The State Administration for Market Regulation and the Standardization Administration of China have jointly issued a new national standard applicable to companies conducting business in China, GB/T 45574-2025, Data Security Technology – Security Requirements for Processing of Sensitive Personal Information (the Standard), which will take effect on November 1, 2025.
The data protection requirements outlined in the Standard align closely with those under China’s Personal Information Protection Law (PIPL). Whereas the PIPL establishes foundational principles, the new Standard provides detailed operational guidance to ensure transparency, legitimacy, and necessity in data processing. It further refines these principles by establishing clear criteria for identifying sensitive personal information and providing specific definitions of sensitive data categories, thereby offering companies a more actionable framework for compliance.
While the Standard is recommended (nonmandatory), it serves as a practical extension of the PIPL—translating high-level legal principles into specific compliance requirements—that may be relied on by regulators during inspections.
CRITERIA TO IDENTIFY SENSITIVE PERSONAL INFORMATION
The Standard outlines a multilayered framework for identifying sensitive personal information. Personal information handlers are required to assess whether certain data qualifies as sensitive personal information based on the following criteria:
- Information shall be classified as sensitive if it meets any of the following conditions:
  - If leaked or misused, it is likely to infringe upon the dignity of the individual. Examples include doxing, unauthorized access to online accounts, telecom fraud, reputational harm, or discriminatory treatment based on attributes such as identity, religion, sexual orientation, or health status.
  - If leaked or misused, it is likely to endanger the personal safety of the individual. For example, disclosure of location and tracking data may pose physical safety risks.
  - If leaked or misused, it is likely to compromise the financial security of the individual. For example, exposure of financial account information may result in monetary loss.
- The assessment must consider not only standalone data items but also the aggregation of multiple items of general personal information. If the combined dataset, when leaked or misused, could give rise to any of the risks described above, it must be treated as sensitive personal information as well.
- Any personal information defined as sensitive under applicable laws or regulations must be recognized as such.
These criteria reflect a risk-based approach, requiring personal information handlers to proactively assess the potential impact of data processing on individuals’ rights and interests. They also reflect a growing trend in Chinese regulatory practice to focus not just on the nature of data but also on the context of its use and the potential harm to individuals.
CATEGORIES OF SENSITIVE PERSONAL INFORMATION
The Standard reiterates and elaborates on the categories of sensitive personal information, which include:
- Biometric information
- Religious beliefs
- Specific identities
- Medical and health information
- Financial account information
- Location and tracking information (notably, the Standard explicitly excludes location and tracking information generated by certain occupations, such as food delivery and courier workers, when used solely for fulfilling service obligations)
- Personal information of children under 14
- Other sensitive personal information with high risk upon misuse
REQUIREMENTS FOR COLLECTION OF SENSITIVE PERSONAL INFORMATION
The data protection requirements set forth in the Standard are aligned with those under the PIPL. The Standard offers further elaboration to ensure transparency, legitimacy, and necessity in data processing:
- No collection of sensitive personal information if general personal information suffices. If the processing purpose can be achieved using nonsensitive data, sensitive personal information must not be collected.
- Collection must be limited to active use periods. Sensitive personal information should only be collected during the period in which the data subject is actively using the specific business function that requires it.
- Collection must be function- or scenario-specific. Sensitive personal information must be collected on a per-function or per-business-scenario basis, avoiding unnecessary bundling of data.
- No concealment of data collection functionalities. Products or services that involve sensitive personal information collection must clearly disclose, typically through privacy policies or similar notices, the types, scope, purpose, necessity, and potential impact on individuals’ rights.
- No deception or coercion. Sensitive personal information must not be obtained through fraud, deception, inducement, misdirection, or coercion either directly or via third parties. The purchase of sensitive personal information through illegal channels is also strictly prohibited.
- No unauthorized technical scraping. The use of automated tools (e.g., scripts or bots) to extract sensitive personal information from websites, applications, or transmitted content is not permitted.
STRINGENT NOTIFICATION REQUIREMENTS
Before collecting sensitive personal information, personal information handlers must provide clear and proactive notification to individuals. Under the Standard, obligations include:
- Personal information handlers must use distinguishable methods such as pop-up windows, SMS, input forms, animations, redirected prompt pages, or voice prompts to notify individuals before collecting sensitive personal information. These mechanisms must ensure the individual’s attention and informed understanding.
- If, in emergency scenarios involving life, health, or property safety, prior notice is not feasible, handlers must provide notification promptly after the emergency subsides.
- Where sensitive personal information is continuously collected (e.g., during app usage involving real-time recording, tracking, or monitoring), personal information handlers should implement persistent or periodic notification mechanisms. For example, in navigation services that continuously collect a data subject’s geolocation information, the individual should be reminded that their location is being collected through means such as floating windows, pop-up messages, voice prompts, device vibrations, or status bar icons.
This notification framework emphasizes transparency and user awareness, aiming to mitigate risks associated with covert or insufficient disclosure and uphold individuals’ right to be informed.
REFINED REQUIREMENTS FOR CONSENT
The Standard provides further granularity regarding the conditions and implementation of separate consent, written consent, and the withdrawal of consent by individuals. These refinements serve to operationalize the consent-related requirements under the PIPL and ensure that consent is not only lawfully obtained but also specific, informed, and revocable.
Separate Consent
Under the Standard, “separate consent” means that, when processing sensitive personal information, personal information handlers shall not obtain consent in combination with consent for general personal information.
Key provisions include:
- Where a single type of sensitive personal information is used for multiple processing purposes or business functions, the handler shall not obtain bundled consent.
- Where multiple sensitive personal information processing activities are involved, personal information handlers shall provide the personal information subject with a separate consent mechanism for each processing purpose or business function.
- When processing publicly available sensitive personal information, if the handler’s assessment concludes that such processing may have a significant impact on individual rights and interests, the handler shall obtain the separate consent of the individual.
With regard to the means to obtain separate consent, the Standard provides that separate consent may be obtained through the personal information subject’s active submission or by informing the individual through dedicated interfaces, such as separate pages, telephone, or SMS, followed by affirmative actions such as clicking, option selection, or form completion.
Written Consent
According to the Standard, unless laws or regulations expressly provide otherwise, the processing of sensitive personal information shall require the written consent of the personal information subject:
- Written consent may be obtained by the personal information handler through a tangible expression of the content, such as paper documents or digital communications, and the personal information subject shall provide consent through active signature, seal, or electronic signature, among other means.
- Scenarios requiring written consent include the collection of human genetic resources, inquiries into personal information made to credit reporting agencies, the provision of credit information by financial institutions to other entities, and the disclosure of real estate transaction–related information in the course of using real estate brokerage services.
- Notably, the Standard introduces, for the first time, a written consent template specifically for the processing of sensitive personal information. The template has been developed to align with the requirements set out under existing legislation regarding sensitive personal information processing.
The Withdrawal of Consent
Where sensitive personal information is processed based on individual consent, the personal information handler shall provide the personal information subject with a convenient means to withdraw consent and is also encouraged to inform the personal information subject of the potential impact that withdrawal of consent may have on them.
SPECIFIC SECURITY MEASURES
In addition to the provisions outlined above, the Standard includes a wide range of detailed requirements for personal information handlers in the protection of sensitive personal information.
These requirements, while operational in nature, reflect the growing expectation for granular compliance throughout the sensitive personal information processing:
- The personal information handler shall identify sensitive personal information prior to processing, classify it accordingly, and establish a sensitive personal information catalog, which shall be updated in a timely manner.
- After de-identification, sensitive personal information shall be protected as general personal information, except for information that has been anonymized. When sensitive personal information is displayed in products or internal systems, the personal information handler shall apply de-identification by default.
- The personal information handler shall conduct a personal information protection impact assessment (PIPIA) before launching any new application that involves the processing of sensitive personal information, and the assessment report shall be retained for three years.
- The personal information handler shall record the processing and operations of sensitive personal information, and log records shall be retained for three years.
- The personal information handler is advised to evaluate the effectiveness of the deletion or anonymization of sensitive personal information. Sensitive personal information that has been deleted or anonymized shall not be capable of being restored.
- The personal information handler shall conduct security audits of sensitive personal information processing logs and user access permissions at least once per month and shall promptly address any improper authorizations or operations.
- The personal information handler shall establish a mechanism for the deletion of sensitive personal information and provide the personal information subject with convenient means to delete their sensitive personal information. Where the retention of such information is required by laws or administrative regulations, the personal information handler shall promptly delete or anonymize it upon expiration. It is worth noting that the Standard defines “expiration” to include the following circumstances:
  - The processing purpose has been achieved, cannot be achieved, or is no longer necessary to achieve the processing purpose
  - The personal information handler has ceased to provide the relevant product or service or the retention period has expired
  - The individual has withdrawn their consent
  - The personal information handler has violated laws or administrative regulations or has processed personal information in breach of agreed terms
  - The statutory retention period prescribed by laws or administrative regulations has expired, among other circumstances
- For personal information handlers that process sensitive personal information of more than 100,000 individuals, the Standard stipulates that the following requirements must be met:
  - A personal information protection officer and management body shall be designated to supervise personal information processing activities and the implementation of corresponding protection measures
  - The personal information protection officer shall possess professional knowledge of personal information protection and relevant management experience and shall be a member of the handler’s management team
  - Security background checks shall be conducted on the personal information protection officer and personnel in key positions
  - In circumstances such as mergers, divisions, dissolution, or bankruptcy that may affect the security of sensitive personal information, a disposal plan for sensitive personal information shall be developed, and appropriate measures shall be taken to ensure its security
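Several of the measures above (the sensitive personal information catalog, de-identification by default when such information is displayed, the three-year retention of processing logs, and the monthly audit of logs and access permissions) are the kind of control an engineering team would implement in code rather than in policy. The following is an added illustration written for this article, not code from the Standard or from any regulator: the field names, categories, masking formats, log line format and permission table are all assumptions of the example, and the Standard itself prescribes none of them. It shows a catalog-driven de-identification step that masks every catalogued field before display, an audit that flags accesses to catalogued fields by accounts without a matching authorization, and a retention deadline helper for log records.

```python
import re
from datetime import datetime

# Sensitive personal information catalog: field name -> category.
# Field and category names are this example's assumptions; the Standard
# requires a catalog but does not prescribe its schema.
CATALOG = {
    "bank_account": "financial_account",
    "id_number": "specific_identity",
    "diagnosis": "medical_health",
    "gps": "location_tracking",
    "mobile": "other_sensitive",  # assumed sensitive after the handler's risk assessment
}


def deidentify(field, value):
    """Return a display-safe form of one field.

    Masking formats are this example's choices, not the Standard's; the rule
    being implemented is only that a catalogued field never reaches a screen
    unmasked, while general personal information is shown as-is.
    """
    category = CATALOG.get(field)
    if category is None:
        return value  # general personal information
    s = str(value)
    if category == "financial_account":  # keep last four digits only
        return "*" * (len(s) - 4) + s[-4:] if len(s) > 4 else "*" * len(s)
    if category == "specific_identity":  # keep two leading and two trailing characters
        return s[:2] + "*" * (len(s) - 4) + s[-2:] if len(s) > 4 else "*" * len(s)
    if category == "location_tracking":  # assumed (lat, lon) tuple; coarsen, never show exact
        lat, lon = value
        return (round(lat, 1), round(lon, 1))
    if category == "other_sensitive" and re.fullmatch(r"\d{11}", s):  # 11-digit mobile number
        return s[:3] + "****" + s[-4:]
    return "[redacted]"  # medical/health information and anything not handled above


def render_for_display(record):
    """De-identify every catalogued field of a record by default."""
    return {k: deidentify(k, v) for k, v in record.items()}


# Constructed access-log lines for the audit below (not a real system's format).
SAMPLE_LOG = """\
2025-11-03T09:12:44+00:00 user=alice action=read field=bank_account subject=S-1001
2025-11-03T09:13:02+00:00 user=bob action=read field=diagnosis subject=S-1001
2025-11-03T09:14:10+00:00 user=bob action=read field=nickname subject=S-1002
2025-11-03T09:15:31+00:00 user=carol action=export field=id_number subject=S-1003
"""

# Categories each account is authorized to access (assumed permission table).
PERMISSIONS = {
    "alice": {"financial_account"},
    "bob": set(),
    "carol": {"specific_identity"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"field=(?P<field>\S+) subject=(?P<subject>\S+)$"
)


def audit_access(log_text, permissions):
    """Flag log entries that touch catalogued fields without matching authorization.

    Bulk 'export' actions on catalogued fields are also surfaced for review even
    when authorized, since they are the operations most likely to be improper.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparseable", line))
            continue
        category = CATALOG.get(m["field"])
        if category is None:
            continue  # access to general personal information is out of scope here
        allowed = permissions.get(m["user"], set())
        if category not in allowed:
            findings.append(("unauthorized", m["user"], m["field"], m["subject"]))
        elif m["action"] == "export":
            findings.append(("review_export", m["user"], m["field"], m["subject"]))
    return findings


def retain_until(ts_iso):
    """Earliest point a log record may be discarded: three years after it was written."""
    ts = datetime.fromisoformat(ts_iso)
    try:
        return ts.replace(year=ts.year + 3)
    except ValueError:  # record written on 29 February
        return ts.replace(year=ts.year + 3, day=28)


if __name__ == "__main__":
    record = {"name": "Li", "bank_account": "6222021234567890", "mobile": "13812345678"}
    print(render_for_display(record))
    for finding in audit_access(SAMPLE_LOG, PERMISSIONS):
        print(finding)
```

Running the audit over the constructed log flags bob's read of a medical field he has no authorization for and surfaces carol's authorized export of identity numbers for review, while alice's authorized read and bob's read of a general field produce nothing. The masking step keeps enough of each value for a user to recognize their own record but not enough to reconstruct it, which is the distinction between de-identified output (still protected as personal information) and anonymized output that the Standard draws.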
Finally, the Standard sets out specific security requirements that must be separately complied with for biometric information, religious belief information, medical and health information, financial account information, location and tracking information, and personal information of individuals under the age of 14.
CONCLUSION
While the Standard is a recommended national standard and not legally binding, it serves as a detailed and practical extension of the PIPL with respect to the processing of sensitive personal information. The Standard translates high-level statutory principles into operational requirements, offering clear expectations across industries.
Importantly, we have observed that Chinese courts have, in practice, referred to recommended standards when assessing whether a company’s personal information processing activities are compliant with legal obligations. As such, the Standard may indirectly influence judicial reasoning and enforcement outcomes.
In addition, the Cyberspace Administration of China and other regulatory authorities may from time to time conduct random inspections of companies’ personal information protection practices. Based on our experience, the principles and safeguards outlined in this Standard offer valuable guidance for demonstrating good-faith compliance with the PIPL and related regulations.
We recommend that companies take this opportunity to revisit their personal information protection frameworks in light of the detailed operational requirements set out in the Standard. In particular, companies with existing consent templates are advised to review and, where appropriate, adjust them by referring to the Standard’s template, especially those engaged in the processing of large volumes of sensitive personal information.