Are You Exposed Under China’s 2026 Personal Information Protection Campaigns?
China’s personal information protection enforcement enters a new phase in 2026, with regulators shifting from rule‑making to operational scrutiny. The latest special enforcement actions target apps, advertising, education, healthcare, transportation, and financial services, with clear implications for foreign businesses. This article explains what is being targeted and how companies can prepare.
China is entering a new phase of personal information protection enforcement.
On April 2, 2026, the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), jointly announced a series of nationwide special enforcement actions targeting unlawful and irregular personal information processing activities.
For foreign-invested enterprises (FIEs), multinational companies, and overseas digital service providers operating in or targeting the Chinese Mainland, the message is clear: regulatory tolerance is shrinking, and operational compliance is under the spotlight.
This article breaks down what is being targeted, why it matters for foreign businesses, and most importantly, what companies should do now to reduce enforcement, reputational, and operational risk.
Is China intensifying personal information protection enforcement?
The short answer is no. China’s 2026 special enforcement actions for personal information protection should be understood not as a sudden regulatory escalation, but as the next stage of implementing the Personal Information Protection Law (PIPL). After several years of building a comprehensive legal framework, regulators are now shifting their focus to routine, standardized enforcement centered on execution and accountability.
The core change is a move from rule‑setting to rule‑testing. Regulators are increasingly concerned with whether PIPL principles, such as necessity, purpose limitation, and data minimization, are actually embedded in business operations, rather than merely reflected in policy documents. This marks a process of regulatory normalization, in which abstract legal standards are translated into clear, sector‑specific, and enforceable compliance expectations.
In that context, 2026 is less about a sweeping crackdown and more about making compliance work in practice across industries.
This shift is evident in the design of the 2026 special enforcement actions, which emphasize:
- Sector‑specific enforcement, focusing on high‑risk industries
- Product‑level scrutiny, including apps, SDKs, and digital platforms
- Cross‑agency coordination between regulatory and public security authorities
- Escalation to criminal enforcement for serious or systemic violations
Why the 2026 special enforcement actions matter for foreign businesses
Unlike earlier campaign‑style inspections that primarily targeted domestic internet companies, the 2026 actions directly affect foreign businesses operating in or targeting the Chinese Mainland. This includes:
- Foreign‑owned apps and SaaS platforms
- China‑facing websites and WeChat mini‑programs
- Multinational companies using third‑party vendors to process personal data
- China entities applying group‑level global IT systems and data policies
As enforcement becomes more systematic and operationally focused, compliance gaps that were once viewed as minor or “technical” issues, such as excessive data collection, ineffective consent mechanisms, or weak third‑party controls, may now result in administrative penalties, mandatory rectification, product takedowns, business suspension, or, in serious cases, criminal liability.
For foreign businesses, it’s important to understand that personal information protection in China has evolved into a core operational and risk‑management issue, requiring demonstrable, day‑to‑day compliance rather than high‑level regulatory awareness.
Common exposure points for foreign enterprises include:
- Using overseas or regional SDKs not localized for China rules
- Applying global fraud, marketing, or analytics models that over-collect data
- Weak third‑party data sharing governance
- Consent mechanisms that exist in design but fail in practice
Key focus areas of the 2026 enforcement campaign
Below is a practical breakdown of each enforcement focus area, with implications for foreign businesses.
App and SDK personal information violations
Who is targeted:
All apps operating in China, as well as embedded SDKs (analytics, advertising, maps, push notifications, customer engagement tools).
High-risk issues include:
- Missing or vague privacy policies
- No functional account deletion mechanism
- Collecting personal data before user consent
- Default access to location, contacts, SMS, or device data
- SDKs collecting data inconsistent with app disclosures
Why this matters to foreign companies:
Many China‑facing apps developed by MNCs rely on third‑party SDKs (often local vendors). If an SDK violates PIPL rules, the app operator remains legally responsible.
Action point:
App owners, product teams, IT, and compliance functions should conduct a comprehensive SDK inventory and data‑flow audit for all China‑facing apps. In particular, they are advised to:
- Identify which personal information each SDK collects, for what purpose, when it is triggered, where data is stored, and whether it is shared with third parties.
- Confirm that SDK behavior aligns with user disclosures, consent scope, and the minimum‑necessity requirement under the PIPL.
- Where gaps are identified, adjust configurations, restrict permissions, or replace non‑compliant SDKs.
- Collect and review China‑specific privacy compliance documentation in Chinese from SDK providers, and retain review and remediation records to support regulatory inspections.
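The inventory and data‑flow audit described above can be turned into a repeatable gap check: compare what each embedded SDK is observed to collect, when it fires, and where it sends data against the app’s own privacy policy and declared core functions. The following is an added example, not code from the article or from any SDK vendor; the SDK names, data items and disclosure sets are constructed for illustration.

```python
"""SDK inventory gap check: observed SDK behaviour vs. app disclosures (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class SdkRecord:
    name: str
    collects: FrozenSet[str]      # data items observed, e.g. from a traffic capture of the app
    fires_before_consent: bool    # SDK initialises before the consent dialog is accepted
    shares_externally: bool       # SDK transmits data to the vendor's own infrastructure


@dataclass(frozen=True)
class AppDisclosure:
    disclosed_items: FrozenSet[str]       # data items named in the privacy policy
    necessary_items: FrozenSet[str]       # items justified by the app's declared core functions
    disclosed_recipients: FrozenSet[str]  # SDK vendors named as third-party recipients


Finding = Tuple[str, str, Tuple[str, ...]]  # (sdk name, issue code, affected data items)


def audit_sdks(sdks: List[SdkRecord], disclosure: AppDisclosure) -> List[Finding]:
    """Return one finding per gap between SDK behaviour and the app's disclosures."""
    findings: List[Finding] = []
    for sdk in sdks:
        undisclosed = sdk.collects - disclosure.disclosed_items
        if undisclosed:
            findings.append((sdk.name, "undisclosed_collection", tuple(sorted(undisclosed))))
        excess = sdk.collects - disclosure.necessary_items
        if excess:
            findings.append((sdk.name, "exceeds_minimum_necessity", tuple(sorted(excess))))
        if sdk.fires_before_consent and sdk.collects:
            findings.append((sdk.name, "collection_before_consent", tuple(sorted(sdk.collects))))
        if sdk.shares_externally and sdk.name not in disclosure.disclosed_recipients:
            findings.append((sdk.name, "undisclosed_third_party_sharing", tuple(sorted(sdk.collects))))
    return findings


# Constructed sample inventory: one map SDK, one analytics SDK, one push SDK.
SAMPLE_SDKS = [
    SdkRecord("map_sdk", frozenset({"location"}), False, True),
    SdkRecord("analytics_sdk", frozenset({"device_id", "location", "app_list"}), True, True),
    SdkRecord("push_sdk", frozenset({"device_id"}), False, True),
]
SAMPLE_DISCLOSURE = AppDisclosure(
    disclosed_items=frozenset({"location", "device_id"}),
    necessary_items=frozenset({"location", "device_id"}),
    disclosed_recipients=frozenset({"map_sdk", "push_sdk"}),
)

if __name__ == "__main__":
    for sdk_name, issue, items in audit_sdks(SAMPLE_SDKS, SAMPLE_DISCLOSURE):
        print(f"{sdk_name:14} {issue:32} {', '.join(items)}")
```

With the constructed data, only the analytics SDK produces findings (undisclosed app list collection, collection exceeding necessity, pre‑consent triggering, and sharing with an undisclosed recipient); each finding maps directly to a remediation step in the list above.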
Internet advertising and personalized recommendation compliance
Who is targeted:
Advertising platforms, media companies, and businesses engaging in programmatic advertising, user profiling, or personalized recommendations.
Top enforcement triggers:
- Failure to disclose advertising data usage in privacy policies
- No user‑friendly opt‑out from personalized ads
- Continuing data collection after users opt out
- Weak internal access controls and data sharing governance
Why this matters:
Foreign brands often rely on China‑based digital marketing agencies and ad‑tech vendors to conduct data‑driven advertising. Under China’s personal information protection regime, regulators increasingly scrutinize both the advertising platform and the advertiser, particularly where the advertiser determines the purpose of data processing or benefits directly from profiling and targeted delivery.
Action point:
Relevant parties should review advertising and ad‑tech contracts to clearly define data processing roles and responsibilities and verify that consent mechanisms and personalized recommendation opt‑out (“off switch”) functions operate effectively in practice. They need to ensure disclosures, consent, withdrawal, and opt‑out features comply with PIPL requirements and China’s algorithm transparency rules, and that advertisers are not relying solely on platforms to meet these obligations.
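Verifying that the personalized‑recommendation “off switch” works in practice means checking event logs, not the settings screen: once a user has opted out, no further profiling events should be recorded for that user until they opt back in. The following detection logic is an added example, not from the article or any ad‑tech platform; the log format and event names are constructed.

```python
"""Detect profiling events recorded after a user opted out of personalized ads (constructed example)."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log lines: ISO-8601 timestamp, user id, event type.
# Lines are deliberately not in time order to show that the check sorts first.
SAMPLE_LOG = """\
2026-04-10T08:00:01Z u001 consent_granted
2026-04-10T08:00:05Z u001 ad_profile_event
2026-04-10T08:02:00Z u001 personalized_ads_opt_out
2026-04-10T08:02:30Z u001 ad_profile_event
2026-04-10T08:05:00Z u002 consent_granted
2026-04-10T08:05:10Z u002 ad_profile_event
2026-04-10T08:03:00Z u001 audience_segment_update
2026-04-10T08:10:00Z u001 personalized_ads_opt_in
2026-04-10T08:10:05Z u001 ad_profile_event
"""

PROFILING_EVENTS = {"ad_profile_event", "audience_segment_update"}  # events that feed targeting
OPT_OUT_EVENT = "personalized_ads_opt_out"
OPT_IN_EVENT = "personalized_ads_opt_in"


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed log format and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, kind))
    events.sort()
    return events


def find_post_opt_out_profiling(text: str) -> Dict[str, List[str]]:
    """Map user id -> timestamps of profiling events while that user was opted out."""
    opted_out: set = set()
    violations: Dict[str, List[str]] = {}
    for ts, user, kind in parse_log(text):
        if kind == OPT_OUT_EVENT:
            opted_out.add(user)
        elif kind == OPT_IN_EVENT:
            opted_out.discard(user)  # a later opt-in ends the opted-out window
        elif kind in PROFILING_EVENTS and user in opted_out:
            violations.setdefault(user, []).append(ts.isoformat())
    return violations


if __name__ == "__main__":
    for user, stamps in find_post_opt_out_profiling(SAMPLE_LOG).items():
        print(f"{user}: {len(stamps)} profiling event(s) after opt-out: {stamps}")
```

In the constructed data, u001 has two profiling events in the opted‑out window and none after opting back in, while u002 never opted out and produces no finding.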
Education sector: Children’s and students’ data under the microscope
Who is targeted:
Schools, universities, training providers, ed-tech platforms, and corporate learning tools.
Key violations include:
- Processing data of minors under 14 without guardian consent
- Over-collection of student or parent personal information
- Forced use of facial recognition for identity verification
- Sharing data with third parties without notice or consent
Why this matters:
Foreign education providers and corporate training platforms operating in China often deploy global or regional learning systems that are not localized for China’s stricter requirements on minors’ personal information. This creates heightened compliance risk, particularly where consent, data scope, and identity verification mechanisms do not meet PIPL standards.
Action point:
Foreign education providers and corporate training platforms are advised to establish standalone personal information protection rules for minors, implement verifiable guardian consent processes, and ensure that non‑biometric alternatives to facial recognition are available for identity verification in both online and offline scenarios.
Transportation, travel, and logistics platforms
Who is targeted:
Airlines, rail and ticketing platforms, logistics providers, parking systems, and mobility apps.
Common issues under enforcement:
- Forced registration for basic services (e.g., parking payment)
- Excessive location tracking
- Unauthorized sharing with ticket agents or partners
- Data leaks involving addresses, trips, or contact details
Why this matters:
Foreign companies integrating China‑based travel, logistics, or expense management tools often involve multiple vendors and system interfaces, increasing the risk of unnecessary data transfers, unclear data roles, and uncontrolled downstream sharing, particularly for location and identity data.
Action point:
Relevant businesses are advised to apply strict data‑minimization controls, especially for location, travel itinerary, and identity information, and conduct third‑party data sharing assessments to confirm lawful purpose, transparency, consent coverage, and vendor safeguards in line with PIPL requirements.
Healthcare and health data enforcement
Who is targeted:
Hospitals, clinics, health apps, digital health platforms, and corporate healthcare providers.
Key compliance risks:
- Over-collection of location or identity data
- Inadequate user authentication
- Unauthorized disclosure of medical data
- Insufficient encryption or access controls
Why this matters:
Health data is classified as sensitive personal information under the PIPL and is subject to heightened protection obligations. Regulatory violations involving health data carry heavier penalties, lower tolerance for remediation failures, and significant reputational risk, particularly where safeguards are deemed inadequate.
Action point:
Relevant parties should implement enhanced technical and organizational safeguards, including data encryption, strict access controls, and clearly defined role‑based permission mechanisms, to ensure health data is accessed, used, and disclosed only on a need‑to‑know basis in line with PIPL requirements.
Financial services and internet lending platforms
Who is targeted:
Banks, insurers, fintech platforms, payment companies, and online lending services.
High-risk practices include:
- Collecting contacts, call logs, app lists, or SMS data
- Sharing data with partners without disclosure
- Facial recognition as the only identity verification method
- Weak internal data governance
Why this matters:
Foreign financial institutions operating in China are often caught between global group‑level risk, fraud‑control, or customer due diligence frameworks and China’s stricter requirements on data minimization and purpose limitation. Practices that are standard elsewhere may be viewed by Chinese regulators as excessive or unjustified collection of personal information.
Action point:
Financial services and internet lending platforms should localize data collection and risk‑management standards for China operations. They are advised to reassess global risk, credit, and fraud models to identify areas of potential over‑collection, and ensure that personal information collected is strictly necessary, clearly disclosed, and supported by valid user consent in accordance with China’s personal information protection rules.
Crackdown on personal information-related crimes
Beyond administrative enforcement, regulators will coordinate criminal investigations targeting:
- Data leaks
- Data trafficking
- Insider misuse of personal information
- Illegal data commercialization
Both companies and individual employees (“industry insiders”) may face criminal liability.
Practical compliance checklist for foreign businesses
To prepare for China’s 2026 personal information protection enforcement actions, foreign businesses should shift their focus from conceptual compliance to operational readiness. In practice, this means embedding PIPL requirements into systems, workflows, and decision‑making processes, rather than relying on high‑level policies alone. Key priorities include:
- China‑specific data mapping and gap analysis
- Localized privacy policies aligned with actual practices
- Consent and withdrawal mechanisms that function in practice
- SDK, vendor, and partner due diligence
- Employee access control and internal training
- Incident response and reporting mechanisms
In short, waiting for an inspection notice is no longer a viable strategy. Regulators expect companies to demonstrate ongoing, proactive compliance capability.
Final takeaway: 2026 is about execution, not interpretation
China’s regulators are no longer asking whether companies understand the Personal Information Protection Law. They are asking whether companies execute it consistently and effectively in daily operations. The 2026 special enforcement actions signal a shift toward assessing real‑world behavior: how data is collected, how systems are configured, how vendors are managed, and how risks are controlled.
For foreign businesses, personal information protection in China has moved beyond regulatory theory. Compliance is more about maintaining market access, protecting brand reputation, and sustaining long‑term operations in the Chinese Mainland, rather than just about avoiding fines. Companies are advised to treat data compliance as a core operational issue, rather than a peripheral legal task.
Asia’s data protection environment is rapidly evolving, with businesses facing rising pressure to maintain secure IT systems while complying with national regulations like China’s CSL, DSL, and PIPL, alongside global frameworks such as GDPR. Dezan Shira & Associates provides cybersecurity and compliance advisory tailored for Asia’s regulatory landscape. Our services include IT infrastructure audits, Zero Trust implementation, security training, and multi-jurisdictional data privacy compliance.
About Us
China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
For a complimentary subscription to China Briefing’s content products, please click here. For support with establishing a business in China or for assistance in analyzing and entering markets, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.