China Announces Special Measures to Strengthen PIPL Enforcement in 2025
- Rose Li, XL Law & Consulting
- May 12
The CAC and three additional departments jointly announced plans to strengthen PIPL enforcement in 2025 by applying special measures to apps, SDKs, smart terminals, facial recognition in public places, offline consumption, and criminal cases.
U.S. institutions that handle personal information in China should review their PIPL compliance status in anticipation of potential actions that may be taken by the CAC and other departments.
On March 28, 2025, the Cyberspace Administration of China (“CAC”), Ministry of Industry and Information Technology (“MIIT”), Ministry of Public Security, and the State Administration for Market Regulation jointly announced special measures to strengthen enforcement of the Personal Information Protection Law (“PIPL”) in 2025 (“Announcement”). The measures focus on the following six scenarios:
Illegal collection or use of personal information by apps (including WeChat mini-programs and WeChat official accounts), i.e., failure to provide personal information handling rules, failure to handle personal information in accordance with the handling rules, collection of unnecessary personal information, failure to provide channels for complaints regarding personal information, failure to provide effective functions for correcting or deleting personal information or canceling accounts, providing personalized information push functions without providing a convenient way to opt out, and frequent jumping to advertising pages, etc.
Illegal collection or use of personal information by software development kits (“SDKs”), i.e., failure to handle personal information in accordance with the handling rules, collection of unnecessary personal information, failure to provide channels for complaints related to personal information, providing personalized information push functions without providing a convenient way to opt out, etc.
Illegal collection or use of personal information by smart terminals, i.e., failure to provide personal information handling rules, collection of unnecessary personal information, failure to notify users when personal information is continuously collected in the background or needs to be calculated and analyzed in the cloud, etc.
Illegal collection or use of facial recognition in public places, i.e., use of facial recognition in public places to process facial information without complying with legal requirements such as obtaining separate or written informed consent, posting conspicuous reminders, taking personal information protection measures such as encryption, conducting personal information protection impact assessments (“PIPIA”) under the PIPL, etc.
Illegal collection or use of personal information in offline consumption scenarios (e.g., ordering food, using public transportation, paying for groceries, etc.), i.e., forcing people to follow WeChat official accounts, forcing people to register for accounts, forcing the collection of unnecessary personal information, using personal information for unauthorized purposes, providing personal information to third parties without consent, leaking personal information as a result of failure to comply with the PIPL obligations, etc.
Criminal cases involving personal information, such as the sale or theft of personal information.
Implications for U.S. Higher Education Institutions
In February 2025, the CAC released online violations data from 2024. The CAC reviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend relevant functions or information updates, removed 200 apps, “punished” 40 WeChat mini-programs, canceled the ICP licenses or recordation or shut down a total of 10,946 websites in conjunction with MIIT, and closed 107,802 accounts.
The Announcement signals that the CAC may step up enforcement and take stricter measures than it did in 2024 to punish PIPL violations such as non-compliance with personal information handling rules, collection of unnecessary personal information, failure to provide channels for complaints and contact, failure to honor data subjects’ right to correct or delete personal information, failure to obtain informed consent, non-compliance with legal requirements for collection of personal images and identifying information in public places (i.e., obtaining separate or written informed consent, conducting PIPIA), failure to take personal information protection measures, etc.
U.S. institutions handling personal information in China will need to invest in PIPL compliance strategies and implement technical measures to protect personal information. Given the CAC’s focus on the illegal collection or use of personal information by apps, and particularly WeChat, U.S. institutions with WeChat mini-programs or official accounts should carefully assess their PIPL compliance notices, policies, and practices to ensure their collection and handling of personal information via WeChat is limited to what is necessary and consistent with their PIPL privacy notices and policies. Similarly, given the CAC’s focus on the illegal collection or use of personal information in offline consumption scenarios, U.S. institutions collecting personal information offline in China, such as collecting contact information at prospective student recruitment fairs, admitted student yield events, or alumni networking events, should also carefully assess their PIPL compliance notices, policies, and practices to ensure that they collect only necessary personal information and do not use or share such personal information in any unauthorized manner.
The areas of focus in the Announcement are also consistent with the audit requirements highlighted in the newly released Measures for the Administration of Compliance Audits on Personal Information Protection (“Measures”) that will come into effect on May 1, 2025. U.S. institutions that handle personal information in China and in connection with business in China are advised to review their compliance policies and procedures and, if applicable, conduct compliance audits as required by the Measures.