China DSL

Data Security Law of the People's Republic of China

China · Opt-in · National

Key Facts

  • Effective Date: September 1, 2021
  • Enacted: June 10, 2021
  • Enforcing Authority: Cyberspace Administration of China (CAC) and relevant sectoral authorities
  • Consent Model: Opt-in
  • Applies To: All organizations conducting data processing activities within China (extraterritorial for activities affecting China)

Overview

The DSL establishes a comprehensive data security governance framework with a classification system categorizing data as "core data," "important data," and general data. Each category carries corresponding security obligations and cross-border transfer restrictions. It is the third pillar of China's data governance framework alongside the PIPL and CSL.

What This Means for Your Website

  • Data collected through your website must be classified under the DSL's grading system
  • Important data processors must appoint data security officers
  • Cross-border data transfers are subject to security review
  • Regular risk assessments are required
  • Cookie-specific consent is handled by the PIPL, not the DSL

Key Requirements

The CAC and sectoral authorities enforce the DSL with penalties including fines, business license revocation, and criminal liability. The data classification system determines the level of security obligations and cross-border restrictions. Important data processors have enhanced compliance requirements.

How ConsentStack Handles This

ConsentStack supports DSL compliance by ensuring data collected through consent mechanisms is handled according to classification requirements and security obligations.

Penalties

Varies by violation severity; includes fines, business license revocation, and criminal liability for serious offenses.

Key Requirements

  • Data classification and grading system (core, important, general)
  • Data security review system for cross-border transfers
  • Important data processors must appoint data security officers
  • Regular risk assessments required
  • Data security incident reporting obligations

Notable Provisions

  • Data classification system determines security obligations
  • Part of China's tri-pillar framework with PIPL and CSL
  • Criminal liability for serious offenses
  • Affects data storage and security, not consent mechanics

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

What is the DSL data classification system?

The DSL categorizes data as core data, important data, and general data. Each category has corresponding security obligations and cross-border transfer restrictions.

Does the DSL address cookies?

No. Cookie-specific consent is addressed by the PIPL. The DSL focuses on data security governance, classification, and storage requirements.

How does the DSL relate to PIPL and CSL?

They form China's tri-pillar data governance framework: PIPL (personal data), CSL (cybersecurity), and DSL (data security).
