China PIPL: Key Compliance Signals from CAC’s January 2026 Q&A

Written by Qian Zhou. Reading time: 8 minutes
China personal information protection continues to evolve as regulators clarify how core data laws should be applied in practice. In January 2026, the Cyberspace Administration of China (CAC) released a Q&A addressing personal and sensitive personal information, facial recognition compliance, impact assessments, and data protection officer obligations. The guidance provides important signals for foreign‑invested enterprises navigating China’s increasingly enforcement‑driven data governance landscape.

In January 2026, China’s Cyberspace Administration (CAC) published a set of frequently asked questions on personal information protection, reaffirming core principles under the Personal Information Protection Law (PIPL) while clarifying how regulators expect companies to operationalize compliance.

While the document does not introduce entirely new legal obligations, it sends a clear signal: enforcement attention is shifting from abstract compliance commitments to definitions, documentation, and accountability mechanisms, areas where foreign-invested enterprises (FIEs) often face implementation challenges.

For companies operating in China, the Q&A offers a useful window into some regulatory priorities for 2026, particularly concerning sensitive personal information, facial recognition technology, impact assessments, and the role of the personal information protection officer.

Personal information vs. sensitive personal information

The CAC reiterates the PIPL definition of personal information as any information relating to an identified or identifiable natural person, excluding anonymized data. The clarification lies less in the definition itself and more in the breadth of examples provided, which span from conventional identifiers (names, ID numbers) to behavioral, device, and profiling data, such as browsing records, user tags, and movement patterns.

More notably, the CAC emphasizes the regulatory treatment of sensitive personal information: data that, if leaked or illegally used, is likely to harm personal dignity or endanger personal or property safety. The examples given include biometric data, religious beliefs, specific identity information, medical and health data, financial account information, location trajectory data, and the personal information of minors under 14.

The reference to GB/T 45574‑2025, a national standard detailing a method for identifying sensitive personal information, suggests that regulators increasingly expect companies to align internal data classification practices with these technical standards.

Q1. What is personal information?

A: Personal information refers to various types of information, recorded electronically or by other means, that relate to an identified or identifiable natural person, excluding information that has been anonymized.

Personal information includes, but is not limited to, the following categories:

  • Personal basic information, such as an individual’s name, date of birth, and age
  • Personal identity information, such as resident identity card, military officer card, and passport details
  • Biometric information, such as facial images, genetic data, voiceprints, iris data, and fingerprints
  • Online identity information, such as user accounts and user identifiers (user IDs)
  • Personal education and employment information, such as educational background, occupation, and job position
  • Personal property information, such as financial accounts, consumption records, income status, and borrowing information
  • Identity authentication information, such as account passwords and digital certificates
  • Personal communications information, such as communication records, text messages, and emails
  • Contact information, such as address books and friends lists
  • Online activity records, such as web browsing history and software usage records
  • Personal device information, such as International Mobile Equipment Identity (IMEI) numbers
  • Personal location information, such as transportation and travel data
  • Personal tagging and profiling information, such as user labels and profiles
  • Personal activity information, such as step count and step frequency
  • Other information related to an identified or identifiable natural person

Q2. What is sensitive personal information?

A: Sensitive personal information refers to personal information that, once leaked or illegally used, is likely to result in harm to an individual’s personal dignity or endanger personal or property safety. This includes biometric information, religious beliefs, specific identity information, medical and health information, financial account information, tracking and location trajectory data, as well as personal information of minors under the age of fourteen.

The national standard GB/T 45574‑2025, Data Security Technology – Security Requirements for the Processing of Sensitive Personal Information, clarifies methods for identifying and defining sensitive personal information. Appendix A of the standard lists common categories of sensitive personal information, including:

  • Biometric information, such as facial images, genetic data, and voiceprints
  • Religious belief information, such as personal religious affiliations or membership in religious organizations
  • Specific identity information, such as information identifying persons with disabilities or occupational information that is not suitable for public disclosure
  • Medical and health information, such as disease conditions, past medical history, medical consultation records, and examination and testing data
  • Financial account information, such as account numbers and passwords for bank, securities, fund, and insurance accounts
  • Location trajectory information, such as continuous precise location tracking data and vehicle travel trajectories
  • Other sensitive personal information, such as photographs of resident identity cards, credit information, and criminal records

What this means for companies

FIEs should assume that regulators will assess whether sensitive personal information has been systematically identified, labeled, and protected, even if the business does not operate in traditionally “high-risk” sectors.

