PIPL Compliance
Configure your forms for China's Personal Information Protection Law.
What is the PIPL?
The Personal Information Protection Law (PIPL) is China's first comprehensive data protection law. It took effect on November 1, 2021, and is administered by the Cyberspace Administration of China (CAC). The full text was published by the Standing Committee of the National People's Congress.
The PIPL draws clear inspiration from the GDPR but is shaped by China's distinct regulatory environment. It establishes comprehensive rules around consent, data minimization, individual rights, and — most notably — strict controls on cross-border data transfers.
The law applies to the processing of personal information of individuals within China. Critically, this includes overseas entities that:
- Provide products or services to individuals within China.
- Analyze or assess the behavior of individuals within China.
- Fall under other circumstances specified by law or regulation.
If your web form collects data from people in China — even if your business operates entirely outside the country — the PIPL applies to you.
Consent model
The PIPL uses consent as a primary legal basis for processing personal information, but it distinguishes between standard consent and separate consent depending on the sensitivity and purpose of the processing.
Standard consent is sufficient for basic form data collection (names, email addresses, messages). It must be informed, voluntary, and explicit. Pre-checked boxes or implied consent do not qualify.
Separate, explicit consent is required for:
- Sensitive personal information — biometric data, religious beliefs, specific identity, medical and health data, financial accounts, and location tracking.
- Cross-border transfers — before personal information is transferred outside China.
- Public disclosure — making an individual's personal information publicly available.
- Processing by a third party — providing personal information to another data processor.
Consents cannot be bundled. If you need consent for the form submission itself and a separate consent for transferring data abroad, these must be presented as distinct, independently selectable choices. A single "I agree to everything" checkbox does not satisfy the PIPL.
What the PIPL preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | The PIPL mandates informed, voluntary consent before processing personal information. The checkbox serves as the consent mechanism for web forms. |
| IP anonymization | Yes | IP addresses are personal information under the PIPL. Anonymizing them (zeroing the last octet of an IPv4 address; an IPv6 address needs a larger tail dropped) reduces compliance exposure while retaining coarse geographic usefulness. Truncate before the address is written anywhere, and check that your web server or proxy access logs are not keeping the full address next to the same submission. |
| User-agent storage | Enabled | Browser metadata is useful for troubleshooting and is not sensitive personal information under the PIPL. It is still personal information once linked to a submission, so it falls under the same retention period and deletion obligations as the rest of the record. |
| Data retention | 365 days | The PIPL requires retention to be limited to the shortest period necessary for the processing purpose. One year is a reasonable default; adjust downward if your purpose is fulfilled sooner. |
| Privacy policy URL | Required | The PIPL requires that individuals be informed of the processor's name, contact details, processing purposes, retention periods, and how to exercise their rights. A linked privacy policy provides this transparency. |
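The preset's "zero the last octet" rule only describes IPv4. The function below, an added example written for this page and not FormBlade's own code, applies the same idea to IPv6 and to the IPv4-mapped IPv6 form that dual-stack servers and proxies often report, and shows the same truncation applied to an access-log line so the full address is not retained elsewhere. The /48 prefix kept for IPv6 and the common-log-format sample line are this example's own assumptions.

```python
import ipaddress

# Added example (not FormBlade code). "Zero the last octet" is an IPv4 rule;
# the IPv6 prefix length used here (/48) is this example's own choice.
IPV4_KEEP_BITS = 24   # keep a.b.c, drop the last octet
IPV6_KEEP_BITS = 48   # keep the routing prefix, drop the remaining 80 bits


def anonymize_ip(raw):
    """Return an irreversibly truncated form of a client address as a string.

    Handles IPv4, IPv6 and IPv4-mapped IPv6 (::ffff:a.b.c.d). Raises ValueError
    for anything that is not an IP address, so a garbled header is never
    stored verbatim by accident.
    """
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                 # it is really an IPv4 client
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_access_log_line(line):
    """Apply the same truncation to the client field of a common-log-format line.

    The anonymized submission record is pointless if the web server's access
    log keeps the full address next to the same timestamp and form URL.
    Lines whose first token is not an IP address are returned unchanged.
    """
    first, sep, rest = line.partition(" ")
    try:
        return anonymize_ip(first) + sep + rest
    except ValueError:
        return line


if __name__ == "__main__":
    # Constructed sample line, not real traffic.
    sample = '203.0.113.77 - - [01/Nov/2021:09:15:00 +0800] "POST /f/contact HTTP/1.1" 200 512'
    print(anonymize_ip("2001:db8:85a3:8d3:1319:8a2e:370:7348"))   # 2001:db8:85a3::
    print(anonymize_access_log_line(sample))
```

Truncation is used rather than hashing on purpose: a plain hash of an IPv4 address is reversible by enumerating all 2^32 values, and a keyed hash is pseudonymization, not anonymization, because whoever holds the key can still link records to an address.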
Set up the PIPL preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select PIPL (China) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select PIPL (China) from the preset buttons or region dropdown.
- Click Save.
Cross-border data transfer — strict rules
Cross-border data transfer is the single most significant area where the PIPL differs from other data protection laws. While the GDPR allows transfers with adequacy decisions or standard contractual clauses, and India's DPDPA uses a permissive blacklist model, the PIPL imposes affirmative obligations before any personal information leaves China.
There are three mechanisms for lawful cross-border transfer:
- CAC security assessment — mandatory for critical information infrastructure operators (CIIOs) and for processors handling personal information of more than one million individuals, or who have cumulatively transferred personal information of more than 100,000 individuals (or sensitive personal information of more than 10,000 individuals) abroad. These figures come from the CAC's 2022 security assessment measures; the CAC's March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows revised the thresholds and added exemptions for low-volume transfers, so confirm the current figures before deciding which mechanism applies to you.
- Standard contractual clauses (SCCs) — for processors that fall below the thresholds requiring a CAC security assessment. The CAC published its template SCC in February 2023. Both parties must sign the contract, and the processor files it, together with the impact assessment, with the provincial CAC branch within 10 working days of the contract taking effect.
- Personal information protection certification — obtained from a CAC-recognized certification body. This is less common in practice for small-scale processors.
For a form backend operator who is not a CIIO and handles a relatively small volume of submissions from Chinese users, SCCs are the most practical path. You would sign the standard contract with your data processing partners and file it with the relevant provincial CAC office.
Regardless of which mechanism you use, you must also:
- Obtain separate consent from individuals for the cross-border transfer.
- Conduct a personal information protection impact assessment before the transfer.
- Ensure the overseas recipient provides a level of protection no lower than the PIPL's standards.
Data minimization
Article 6 of the PIPL establishes a clear principle: personal information processing must be conducted with the minimum scope necessary for the stated purpose. You should not collect personal information beyond what is needed.
For web forms, this means:
- Only include fields that are genuinely required for the form's purpose. A contact form does not need a date of birth or ID number.
- Mark truly optional fields as optional — do not make every field required.
- If a form field is not necessary for responding to the submission, remove it.
- Avoid collecting sensitive personal information (biometric, health, financial) unless the form's purpose specifically requires it and you have obtained separate consent.
The PIPL also prohibits refusing to provide a product or service solely because an individual declines to consent to the processing of personal information that is not necessary for that product or service. In the context of web forms, do not block form submission because a user refused to provide optional data.
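The consent rules above (separate, explicit, unbundled choices) and the minimization rules in this section both come down to what the server accepts from a submission. The validator below is an added example written for this page, not FormBlade's code: it drops any field the form did not declare, never refuses a submission because an optional field is empty, and requires an explicit separate consent for processing, for cross-border transfer when the data is stored outside China, and for sensitive data only when a sensitive field was actually filled in. The schema format, the purpose names, the payload shape and the sample contact form are this example's assumptions. Pre-checked boxes cannot be detected server-side; that rule is enforced in the form markup, and the server can only check that the value it received is an explicit true.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example (not FormBlade code): server-side validation that a submission
# carries only the fields the form declared and that every consent the PIPL
# requires for *this* submission was given through its own, separate choice.
# The schema format, purpose names and payload shape are this example's
# assumptions; FormBlade's real configuration is not shown on the page.

# Categories the PIPL treats as sensitive personal information (Art. 28).
SENSITIVE_KINDS = {"biometric", "religion", "identity", "health", "financial", "location"}


@dataclass(frozen=True)
class FormField:
    name: str
    required: bool = False
    kind: str = "plain"          # "plain" or one of SENSITIVE_KINDS


@dataclass(frozen=True)
class FormSchema:
    fields: tuple
    consent_text_version: str    # which wording the person actually saw
    stores_outside_china: bool   # True => a separate cross-border consent is needed


def required_consents(schema, clean):
    """Purposes that need their own checkbox for this particular submission."""
    needed = {"processing"}
    if schema.stores_outside_china:
        needed.add("cross_border")
    kinds = {f.name: f.kind for f in schema.fields}
    if any(kinds[name] in SENSITIVE_KINDS for name in clean):
        needed.add("sensitive")  # only when a sensitive field was actually filled in
    return needed


def validate_submission(schema, payload, now=None):
    """Return (clean_data, consent_record), or raise ValueError listing every problem."""
    errors = []
    declared = {f.name for f in schema.fields}
    # Data minimization: fields the form never declared are dropped before
    # storage rather than kept "just in case". Empty optional fields go too.
    clean = {k: v for k, v in payload.items()
             if k in declared and v is not None and v != ""}
    for f in schema.fields:
        if f.required and f.name not in clean:
            errors.append(f"missing required field '{f.name}'")
    # Nothing above refuses a submission because an optional field is empty (Art. 16).

    consents = payload.get("consents")
    if not isinstance(consents, dict):
        errors.append("'consents' must be an object with one key per purpose")
        consents = {}
    if "all" in consents:
        errors.append("a bundled 'all' consent is not accepted; each purpose needs its own choice")
    needed = required_consents(schema, clean)
    for purpose in sorted(needed):
        if consents.get(purpose) is not True:   # an explicit True, not merely a truthy value
            errors.append(f"separate consent for '{purpose}' was not given")
    if errors:
        raise ValueError("; ".join(errors))

    given_at = now or datetime.now(timezone.utc)
    consent_record = {            # stored with the submission as evidence of consent
        "purposes": sorted(needed),
        "consent_text_version": schema.consent_text_version,
        "given_at": given_at.isoformat(),
    }
    return clean, consent_record


# Constructed contact-form schema for the demo below (an assumption, not a real form).
CONTACT_FORM = FormSchema(
    fields=(FormField("name", required=True), FormField("email", required=True),
            FormField("message", required=True), FormField("phone"),
            FormField("health_condition", kind="health")),
    consent_text_version="2024-01",
    stores_outside_china=True,
)

if __name__ == "__main__":
    ok = {"name": "Li", "email": "li@example.com", "message": "Hello",
          "date_of_birth": "2000-01-01",          # undeclared: will be dropped
          "consents": {"processing": True, "cross_border": True}}
    print(validate_submission(CONTACT_FORM, ok))
    try:
        validate_submission(CONTACT_FORM, dict(ok, consents={"all": True}))
    except ValueError as exc:
        print("rejected:", exc)
```

The consent record is kept with the submission because a consent you cannot evidence later (which purposes, which wording, when) is hard to defend; storing the version of the consent text rather than the text itself keeps the record small and still lets you show exactly what the person agreed to.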
Individual rights
The PIPL grants individuals a broad set of rights over their personal information — broader in some areas than the GDPR:
- Right to know — individuals must be informed about how their data is collected, used, and shared.
- Right to access — individuals can request a copy of their personal information.
- Right to correct — individuals can request correction of inaccurate or incomplete information.
- Right to delete — individuals can request deletion of their data. Processors must also delete proactively when the processing purpose has been achieved, the retention period has expired, or consent has been withdrawn.
- Right to withdraw consent — individuals can withdraw consent at any time, and the processor must provide a convenient method for doing so.
- Right to restrict or refuse processing — individuals can restrict or refuse the processing of their personal information.
- Right to data portability — individuals can request transfer of their personal information to another processor, provided it meets conditions set by the CAC.
- Right to explanation of automated decision-making — if automated decision-making significantly affects an individual's rights, they can request an explanation and can refuse processing based solely on automated decisions.
When you receive a rights request related to form submissions:
- Verify that the requester is the person the data is about (for example, by confirming they control the email address on the submission) before you release or change anything. An unverified access request is otherwise a way for anyone to pull a stranger's submissions out of your dashboard.
- Search for the individual's submissions in the dashboard by email or name.
- Fulfill the request (provide data, correct it, or delete it), and for deletions cover any copies you control outside the dashboard, such as exports or notification emails.
- Respond within a reasonable timeframe. The PIPL does not set a fixed deadline the way the GDPR does, but prompt handling is expected, and keep a record of when each request was received and completed.
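The retention setting in the preset and the rights listed above share one mechanism: a store that can find, copy, correct and delete an individual's submissions, and that deletes on its own when the retention period runs out or consent is withdrawn. The code below is an added example written for this page, not FormBlade's code or its dashboard API: an in-memory stand-in for the submissions table with a retention purge, rights-request handling gated on requester verification, and an audit log of what was done. The row layout, the event names and the verification flag are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

# Added example (not FormBlade code): an in-memory stand-in for a submissions
# table that does the two things the PIPL obliges a processor to do unprompted
# (purge when retention ends, delete when consent is withdrawn) and the three
# things a rights request can ask for (copy, correction, deletion), each only
# after the requester has been verified. Row layout, the audit log and the
# verification flag are this example's assumptions.


def _as_dt(value):
    """Accept an ISO-8601 string or a datetime; naive datetimes are taken as UTC."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


class SubmissionStore:
    def __init__(self, retention_days=365):
        self.retention = timedelta(days=retention_days)
        self._rows = {}          # submission id -> row
        self._next_id = 1
        self.audit = []          # (event, email, rows affected, when): evidence requests were handled

    def add(self, email, data, consent_record, received_at):
        sid = self._next_id
        self._next_id += 1
        self._rows[sid] = {
            "id": sid,
            "email": email.strip().lower(),      # normalized, so lookups by email are exact
            "data": dict(data),
            "consent": dict(consent_record),
            "received_at": _as_dt(received_at),
        }
        return sid

    def purge_expired(self, now):
        """Delete rows older than the retention period without waiting to be asked (Art. 47)."""
        now = _as_dt(now)
        cutoff = now - self.retention
        expired = [sid for sid, r in self._rows.items() if r["received_at"] <= cutoff]
        for sid in expired:
            del self._rows[sid]
        self.audit.append(("retention_purge", None, len(expired), now.isoformat()))
        return len(expired)

    def find_by_email(self, email):
        key = email.strip().lower()
        return [r for r in self._rows.values() if r["email"] == key]

    def export(self, email):
        """Right to access / copy: a machine-readable copy with no internal columns."""
        return [{"id": r["id"], "received_at": r["received_at"].isoformat(),
                 "data": dict(r["data"]), "consent": dict(r["consent"])}
                for r in self.find_by_email(email)]

    def correct(self, email, updates):
        """Right to correct: apply the requested changes to every matching submission."""
        rows = self.find_by_email(email)
        for r in rows:
            r["data"].update(updates)
        self._log("correction", email, len(rows))
        return len(rows)

    def delete(self, email, reason="deletion_request"):
        ids = [r["id"] for r in self.find_by_email(email)]
        for sid in ids:
            del self._rows[sid]
        self._log(reason, email, len(ids))
        return len(ids)

    def withdraw_consent(self, email):
        """Withdrawal removes the legal basis, so the data goes with it (Art. 47)."""
        return self.delete(email, reason="consent_withdrawn")

    def _log(self, event, email, count):
        self.audit.append((event, email.strip().lower(), count,
                           datetime.now(timezone.utc).isoformat()))


def handle_rights_request(store, kind, email, requester_verified, updates=None):
    """Dispatch a rights request; refuse everything until identity has been verified.

    An access request from an unverified requester is otherwise a way for anyone
    to pull a stranger's submissions out of the store.
    """
    if not requester_verified:
        raise PermissionError("verify that the requester controls this email address first")
    if kind == "access":
        return store.export(email)
    if kind == "correct":
        return store.correct(email, updates or {})
    if kind == "delete":
        return store.delete(email)
    if kind == "withdraw":
        return store.withdraw_consent(email)
    raise ValueError(f"unknown request kind: {kind}")
```

Run `purge_expired` on a schedule rather than only at request time, so data stops existing when the retention period ends regardless of whether anyone asked. The audit log deliberately records counts and timestamps, not the deleted content, so it does not itself become a copy of the data you just removed.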
Children's data
The PIPL classifies personal information of children under 14 years old as sensitive personal information. This triggers heightened requirements:
- Parental consent is required before processing any personal information from a child under 14. This consent must be obtained from the child's parent or guardian and must be separate from any general consent.
- Processors must formulate specific processing rules for children's personal information and make those rules publicly available.
- A personal information protection impact assessment must be conducted before processing children's data.
If your form might be used by individuals under 14, you need safeguards beyond what FormBlade's compliance preset provides. Consider age verification mechanisms and a dedicated parental consent workflow.
Penalties
The PIPL imposes significant penalties that can affect both organizations and individuals:
- General violations: orders to rectify, warnings, confiscation of illegal income, and fines of up to 1 million RMB (approximately $140,000 USD). The directly responsible person can be fined between 10,000 and 100,000 RMB.
- Serious violations: fines of up to 50 million RMB (approximately $7 million USD) or 5% of the previous year's revenue. The responsible individual can be fined between 100,000 and 1 million RMB and may be banned from serving as a director, supervisor, or senior manager of a company for a specified period.
- Operational sanctions: the relevant authority can order the suspension or termination of the app or service, and can revoke business permits or licenses.
The personal liability provisions are notable. Unlike many data protection laws that focus penalties on the organization, the PIPL explicitly targets the individuals responsible for compliance decisions.
Practical recommendations
The PIPL is an active, enforced law. The CAC and other authorities have already taken enforcement actions against major platforms. For form operators collecting data from individuals in China, these steps will put you in a strong compliance position:
- Apply the PIPL preset. The consent, IP anonymization, and retention settings address the law's core requirements for web form data collection.
- Write a clear consent message. Your consent checkbox text should state what data you collect, why you collect it, and how the individual can withdraw consent. Example:
I consent to [Company Name] collecting and storing this form data to respond to my inquiry. I can withdraw consent at any time by emailing privacy@example.com.
- Understand your cross-border obligations. If your servers are outside China and you collect data from Chinese users, you likely need to implement one of the three transfer mechanisms (SCCs are the most practical for small-scale operators). Consult with a legal advisor familiar with Chinese data protection law.
- Minimize form fields. Only collect what you genuinely need. Remove optional fields that do not serve the form's stated purpose. The PIPL's data minimization requirement is explicit and enforceable.
- Set an appropriate retention period. The 365-day default is a starting point. If you can fulfill the form's purpose in 90 or 180 days, use a shorter period.
- Plan for rights requests. Have a process in place to respond to access, correction, and deletion requests. Use the FormBlade dashboard's search and export features to locate and manage individual submissions.
- Do not collect children's data without safeguards. If your form could be used by individuals under 14, implement parental consent verification and conduct an impact assessment before going live.