Personal Information Protection Law: Your Data Rights and How to Defend Them
时间遗书 editorial team · Updated 2026-07-05 · Reviewed by the product team
China's Personal Information Protection Law (PIPL), in force since November 1, 2021, grants individuals the right to know, decide, access, copy, correct, and delete their personal information. Companies that handle personal data must disclose the purpose and scope of processing, obtain consent, collect only what is necessary, and take security measures to protect what they hold. Individuals can complain to the cybersecurity administration or sue. This guide covers the boundary between your legal rights, corporate obligations, and the defenses you still have to run yourself.
On November 1, 2021, China's Personal Information Protection Law (PIPL) took effect as the country's first comprehensive law on personal information processing. It defines which information about you is yours to control, where companies must stop collecting, and how to seek recourse after a leak. This guide covers both the legal rights and the practical steps. Further reading: Personal Information Security.
What the PIPL Covers
The law protects a broad range of personal information: name, ID number, phone number, facial image, location, biometrics, health data, and anything else recorded electronically or otherwise that identifies or can identify a specific natural person. Biometrics, religious belief, specific identity, medical and health data, financial accounts, location tracking, and any personal information of children under 14 count as sensitive personal information, which may be processed only for a specific purpose, only when sufficiently necessary, and only with separate consent. Data that has been anonymized so that the person cannot be identified and the identification cannot be reversed is out of scope; merely de-identified data that could still be re-linked to a person is not anonymized and remains covered.
- Scope of personal information — Anything identifying a natural person.
- Sensitive personal information — Biometrics, health, finance, location — stricter rules.
- Anonymized data exempt — Information that can no longer identify a person is out of scope.
What Rights You Have
The law grants individuals core rights over their own information: to know and decide, to access and copy, to correct and supplement, to delete, and to have data transferred. In plain terms: you have the right to know who collects your data, what it is used for, and whether it has been shared with or sold to third parties; you can obtain a copy, fix errors, demand deletion once the purpose has been achieved or your consent withdrawn, and, under conditions set by the cybersecurity administration, have it transferred to another handler you designate.
- Right to know and decide — Who collects, for what purpose.
- Right to access and copy — You can ask for your own data.
- Right to correct and supplement — Fix what's wrong.
- Right to delete — Have data removed in defined circumstances.
- Right to portability — Receive your data in a usable form.
What Obligations Companies Have
Companies that collect and process personal information must follow the principles of lawfulness, legitimacy, necessity, and good faith: disclose the purpose, method, and scope of processing, obtain consent, and process only the minimum the stated purpose requires. If personal information has leaked, been tampered with, or been lost, or is likely to be, the handler must immediately take remedial measures and notify both the competent authority and the affected individuals (individual notice may be skipped only where the remedial measures effectively avert harm, and the authority can still order it). A handler may not refuse a product or service because you declined consent, unless the processing is genuinely necessary to provide that product or service. U.S. state laws take a different approach: California's CCPA gives opt-out rights rather than requiring opt-in consent, and its scope and exemptions differ.
- Inform and consent — Disclose purpose, method, scope before collecting.
- Minimal necessity — Only process what the feature actually needs.
- Security obligations — Take technical and organizational measures to protect data.
- Breach notification — Act and notify promptly on a leak.
How to Protect Yourself Day to Day
The law is a remedy after the fact; day-to-day defense still depends on you. Apply the same minimal-necessity principle when granting permissions: if an app asks for your contacts, ask whether the feature actually needs them; if it asks for location, grant it only while in use and turn it off afterwards. Turn on 2FA for important accounts and use a different password for each account rather than reusing one across tiers; a password manager makes that practical. For the detailed approach, see Password Management Guide.
- Minimize permissions — Revoke what you don't actively use.
- Strong passwords + 2FA — On every account that supports it.
- Audit authorized apps — Review periodically and revoke stale access.
- Encrypt sensitive data — ID photos, financial info, private keys.
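One concrete way to do the last item, as an added example that is not part of the original guide: passphrase-encrypt a file with `openssl enc`, which assumes `openssl` is on PATH. The sample file, its name, and the passphrase below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: passphrase-encrypt a sensitive file (ID scan, key backup)
# with AES-256-CBC and PBKDF2 key stretching via `openssl enc`.
# Assumes `openssl` is on PATH. The sample file and passphrase below are
# constructed for the demo; replace them with your own.
set -eu

WORK="$(mktemp -d)"            # scratch directory for the constructed files
trap 'rm -rf "$WORK"' EXIT     # remove plaintext and scratch files on exit

# Constructed stand-in for an ID-card photo; any file works the same way.
printf 'id-card-scan-placeholder\n' > "$WORK/idcard.jpg"

# Keep the passphrase in a 0600 file and pass it with `file:` so it never
# appears on the command line, where other local users could read it in `ps`.
printf 'correct horse battery staple' > "$WORK/pass"
chmod 600 "$WORK/pass"

# encrypt_file <plaintext> <ciphertext> <passfile>
# -pbkdf2 -iter stretches the passphrase; -salt makes each output unique.
encrypt_file() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file <ciphertext> <plaintext> <passfile>
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# roundtrip: exits 0 only if decryption with the right passphrase restores
# the file byte-for-byte and a wrong passphrase does not.
roundtrip() {
  encrypt_file "$WORK/idcard.jpg" "$WORK/idcard.jpg.enc" "$WORK/pass"
  decrypt_file "$WORK/idcard.jpg.enc" "$WORK/idcard.dec" "$WORK/pass"
  cmp -s "$WORK/idcard.jpg" "$WORK/idcard.dec" || return 1

  printf 'wrong passphrase' > "$WORK/badpass"
  # openssl normally reports "bad decrypt" here; on a rare padding collision it
  # exits 0 but yields garbage, so compare contents instead of trusting exit.
  if decrypt_file "$WORK/idcard.jpg.enc" "$WORK/bad.dec" "$WORK/badpass" 2>/dev/null \
     && cmp -s "$WORK/idcard.jpg" "$WORK/bad.dec"; then
    return 1
  fi
  return 0
}

roundtrip && echo "round trip OK: $WORK/idcard.jpg.enc decrypts only with the right passphrase"
```

Two caveats a practitioner would add: `openssl enc` provides confidentiality only, with no integrity tag, so a tampered or bit-rotted archive is not detected until it decrypts to garbage; for long-term backups prefer a tool with authenticated encryption (age, for example). And the passphrase must be stored apart from the ciphertext, which is exactly what the "name a recipient while alive" advice later in this guide is about: the file can sit in cloud storage, the passphrase goes to the person you trust.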
How to Seek Redress After a Leak
If your personal information is leaked or misused, the first step is preserving evidence: screenshots, notification records, and timestamps. The second is demanding from the operator an explanation, deletion, and a halt to processing. The third is filing a complaint with the cybersecurity administration (its 12377 reporting hotline) or, for consumer disputes, the 12315 market-regulation hotline. If you suffered financial loss or other harm, you can sue in court; the handler is liable for damages unless it can prove it was not at fault, and compensation is measured by your loss or the handler's gain.
- Preserve evidence — Screenshots, logs, notification records.
- Demand action from the operator — Explanation, deletion, stop to processing.
- File a complaint — Cybersecurity administration, 12377, 12315.
- Sue in court — For actual damages.
Deceased Individuals' Information
Under the law, close relatives may, for their own lawful and legitimate interests, exercise the rights to access, copy, correct, and delete a deceased person's personal information, unless the deceased arranged otherwise before death. When handling a loved one's accounts, gather the account list and death certificate first, then apply through each platform's process. Encrypting key credentials and naming a recipient while alive greatly reduces the family's burden later. Further reading: Post-Death Digital Identity Guide.
Disclaimer
This article is for personal information protection knowledge only and does not constitute legal advice. The authoritative text is the version published by the Standing Committee of the National People's Congress. For specific disputes or litigation, consult a qualified lawyer or the cybersecurity or public security authorities. Laws differ by region — U.S. state laws, the EU's GDPR, and Chinese law each have their own rules, and cross-border situations require professional advice.
FAQ
Q: What information does the PIPL cover?
It covers any information recorded electronically or otherwise that relates to an identified or identifiable natural person — excluding anonymized data. Name, ID number, phone, face, location, and biometrics all count; sensitive personal information has stricter rules.
Q: Can an app refuse service if I don't grant permissions?
An app may not refuse to provide a product or service because you declined to let it process your personal information, unless that processing is genuinely necessary to deliver the product or service. Consent must be informed and specific about purpose and scope, and you have the right to withdraw it. You can decline anything beyond what the core feature requires.
Q: How do I defend myself after a leak?
First, preserve evidence (screenshots, notification records, timestamps). Then demand an explanation and deletion from the operator. You can complain to the cybersecurity administration (12377 hotline) or the 12315 consumer hotline, and sue for damages. Also change passwords, enable 2FA, and monitor the affected accounts.
Q: What happens to personal information after someone dies?
Close relatives may exercise rights to access, copy, correct, and delete the deceased's personal information. Families should gather the account list and death certificate and apply through each platform. The deceased can ease this by encrypting key credentials and naming a recipient while alive.