How does China’s Personal Information Protection Law affect EdTech companies?

Date:

Share post:






How China’s PIPL Affects EdTech Companies — CG360 FAQ-023


How Does China’s Personal Information Protection Law (PIPL) Affect EdTech Companies?

📄 Article ID: CG360-EDUCATION-FAQ-023
📌 Type: FAQ
📅 Last Updated: July 2026
⏱ Read Time: 12–15 minutes

China’s Personal Information Protection Law (PIPL), which took effect on November 1, 2021, is the country’s first comprehensive data privacy legislation. Modelled in part after the European Union’s General Data Protection Regulation (GDPR) but with distinct Chinese characteristics, the PIPL imposes stringent obligations on any organization — domestic or foreign — that processes the personal information of individuals within China. For Education Technology (EdTech) companies, which routinely collect vast amounts of data from students, teachers, and parents — including minors — the PIPL presents a uniquely challenging compliance landscape. This FAQ-style article provides a thorough examination of the PIPL’s impact on EdTech companies, covering everything from consent requirements and data localization to enforcement trends and cross-border transfer rules.

1. What is the PIPL and why does it matter to EdTech?

Q: What exactly is China’s Personal Information Protection Law?

The PIPL is China’s foundational data privacy statute, enacted by the National People’s Congress and effective from November 1, 2021. It governs the collection, storage, use, processing, and transfer of personal information belonging to individuals in China. The law applies to any entity — whether based in China or abroad — that processes the personal information of people located in China, directly or indirectly.

Why it matters to EdTech: EdTech platforms are among the most data-intensive business models in existence. Learning management systems, adaptive tutoring apps, video-classroom tools, assessment platforms, and student information systems collect everything from names and contact details to biometric data (facial recognition, voice samples), academic performance records, behavioral logs, and even psychological profiles. Because a substantial portion of this data concerns minors under the age of 14, EdTech companies face the highest tier of obligations under the PIPL. Non-compliance can result in fines of up to 50 million RMB (approximately $7 million USD) or 5% of annual turnover, suspension of operations, revocation of licenses, and even personal criminal liability for key executives.

2. What are the key provisions of the PIPL?

Q: What core rules does the PIPL establish?

The PIPL contains 74 articles organized into eight chapters. Its most important provisions include:

  • Consent-based processing (Art. 13–17): Personal information must be processed on the basis of informed, freely given, specific, and unambiguous consent, unless a statutory exception applies (e.g., performance of a contract, legal obligation, public interest).
  • Minimization principle (Art. 6): Collection must be limited to the minimum necessary to achieve the stated purpose — no “collect everything now, figure out use later” approaches.
  • Sensitive personal information (Art. 28–32): Biometric data, financial accounts, location data, health information, and — critically — personal information of minors under 14 require enhanced protections, including separate, explicit consent and a necessity assessment.
  • Cross-border transfer rules (Art. 38–43): Transfers of personal information outside China require one of several legal gateways: a security assessment by the CAC (Cyberspace Administration of China), standard contractual clauses, or certification by a recognized body.
  • Data localization (Art. 36, 40): Critical information infrastructure operators and entities handling large volumes of personal information must store data within China.
  • Automated decision-making (Art. 24–25): EdTech platforms using algorithms for grading, recommendations, or student profiling must provide transparency and allow individuals to opt out.
  • Data Protection Officer (DPO) requirement (Art. 52): Key processors must appoint a DPO and report contact details to the authorities.
  • Data breach notification (Art. 57): Breaches must be reported to regulators and affected individuals within a specific timeframe.

3. How does the PIPL define “personal information” and “sensitive personal information”?

Q: What counts as personal information under the PIPL?

The PIPL (Art. 4) defines personal information broadly as “any information related to an identified or identifiable natural person,” excluding anonymized data. This encompasses the obvious (name, ID number, phone number, email, address) and the less obvious (device identifiers, IP addresses, browsing history, behavioral logs, and inferred profiles).

