China seeks public comments for Draft Rules on Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors
On 3 April 2026, the Cyberspace Administration of China (CAC) launched a public consultation on the Provisions on Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors (the Draft Provisions), which are intended to reduce compliance burdens for small-scale personal information processors while maintaining baseline protection standards.
Comments can be made until 3 May 2026.
These Draft Provisions set out a simplified compliance framework for small-scale personal information processors in areas such as personal information processing rules, notification and consent, compliance audits and impact assessments, security incident response, and enforcement and penalty – all part of a policy to adopt a more proportionate approach for small-scale personal information processors.
Application scope
The Draft Provisions apply to “small-scale personal information processors” operating within the People’s Republic of China (PRC). A small-scale personal information processor is defined as one that processes the personal information of fewer than 100,000 individuals.
This definition focuses on the scale of personal information processing activities rather than the nature or size of the business. The volume of personal information processed, rather than corporate form or revenue, determines whether the simplified regime can apply.
Highlights
The key points in the Draft Provisions include the following:
- Simplified processing rules and greater flexibility for reliance on unified rules – Small-scale personal information processors may adopt simplified personal information processing rules covering only core items (e.g. the name of the processor, contact details for handling data subject requests, and the purpose, method, type and retention period of processing). The Draft Provisions also allow small-scale processors to rely on unified personal information processing rules prepared by third parties (e.g. industrial parks, business premises managers and online platforms), provided that the processors agree to comply with these rules and are included within their scope. This feature will reduce the need for each small-scale processor to prepare separate standalone documentation.
- Streamlined notification and consent mechanisms – The Draft Provisions introduce flexibility on notification and consent for small-scale personal information processors. Where certain conditions are met, they may satisfy their notification obligations simply by publicly disclosing their processing rules, rather than providing separate notices in each case. In addition, flexibility in processing can be applied where individuals voluntarily provide personal information necessary to obtain products or services, and where such small-scale personal information processors have already disclosed their personal information processing rules and fulfilled their notification obligations.
- Simplified audit and impact assessment requirements – Small-scale personal information processors may use simplified forms attached to the Draft Provisions to conduct personal information protection compliance audits and personal information protection impact assessments. Compliance audits can be conducted at least once every five years. Small-scale personal information processors that have obtained personal information protection certification are exempt from undergoing personal information protection compliance audits during the validity period of their certification. The self-assessment checklist for audit attached to the Draft Provisions significantly streamlines the audit process.
- Simplified internal governance and security incident response – The Draft Provisions allow small-scale personal information processors to adopt a more streamlined approach to internal personal information protection management and incident response. In particular, processors may establish internal management requirements and incident response mechanisms through general organisational documents, rather than developing separate, standalone policies. In the event of a personal information security incident, processors are still required to take remedial measures and notify individuals and regulators in accordance with applicable laws. Where direct notification to individuals is not feasible, simplified methods such as public notices at business premises or pop-up notifications through online services can be used.
- More flexible enforcement and stronger policy support – The Draft Provisions contain non-penalty treatment for promptly rectified minor violations that have not caused harmful consequences or for first-time minor violations that have also been promptly rectified. The Draft Provisions also provide for mitigated penalties in certain circumstances, and emphasise support measures such as training, consultation, infrastructure and technical tools to help reduce compliance costs for small-scale personal information processors.
Summary
These Draft Provisions signal China’s continuing development under the current personal information protection framework, and its determination to refine personal information compliance obligations in a more proportionate manner. The Provisions’ dedicated and simplified compliance regime for small-scale personal information processors reflects China’s policy move towards differentiated regulation based on the scale and risk profile of personal information processing activities.
Smaller businesses and platforms must assess whether they fall within the scope of the proposals and be prepared to adapt to the new compliance regime.
The original publication can be found [here] (Chinese only).