China Website Compliance: Top FAQs Answered

Your quick guide to China's data and cybersecurity regulations.Need help selecting a plan? Estimate your plan.

What is China’s Cybersecurity Law (CSL)?

The Cybersecurity Law (CSL) is the foundation of China’s three-layer data regime that regulates networks, mandates data localization for Critical Information Infrastructure Operators (CIIOs), and requires transparency, consent, and security controls for personal data including foreign sites serving Chinese users. 

What changed in the 2025 CSL draft amendments?

The March 2025 draft amendments to the Cybersecurity Law increase penalty limits, authorize regulators to shut down both apps and websites, require certified security products, and introduce a “voluntary rectification” mechanism that may reduce penalties for proactive compliance.

How does the CSL relate to the DSL and PIPL?

The three data laws are a layered set of measures: the Cybersecurity Law predominantly focuses on networks & infrastructure, the Data Security Law on “important data”, and the Personal Information Protection Law on personal data & privacy. Together they form an integrated framework.

What is the Data Security Law (DSL)?

Since 2021, the DSL classifies all data, sets security tiers and tightens localization and export rules for “important” data.

What counts as “Important Data”?

“Important Data” is judged by sector, scale and harm potential. Businesses need to catalogue important data, run risk reviews, and pass a CAC security assessment before any data export. Penalties include fines up to RMB 10 million plus licence loss.

Who is the Cyberspace Administration of China (CAC)?

China’s top internet regulator. It drafts and enforces the CSL, DSL & PIPL, runs security/algorithm reviews and can fine or shut services, including overseas companies processing Chinese data.

Does PIPL apply to companies outside China?

Yes. PIPL’s extraterritorial reach means any business handling data on people in China must comply, regardless of whether or not they are physically present in China.

What is Sensitive Personal Information (SPI)?

SPI includes data such as biometrics, health and financial records, religious beliefs, and data of minors (under 14s). It requires separate consent and higher protection due to its potential for serious harm if misused.

What is Automated Decision-Making (ADM) and what rights do users have?

ADM refers to algorithmic decisions (e.g., credit scoring, ads, hiring). PIPL lets users opt-out of marketing profiles, request explanations and demand human review where any ADM is used.

When must we run a Personal Information Protection Impact Assessment (PIPIA)?

Companies that are processing personal information have to conduct a PIPIA before engaging in data processing that involves SPI, launching ADM, exporting data or changing data flows. A PIPIA maps data, rates risk and records mitigations.

What are China’s Standard Contractual Clauses (SCCs)?

China’s SCCs provide a framework to legally transfer personal data from Mainland China to overseas recipients. They are part of the cross-border compliance regime under PIPL.

What is Cross-Border Data Transfer (CBDT)?

CBDT refers to the transfer of personal or “important” data outside of China. This is regulated under PIPL, DSL, and CSL and may require SCCs, CAC approvals, or PIPIA filings.

What is data localization and who must comply?

Data localization refers to the practice of storing data within a specific country or region. In China, this means certain data categories (e.g., personal data, financial data, health data) must be stored on servers physically located within the country's borders. China’s data laws apply to any business that collects, stores, uses, sells, or shares personal data from individuals in mainland China, regardless of whether they have a physical presence in China. 

Can anonymization bypass cross-border rules?

Only if the data is irreversibly anonymized. Reversible pseudonymized data is still considered personal information under PIPL and must follow cross-border transfer rules.

What is a Critical Information Infrastructure Operator (CIIO)?

CIIOs are organizations in sectors like telecom, energy, transport, and finance that manage systems critical to national security. They face heightened compliance requirements, including data localization and CAC security reviews.

Have more questions?

Reach out our Chinafy support team via email or via our chat bot. Our team usually responds within a few hours or within 1 day, if not immediately! Visit our Chinafy Support Center for more information.
Chinafy Support Center
Share
Make your website work in China
Fill out the form and one of our Chinafy team members will reach out to you within 1 business day to book an initial call or with a plan for next steps.
check30%-40% faster compared to using a CDN alone.
checkVerifiable results in just 2 weeks, instead of 1-2 years.
checkLittle to no action required from your IT teams.
"Chinafy has made it possible for us to be sure that our web visitors in China have the same good experience as all our other visitors in the rest of the world."
Michela Nalin Francek, Marketing Manager for Nolato
"Over 1 million engineers use SnapEDA each year all over the world. We were attracted to Chinafy's service because of how easy they made it to support the Chinese market."
Natasha Baker, CEO & Founder of SnapEDA
We are very happy with working with Chinafy. They went above and beyond to ensure we help MIT Professional Education deliver world-class online education in China.
Ignacio Cerro, CFO, Global Alumni for MIT Professional Education
"Consistency is crucial for us.
Chinafy fits the bill of what we were looking for."
Jonathan Rhodes, Marketing Technology Manager of Registrar Corp
"The process was super easy and I'm really glad we selected your team. The experience has been beyond my expectations."
Nicolas Duchesne-Lafoest, Product Marketing Manager 
"Chinafy went above and beyond to help me produce my event. I'm not sure I would have been successful without them. The client was elated that we managed to fulfill the request to live-stream into China so quickly."
Kevin Denham, Technical Director at ADM Productions
To start, please share a bit more about you.
Which website do you want to Chinafy?
Tell us your name?
What best describes your company role?
What's your Work Email Address?
What would you like to discuss?
Have a discount code?
By clicking 'Get Started', I also agree to Chinafy's Terms of Service & Privacy Policy.
close
Thanks for getting in touch!
One of our China experts will be in touch with you via email within the next 24 hours with

1 - Expected post-Chinafy results
2 - Your Custom Plan
3 - Next steps.

P.S. Make sure to check your promotions inbox in case our message lands there.

Please feel free to check out our case studies or blog in the meantime.
[[embed: get started form inline type]]
×

Notey will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us:

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at community@notey.com. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices here.