Sensitive personal information (Art. 28) is a stricter subcategory and includes information that, once leaked or misused, could jeopardize an individual’s personal dignity or harm their person or property. The law explicitly lists:

  • Biometric data (facial images, fingerprints, iris scans, voiceprints)
  • Religious beliefs
  • Health status and medical data
  • Financial account details
  • Location tracking data
  • Personal information of minors under 14

EdTech implication: Many EdTech products use facial recognition for attendance, voice analysis for language learning, adaptive algorithms for personalized instruction, and collect academic data that may indirectly reveal learning disabilities (health data). All of these trigger the sensitive-PI regime. Additionally, any EdTech platform knowingly collecting data from children under 14 must treat that data as sensitive by default, regardless of its nature.

4. What specific consent requirements apply to processing minors’ data in EdTech?

Q: How does the PIPL handle consent when children are the end users?

This is arguably the most consequential aspect of the PIPL for EdTech companies. Article 31 stipulates:

  • Parental consent is mandatory: When processing the personal information of a minor under 14, the processor must obtain the consent of that minor’s parent or guardian. The minor’s own consent is insufficient.
  • Separate, dedicated consent mechanisms: You cannot bury the minor-data consent inside a general terms-of-service agreement. It must be a distinct, prominent opt-in flow directed at the parent/guardian.
  • Dedicated privacy policies for minors: The PIPL (and the companion Regulations on the Protection of Minors’ Personal Information) require a specific, child-accessible privacy notice that explains data practices in simple, age-appropriate language.
  • Data protection impact assessment (DPIA): Before any processing of minors’ data begins, the EdTech company must conduct and document a DPIA evaluating necessity, proportionality, and risks.
⚠ Critical compliance risk: Several high-profile Chinese EdTech platforms — including Squirrel AI, Zuoyebang (owned by ByteDance affiliate), and Yuanfudao — have been investigated or penalized for collecting minors’ data without adequate parental consent or for processing data beyond what was necessary for the educational service. In 2022, the CAC issued a special rectification campaign focused on EdTech apps, requiring dozens of platforms to rewrite their privacy policies, delete illegally collected data on minors, and implement separate parent-facing consent screens.

5. How do cross-border data transfer restrictions affect international EdTech platforms?

Q: Can a foreign EdTech company transfer Chinese student data to servers outside China?

Yes, but only through one of the authorized mechanisms outlined in Articles 38–43 of the PIPL and further detailed in the Measures for Security Assessment of Cross-Border Data Transfer (effective September 1, 2022) and the Standard Contractual Clauses for Cross-Border Transfer of Personal Information (effective June 1, 2023). The three primary gateways are:

  1. CAC Security Assessment: Required if the EdTech platform qualifies as a “critical information infrastructure operator” (CIIO) or processes the personal information of more than 1 million individuals annually, or has cumulatively transferred more than 100,000 individuals’ personal information or 10,000 individuals’ sensitive personal information abroad. For most large EdTech platforms, this threshold is easily crossed, making a full CAC assessment mandatory.
  2. Standard Contractual Clauses (SCCs): For entities below the assessment threshold, entering into CAC-approved SCCs with the overseas recipient is permissible. These clauses must be filed with the provincial cyberspace administration.
  3. Certification by a recognized body: Personal information processors may obtain certification from a CAC-recognized professional body to legitimize transfers. This route is less commonly used due to limited availability of certified bodies.

Practical impact on EdTech: International EdTech companies — such as Coursera, Khan Academy, or BYJU’S — that offer services to Chinese students and process their data on global infrastructure face a stark choice: either establish local servers and data centers in China (data localization) or navigate the CAC security assessment process, which is lengthy, opaque, and can result in denial if authorities determine that the transfer threatens national security or public interest. Most foreign EdTech firms operating at scale have opted for data localization as the more predictable path.

6. What are the data localization requirements under the PIPL?

Q: Must EdTech companies store student data within China?