Compliance checklist:

  • Map all personal data categories processed in China operations
  • Identify which datasets qualify as sensitive personal information
  • Apply enhanced consent, access control, and retention measures
  • Align internal classifications with national standards where feasible

Facial recognition: A stand-alone compliance priority

The CAC Q&A devotes specific attention to facial recognition, reflecting growing regulatory sensitivity around biometric technologies. Under the Measures for the Secure Management of Facial Recognition Technology Applications, companies must conduct a Personal Information Protection Impact Assessment (PIPIA) before using facial recognition functions.

Third-party participation is permitted, but responsibility remains with the personal information processor.

Q3. How should a personal information protection impact assessment be conducted before using facial recognition technology?

A: Article 9 of the Measures for the Secure Management of Facial Recognition Technology Applications provides that, prior to using facial recognition technology, a personal information protection impact assessment shall be conducted, and records of the processing activities shall be retained.

The personal information protection impact assessment shall be organized and carried out by the personal information processor that applies facial recognition technology. Third‑party institutions may participate in the assessment. Where a third‑party institution is involved, the assessment report shall specify the basic information of the third‑party institution and describe its involvement in the assessment.

The assessment shall primarily evaluate four aspects:

  1. Whether the purpose and methods of processing facial information are lawful, justified, and necessary;
  2. The impact on individuals’ rights and interests, and whether measures to mitigate adverse impacts are effective;
  3. The risks of facial information being leaked, tampered with, lost, damaged, or illegally obtained, sold, or used, as well as the potential harm that may result; and
  4. Whether the protection measures adopted are lawful, effective, and commensurate with the level of risk.

What this means for companies

For foreign companies using facial recognition in access control systems, smart offices, retail environments, or consumer applications, facial data should be treated as a high-risk processing scenario, regardless of scale.

Compliance checklist:

  • Conduct and document a facial recognition-specific PIPIA
  • Reassess necessity: Is facial recognition strictly required?
  • Implement opt-out or alternative verification mechanisms where possible
  • Review vendor contracts and data handling responsibilities

Beyond facial recognition, the Q&A reinforces a broader regulatory expectation: the PIPIA is becoming an enforceable compliance artifact, not an internal check-the-box exercise.

While the PIPL introduced the concept of PIPIA, regulators are now increasingly focusing on whether assessments:

  • Were conducted before high-risk processing begins;
  • Address concrete risk scenarios; and
  • Are retained and available for inspection.

Companies should expect impact assessment records to be requested during audits, inspections, or investigations, particularly in sectors handling employee, customer, or platform user data.

Personal information protection officer: From title to function

Under the PIPL, personal information processors reaching a CAC-specified threshold must designate a personal information protection officer (often referred to as a “PIPO” or “DPO”). Subsequent regulations clarified that processing over one million individuals’ personal information triggers this obligation.

The July 2025 CAC announcement formalized mandatory reporting of DPO information through an online system, moving the role from a theoretical requirement to a visible regulatory accountability mechanism.

Importantly, the DPO role differs from general data protection or compliance positions. It is a statutory function, accountable for:

  • Supervising personal information processing activities;
  • Overseeing compliance audits; and
  • Acting as a key regulatory contact point.

Q4. Under what circumstances are personal information processors required to appoint a personal information protection officer and submit the officer’s information?

A: Article 52 of the Personal Information Protection Law of the People’s Republic of China provides that personal information processors that process personal information reaching a quantity specified by the national cyberspace authority shall appoint a personal information protection officer, who shall be responsible for supervising personal information processing activities and the implementation of protective measures.

