinguish by company size, revenue, or sector. The sole criterion is the volume of personal information processed at a given point in time. Deleted or anonymized data is likely excluded from the count, though the Draft does not yet confirm this.

What Is Actually Simplified?

The Draft simplifies six main compliance areas. It does not exempt controllers from PIPL obligations. The lawful basis requirements, the principles of legality, necessity, and proportionality, and rights mechanisms remain fully applicable.

Privacy Notice and Processing Rules

Under the general PIPL framework, controllers must publish detailed personal information processing rules, typically in the form of a privacy policy. Under the Draft:

  • Offline controllers may post a notice in a prominent location on their premises instead of publishing a separate privacy policy.
  • Online controllers may embed disclosure in a service agreement.
  • Controllers operating exclusively through a network platform (such as an e-commerce marketplace) may rely entirely on the platform’s published processing rules, provided they process data only for product or service delivery and do not share it outside the platform.
  • Controllers within an industrial park or managed business estate may rely on a unified processing rule published by the estate manager, where the controllers are listed in that rule.

Notice to Individuals

Where a small controller processes only non-sensitive personal information strictly necessary for service delivery and does not share or disclose that data to third parties, it may satisfy its notice obligation merely by making its processing rules publicly accessible. Individual-by-individual notice is not required in these circumstances.

Consent

The Draft introduces a streamlined consent mechanism. Where an individual voluntarily provides personal information to obtain a product or service, and the controller has published its processing rules and fulfilled its notice obligation, the act of voluntary provision constitutes valid consent. This reduces reliance on separate written or electronic consent forms for standard service transactions.

For sensitive personal information, including biometric data such as facial recognition used for attendance systems, the Draft permits processing where the individual knowingly and proactively provides the data, as long as the purpose, method, and type of data have been disclosed. The boundary of what counts as “knowing and proactive” in employment contexts remains unclear and will require further regulatory guidance.

Cross-Border Data Transfers

Article 11 of the Draft lists six scenarios in which small controllers are exempt from the standard cross-border transfer mechanisms (security assessment, standard contract, or certification). These scenarios largely mirror existing exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows and the Network Data Security Management Regulations. They include, among others, transfers necessary for individual contracts (such as travel bookings and cross-border payments) and HR management transfers under lawful collective agreements.

One practical simplification is notable: where a small controller must file for a security assessment, it may submit to its provincial cyberspace administration department for initial review, which then reports to the national CAC for approval.

Impact Assessments and Compliance Audits

The PIPL requires personal information protection impact assessments (PIPIAs) and compliance audits. The Draft simplifies both:

  • Small controllers may use a streamlined PIPIA checklist attached to the Draft instead of the full methodology.
  • Compliance audits may be conducted using a simplified self-assessment checklist covering 24 audit items, at a minimum frequency of once every five years.
  • Platform-reliant controllers may skip both the PIPIA and the audit if the platform has already conducted them.
  • Controllers that obtain PIPL certification are exempt from audits during the certification period.

Internal Management and Breach Notification

Small controllers may embed personal information protection requirements and incident response obligations within general organizational management documents, rather than maintaining standalone policies. In genuine cases where individual notification after a data breach is technically infeasible, notification via a prominent in-store notice or in-app popup is acceptable.

Enforcement Posture

The Draft introduces a more accommodating enforcement tone specifically for small controllers. No penalty will be imposed where a violation is minor and promptly corrected with no harmful consequences, or where it is a first-time violation with minor impact that is remedied immediately. Mitigating factors include voluntarily eliminating or reducing harm, self-reporting violations not yet known to regulators, timely breach notification with remediation, and cooperating with investigations. Where no penalty applies, regulators may still issue advisory letters or conduct compliance interviews. Regional authorities are also encouraged to provide training, legal education, technical tools, and infrastructure support to help small controllers build compliance capacity.

Conclusion

The Draft represents a genuine and welcome step toward proportionate data governance in China. It is consistent with the broader global trend of risk-based regulation and aligns with the principles that underpin the GDPR’s differentiated obligations for controllers of different scales. We will continue to monitor the legislative progress of the Draft and provide updates as the finalization process develops.