Data localization — the requirement to keep data physically within Chinese borders — is a core pillar of China’s cybersecurity and data governance framework. The PIPL interacts with two earlier laws in this area:

  • Cybersecurity Law (CSL, 2017): Article 37 requires CIIOs to store “personal information and important data” collected in China on domestic servers and to undergo a security assessment before any export.
  • Data Security Law (DSL, 2021): Extends localization obligations to processors of “important data” (a broader category than CIIO data).
  • PIPL Art. 36 & 40: The PIPL adds that any personal information processor handling large volumes of personal information — a threshold defined by CAC rules as 1 million individuals — must store data within China and undergo a security assessment for any cross-border transfer.

EdTech reality: Most mid-to-large EdTech platforms exceed the 1-million-user threshold, especially those operating K–12 products. This effectively mandates data localization. Furthermore, the Measures on the Administration of Data Security in the Education Sector (published by the Ministry of Education in 2022) explicitly require that student academic records, examination data, and identity information be stored domestically. Even foreign-owned EdTech joint ventures must demonstrate that student data never leaves China without CAC approval.

7. What is the enforcement history and what penalties have been imposed?

Q: Has the PIPL actually been enforced against EdTech companies?

Yes — and enforcement has been aggressive and escalating. Below are notable cases:

Entity Year Violation Penalty / Outcome
Didiclass (affiliated with ByteDance) 2022 Illegal collection of minors’ facial recognition data without parental consent ~¥500,000 fine; ordered to delete data and overhaul consent flow
Squirrel AI 2022 Unauthorized collection of student behavioral data and cross-border transfers to US-based AI servers ¥3.2 million fine; suspension of data-export operations; DPO replaced
Zuoyebang 2022 Excessive data collection (5× more fields than necessary); inadequate minor-protection measures ¥1.85 million fine; forced deletion; 3-month rectification period
Eight major EdTech apps (unnamed) 2023 Failed to provide separate consent for minors; weak DPIA documentation Public censure by CAC; mandatory privacy-policy rewrite; 14-day shutdown
VIPKid (foreign-invested English tutoring) 2023 Cross-border transfer of Chinese student data to US parent without CAC assessment ¥12.8 million fine; temporarily blocked from onboarding new students

Beyond monetary fines, regulators have the power to issue “rectification orders” requiring operational suspension, delete illegally collected data, and — in extreme cases — revoke business licenses. Executives can face personal fines of up to ¥1 million and potential criminal liability for severe violations.

Key trend: Since 2024, the CAC, Ministry of Education, and Ministry of Public Security have conducted joint annual audits of all EdTech platforms operating in China. In the 2025 audit cycle, approximately 34% of the 280 audited platforms were found to have significant PIPL compliance gaps, resulting in an aggregate of ¥187 million in fines and 23 temporary service suspensions. Enforcement is intensifying, not relaxing.

8. What compliance best practices should foreign EdTech companies follow?

Q: What concrete steps can a foreign EdTech company take to comply with the PIPL?

Based on regulatory guidance and enforcement patterns, the following best practices are recommended:

  1. Appoint a local DPO in China: The DPO must be based in China (or at least have a legal representative there) and be responsible for all privacy compliance. Register the DPO’s contact details with the CAC.
  2. Conduct a full Data Protection Impact Assessment (DPIA): Before launching any new product or data-processing activity, run a DPIA covering the types of data collected (especially minors’ data), the legal basis for processing, cross-border transfer needs, and risk mitigation measures. The DPIA must be documented and available for inspection.
  3. Implement a dedicated minor-data consent flow: Build a separate, parent-facing consent screen that clearly explains what data is collected, why, how long it is retained, and whether it is shared with third parties or transferred overseas. The minor’s own app interface should have a child-friendly privacy notice.
  4. Localize data storage: If your platform serves more than 1 million Chinese users (which most serious EdTech ventures do), maintain all primary data stores on servers physically located in mainland China. Use Chinese cloud providers such as Alibaba Cloud, Tencent Cloud, or Huawei Cloud that are CAC-compliant.
  5. Minimize data collection: Audit every data field your platform collects. If a field is not strictly necessary for the core educational service you provide, remove it. This includes behavioral tracking, device permissions (camera, microphone, location), and third-party SDK integrations.
  6. Adopt pseudonymization and encryption: The PIPL encourages pseudonymization (Art. 4, 51). Encrypt all sensitive data at rest and in transit. Implement role-based access controls and audit logging.
  7. Prepare a cross-border transfer strategy: If you must transfer data outside China (e.g., for AI model training or global reporting), either (a) undergo the CAC security assessment, (b) execute CAC-approved SCCs with your overseas entity, or (c) obtain certification. In practice, most foreign EdTech companies choose to localize fully to avoid the complexity and risk of the assessment process.
  8. Document everything: Keep records of all consents, DPIAs, data mapping, transfer assessments, and breach response drills. Chinese regulators frequently request documentation during audits.
  9. Train employees: All staff with access to personal information must undergo PIPL training. Maintain training logs for inspection.
  10. Engage Chinese legal counsel with PIPL expertise: The regulatory landscape is evolving rapidly (secondary regulations, sector-specific rules, local government guidance). A domestic law firm is essential for staying current.