Article 12 of the Measures for the Management of Personal Information Protection Compliance Audits further provides that personal information processors that process the personal information of more than one million individuals shall appoint a personal information protection officer, who shall be responsible for overseeing the processor’s personal information protection compliance audit work.

On July 18, 2025, the Cyberspace Administration of China issued the Announcement on Carrying Out the Reporting of Personal Information Protection Officer Information, which clarifies the reporting requirements, reporting timeframe, and reporting methods for personal information protection officer information. The reporting of the personal information protection officer information is conducted online.

Personal information processors may directly access the Personal Information Protection Business System (https://grxxbh.cacdtsc.cn) and, in accordance with the Instructions for Completing the Personal Information Protection Officer Information Reporting System (First Edition) provided on the system’s homepage, prepare the required materials and complete the information reporting procedures. Alternatively, the system may be accessed through the “National Cyberspace Administration Government Services Hall” section on the homepage of the Cyberspace Administration of China website (https://www.cac.gov.cn).

What this means for companies

The regulatory focus on personal information protection leadership reflects a shift from formal designation to functional accountability. Simply naming an individual as a DPO is no longer sufficient. Regulators increasingly expect the DPO role to be substantive, informed, and operationally embedded within an organization’s China operations.

For foreign‑invested enterprises in particular, several practical questions frequently arise:

  • Can a regional or group‑level DPO be designated? Many multinational companies maintain centralized or regional data protection structures, often with a group‑level DPO overseeing global compliance. In the China context, regulators generally expect a clearly identifiable individual responsible for personal information protection matters related to China operations. While a regional or global DPO may be designated in name, companies should ensure that the individual has a clearly defined China‑related mandate, sufficient familiarity with Chinese data protection laws, and the practical ability to engage with local regulators and internal teams.
  • Can the DPO role be combined with IT, legal, or compliance functions? Chinese data protection regulations do not prohibit combining the DPO role with other internal functions. In practice, the role is commonly assumed by legal, compliance, or information security personnel. However, regulators may closely examine whether the individual has sufficient time, resources, and authority to effectively fulfill the role, particularly in companies that process large volumes of personal information or engage in higher‑risk processing activities. Overlapping responsibilities should not undermine the DPO’s supervisory effectiveness.
  • How much authority and independence is expected in practice? Although Chinese law does not prescribe an independence standard identical to that under the EU’s GDPR, enforcement trends increasingly emphasize effective supervisory authority. A DPO who lacks access to senior management, is excluded from key operational or system design decisions, or has limited influence over remediation measures may struggle to meet regulatory expectations. Companies are therefore advised to ensure that the DPO:
    • Has access to senior management and decision‑makers
    • Maintains visibility over personal information processing activities
    • Has the authority to recommend, escalate, and track corrective actions

Taken together, these considerations suggest that the DPO role is evolving into a core internal governance function under China’s personal information protection regime. For foreign‑invested enterprises, proactively strengthening the DPO’s mandate and positioning can help mitigate compliance risks, improve audit readiness, and demonstrate good‑faith engagement with China’s increasingly enforcement‑oriented data protection framework.

How this Q&A fits into China’s broader data governance framework

The January 2026 Q&A reinforces how the PIPL operates in tandem with the Data Security Law and the Cybersecurity Law as part of an integrated data governance system. While the laws establish core obligations and liability frameworks, regulatory practice increasingly relies on implementing rules, sectoral measures, and national standards to translate these obligations into concrete compliance expectations.

In particular, the Q&A highlights the growing role of national standards, such as those addressing sensitive personal information classification and processing, as practical benchmarks during enforcement actions, risk assessments, inspections, and compliance audits, even where such standards are formally designated as “recommended” rather than mandatory.

For FIEs, this means that compliance expectations in China may extend beyond the black‑letter law to include technical specifications, operational safeguards, and governance practices reflected in national standards and regulatory guidance. As enforcement continues to mature, aligning internal policies with these evolving benchmarks can be as important as meeting statutory minimum requirements.

About Us

China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
