China CSL

Cybersecurity Law of the People's Republic of China

China · Opt-in · National

Key Facts

  • Effective Date: June 1, 2017
  • Enacted: November 7, 2016
  • Enforcing Authority: Cyberspace Administration of China (CAC) and relevant departments
  • Consent Model: Opt-in
  • Applies To: Network operators and critical information infrastructure operators in China, with expanded extraterritorial reach under 2026 amendments

Overview

China's Cybersecurity Law establishes the legal framework for cybersecurity obligations, forming one of three pillars alongside the PIPL and DSL. The January 2026 amendments represent the first major overhaul since 2017, significantly increasing penalties and broadening extraterritorial enforcement.

What This Means for Your Website

  • Network operators must verify user identity
  • Critical information infrastructure operators must store data locally in China
  • Security assessments are required for cross-border data transfers
  • The 2026 amendments increase penalties and broaden extraterritorial reach
  • Cookie-specific consent requirements are handled by the PIPL, not the CSL

Key Requirements

The CAC and relevant departments enforce the CSL. The 2026 amendments significantly increased penalties beyond the original 2017 framework and expanded enforcement to cover broader cybersecurity matters beyond critical infrastructure. Data localization requirements apply to critical information infrastructure operators.

How ConsentStack Handles This

ConsentStack helps websites comply with the CSL's framework by managing consent requirements in coordination with PIPL obligations, particularly around data localization and cross-border transfer considerations.

Penalties

Penalties were significantly increased under the January 2026 amendments, which also expanded extraterritorial reach.

Key Requirements

  • Network operators must verify user identity
  • Critical infrastructure operators must store data locally
  • Security assessments required for cross-border data transfers
  • Mandatory cybersecurity incident reporting
  • Network security protection obligations

Notable Provisions

  • January 2026 amendments — first major overhaul since 2017
  • Increased penalties and broadened extraterritorial enforcement
  • Works alongside PIPL and DSL in tri-pillar framework

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

What changed in the CSL in 2026?

The January 2026 amendments represent the first major overhaul since 2017, significantly increasing penalties and broadening extraterritorial enforcement.

Does the CSL require cookie consent?

No. Cookie-specific consent requirements are addressed by the PIPL. The CSL focuses on cybersecurity obligations, network security, and data localization.

What is the relationship between CSL, PIPL, and DSL?

They form China's tri-pillar data governance framework: CSL (cybersecurity), PIPL (personal data), and DSL (data security).