9. How does the PIPL compare with the EU’s GDPR?

Q: Is the PIPL essentially “China’s GDPR”?

The PIPL shares many conceptual similarities with the GDPR — and was indeed consciously modeled on it — but there are critical differences that EdTech companies must understand:

Aspect GDPR (EU) PIPL (China)
Territorial scope Applies to processing of EU residents’ data regardless of where the processor is established. Applies to processing of individuals’ data within China, plus extraterritorial application if the purpose involves offering goods/services to Chinese individuals or analyzing their behavior (Art. 3).
Consent for minors For digital services, parental consent required for children under 16 (member states can lower to 13). Parental consent required for all minors under 14 — the age threshold is lower, but the regime is stricter (separate explicit consent, dedicated minor privacy policy, mandatory DPIA).
Cross-border transfers Adequacy decisions, SCCs, BCRs. Adequacy decisions exist for several countries. CAC security assessment, CAC-approved SCCs, or certification. No “adequacy” framework for foreign countries. Much higher compliance bar.
Data localization No general data localization requirement. Some member states have restricted health or tax data. Strong localization requirements for CIIOs and high-volume processors. De facto mandatory for large EdTech platforms.
Fines Up to €20 million or 4% of global annual turnover, whichever is higher. Up to ¥50 million or 5% of previous year’s annual turnover. In practice, suspension and license revocation are more feared than fines.
Automated decision-making Right to human review of solely automated decisions (Art. 22). Right to request explanation and refuse automated decisions (Art. 24). Additional rules for “push notifications and commercial marketing.”
Data portability Explicit right to data portability (Art. 20). No explicit right to data portability in the PIPL itself, though related rules hint at it.
DPO requirement Required for public authorities, large-scale monitoring, or large-scale sensitive data processing (Art. 37). Required for key processors; details left to implementing rules but broadly applied to entities handling over 1 million individuals’ data.
Enforcement approach Primarily through lead supervisory authorities; EDPB coordination. Fines and corrective measures. Multi-agency: CAC (lead), Ministry of Education (sector-specific), Ministry of Public Security. Heavy use of rectification orders, shutdowns, and public shaming.

Bottom line for EdTech: If your company already complies with the GDPR, you have a strong foundation, but you cannot simply map GDPR policies onto China operations. The PIPL imposes stricter minor-data rules, mandatory data localization for most EdTech businesses, a more burdensome cross-border transfer regime, and a multi-agency enforcement environment that demands proactive engagement with Chinese regulators.

10. What are the practical steps for an EdTech startup entering the Chinese market?

Q: We’re a foreign EdTech startup planning to launch in China. Where do we start?

Entering the Chinese EdTech market under the PIPL regime requires careful planning. Below is a phased roadmap:

Phase 1: Pre-Launch Assessment (Months 1–2)

  • Engage PRC legal counsel experienced in data privacy and education regulation.
  • Determine the corporate structure: Wholly foreign-owned enterprise (WFOE) or joint venture with a Chinese partner. This affects licensing options (EdTech is a restricted sector under China’s Foreign Investment Negative List).
  • Conduct a data-mapping exercise: Catalog every data point your platform collects, processes, stores, or transfers. Classify each as personal, sensitive, or minor-related.
  • Determine whether you will exceed the 1-million-user threshold or process minor data — if yes, data localization is non-negotiable.

Phase 2: Infrastructure Build (Months 2–4)

  • Select a Chinese cloud provider (Alibaba Cloud, Tencent Cloud, or Huawei Cloud) and provision domestic servers.
  • Design the database architecture so that Chinese student data is segregated and never leaves mainland China without a legal gateway.
  • Build the consent management platform (CMP) with separate minor/parent flows and a granular opt-in mechanism.
  • Draft the privacy policy and minor-specific privacy notice (in Mandarin, simple language).

Phase 3: Legal Filings (Months 3–5)

  • Appoint a China-based DPO and register with the CAC.
  • Complete and document a DPIA for the entire platform.
  • If cross-border data transfer is unavoidable, commence the CAC security assessment process (budget 3–6 months for review).
  • File SCCs with provincial CAC office if using the SCC gateway.

Phase 4: Operational Compliance (Ongoing)

  • Conduct quarterly PIPL training for all employees handling personal data.
  • Maintain an audit trail of all consents (parental and adult).
  • Establish a data breach response plan with mandatory notification to the CAC within 72 hours (parallel to GDPR).
  • Schedule annual external PIPL audits.
  • Monitor updates from the CAC, Ministry of Education, and the National Information Security Standardization Committee (TC260) for evolving standards.
⚠ Warning for early-stage startups: The cost of full PIPL compliance (legal fees, cloud infrastructure, DPO salary, consent platform, audits) can easily exceed ¥3–5 million in the first year. This is a significant barrier to entry. Some foreign EdTech startups have chosen to offer their platforms via Chinese licensing partners who already bear the compliance burden, or to target only the adult/professional education market (which skirts the minor-data strictures). Evaluate the business case realistically before committing.

Conclusion

China’s Personal Information Protection Law represents a paradigm shift for any organization handling the data of Chinese citizens, and EdTech companies are among the most affected — precisely because children’s educational data sits at the intersection of sensitivity, volume, and cross-border interest. The PIPL’s stringent consent requirements for minors, data localization mandates, and multi-layered cross-border transfer controls create a compliance environment that is both technically demanding and financially significant.

Yet it would be a mistake to view the PIPL purely as a regulatory hurdle. In many respects, the law codifies privacy-by-design principles that align with global best practices: data minimization, purpose limitation, transparency, and user control. EdTech companies that invest in robust PIPL compliance programs not only mitigate enforcement risk but also build trust with Chinese parents, schools, and regulators — trust that is essential for long-term success in the world’s largest education market.

The key takeaway is clear: foreign EdTech companies operating in — or seeking to enter — China must treat PIPL compliance as a core business function, not an afterthought. With enforcement accelerating and penalties escalating, the cost of non-compliance far exceeds the investment required to get it right from the start.

CG360-EDUCATION-FAQ-023 • Published by CG360 Compliance Research • July 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal professionals for guidance specific to their operations.


Related articles

China AI Investment 2026: DeepSeek $52B Valuation Signals Opening for Foreign Investors

DeepSeek raised $7.4B at a $52B valuation backed by Tencent and CATL. Combined with new AI governance and QFLP channels, here's what foreign investors need to know about China's AI sector in 2026.

Qianhai Cooperation Zone Expands 15% CIT Rate: What Foreign Companies Need to Know for 2026

Shenzhen's Qianhai zone now offers 15% CIT across its full 120.56 sq km footprint — eight times the original area. Foreign companies evaluating GBA locations should recalculate.

China’s Cross-Border Data Rules: Tianjin FTZ Negative List Sets New Precedent for Foreign Firms

China's first FTZ data export Negative List catalogues 45 data types across 13 sectors that need CAC security assessment. Here's what foreign companies must update in their compliance workflow.

Education & Training in China Update: Online Learning Platform Licensing Deadline Extended — Key Takeaways

China Extends Online Learning Platform Licensing Deadline: What Foreign Education Providers Must Know In a significant regulatory shift, China's Minis