China this week launched the most detailed enforcement roadmap in the short history of its Personal Information Protection Law, directing three major regulators to run coordinated inspections across six industries - with internet advertising named explicitly as a primary target. The announcement, dated April 2, 2026, and published by the Cyberspace Administration of China on its official website, lays out seven distinct enforcement campaigns for the year ahead and names internet advertising intermediaries and media platforms among the first entities to face scrutiny.
The joint announcement was signed by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) - the same three-agency coalition that produced China's mandatory AI content labeling framework in 2025. Together they represent the principal architecture of China's digital governance apparatus.
According to Wenlong Li, a research professor at Zhejiang University who analysed the announcement on LinkedIn, this cross-sectional approach is "unprecedented in the short history of PIPL enforcement." Li described the document as providing "a rare window into how enforcement is being lined up across sectors."
What the announcement says
The official notice states that since the Personal Information Protection Law came into force, the CAC and partner agencies have "continuously intensified personal information protection efforts, investigated and dealt with various illegal and irregular personal information processing activities, and guided and supervised personal information processors to continuously improve compliance standards." The 2026 agenda, it says, aims to further address typical violations in apps, SDKs, internet advertising, education, transport, healthcare, and finance, with the stated goal of raising public satisfaction.
Seven enforcement campaigns are set out. Each one names specific target entities and lists the specific violations regulators intend to pursue.
Internet advertising under the microscope
The second campaign focuses directly on internet advertising - a category that covers the intermediary platforms and media-side operations at the core of programmatic buying and selling. According to the official text, enforcement will target five types of violations.
First, regulators will pursue collection of personal information beyond what is strictly necessary. Second, they will act against platforms that collect and use personal information for advertising and user profiling without clearly disclosing this in their processing rules, and against those that fail to list the categories, purposes, and methods of data provided to third parties, along with the identity and contact details of those third parties. Third, platforms that do not provide users with easy channels to exercise their rights of correction, deletion, and refusal to have personal information processed will be targeted. Fourth, regulators will go after platforms that use automated decision-making - including algorithmic recommendations - to push advertisements without offering a clear, accessible, and operable switch to turn off personalised recommendations, and that continue collecting personal information after a user has turned personalisation off, or that fail to allow users to delete their personal characteristic labels. Fifth, the notice targets inadequate internal security management, access control, and external provision systems.
This is notable for the digital advertising industry. The requirement to stop data collection after a user opts out of personalised recommendations goes further than what many global platforms currently implement. The requirement to publish the names and contact details of third-party data recipients in advertising contexts mirrors obligations that exist under the General Data Protection Regulation in Europe, but has rarely been applied this specifically in Chinese enforcement action.
China's platform pricing regulations published in December 2025 already referenced PIPL frameworks for behavioural pricing. The new enforcement campaigns make good on those references by naming the specific violations regulators intend to pursue in advertising contexts.
Apps and SDKs: the first campaign
The first enforcement campaign covers common-type apps and the SDKs embedded within them. According to the notice, regulators will address four categories of problem. The first is failing to publicly disclose personal information collection and usage rules, failing to provide a functional account deletion option, or failing to establish a personal information security complaint and reporting channel. The second is failing to fully and accurately inform users about how their personal information is collected and used, or disclosing a purpose, method, and scope that does not match actual practice. The third is collecting personal information without user consent or forcing users to consent to the collection of unnecessary personal information. The fourth is collecting personal information beyond the minimum necessary scope - including location data, contact lists, and SMS data in unrelated scenarios, or calling personal information permissions at frequencies exceeding the minimum necessary rate.
China's DPO registration system launched in July 2025 already required organisations processing personal information of more than one million individuals to report their Data Protection Officer details to local authorities. The new app and SDK campaign extends enforcement reach down to the product and SDK level, adding a new layer of operational scrutiny for any developer or ad technology vendor distributing software in China.
Education, transport, healthcare, and finance
The remaining four sectoral campaigns share structural similarities, but each contains sector-specific details that reflect particular risks.
Education is one of the more technically detailed campaigns. Schools, universities, kindergartens, and off-campus training institutions are the named targets. Regulators will enforce the requirement to obtain parental or guardian consent before processing the personal information of children under 14. Websites and apps operated by educational institutions must not collect excessive location data, school enrollment information, or parental identification numbers. Third-party data sharing by training institutions must be disclosed and consented to. Critically, the notice states that educational institutions must not use facial recognition as the sole means of verifying the identity of parents or students where non-facial-recognition alternatives exist - a direct constraint on a technology that has expanded rapidly in Chinese schools.
Transport covers road, waterway, rail, and civil aviation carriers, online ticketing platforms, postal and courier companies, and public parking management platforms. Among the specific violations targeted is the practice of public car parks requiring users to register and provide a mobile phone number as a condition of scanning a code to pay for parking - a data collection approach that regulators now consider excessive. Express delivery companies and ticketing platforms leaking users' contact information, home addresses, and travel itineraries are also named.
Healthcare introduces the most detailed security requirements. Medical and health institutions - hospitals, community health centres, clinics, and disease control centres - must not allow unauthorised individuals to access other people's medical records due to inadequate identity verification. Institutions must not publicly disclose patient imaging, photographs, or written descriptions containing personal information without consent. The campaign also prohibits the use of facial recognition as the sole authentication method where alternatives exist - identical in structure to the education campaign restriction. Internal information management systems must implement encryption and de-identification. Third-party technical maintenance staff must be managed and supervised to prevent data leakage.
Finance covers banks, insurance companies, securities firms, credit reference agencies, payment institutions, and internet lending platforms. The notice prohibits the collection of contact lists, SMS records, call logs, location data, device information, and application lists under the pretext of security risk control or lending services. Internet lending platforms sharing personal information with third-party partners must disclose the names, purposes, and methods of such sharing and obtain consent. Again, facial recognition as the sole authentication method is prohibited where alternatives are available.
Criminal enforcement campaign
The seventh campaign is qualitatively different from the sectoral ones. Rather than auditing compliance, it focuses on criminal prosecution. According to the notice, enforcement will concentrate on personal information theft and trafficking in areas including public services, financial lending, healthcare, education, and daily life and travel. Regulators will pursue three stages of the crime chain: the point of data leakage, the trading of data, and the downstream use of stolen data. The campaign specifically calls for "severe punishment of industry insiders" - a phrase aimed at employees within organisations who sell personal data they have legitimate access to.
Omnibus structure - and its limits
The cross-sectoral design of this announcement has drawn attention from privacy law researchers. According to Wenlong Li, "this feels like one of the first attempts to pull together an omnibus-style enforcement roadmap - cutting across sectors, technologies and regulatory tools." Li noted that similar initiatives have appeared in past years but had "not quite been stitched together in this way."
However, Li also highlighted structural tensions in the document. Criminal offences sit alongside sectoral compliance requirements. Apps and SDKs are grouped as a digital sector category. Facial recognition appears as what Li describes as "a use-case trigger" rather than a standalone principle. Some principles, such as transparency, "are not being fully fleshed out, but instead get touched on indirectly through concrete violations."
Li drew an explicit comparison to how GDPR enforcement has developed in Europe - not through clean doctrinal lines, but through "a gradual piecing together of priorities via enforcement practice." He cited recommender system opt-out rights, the right to terminate an account, and mandatory registration as examples of how European enforcement has built up incrementally through specific cases.
The comparison is apt in a technical sense. The requirement in China's internet advertising campaign that platforms provide an option to turn off personalised recommendations, and that they stop collecting data after opt-out, parallels rights that European regulators have spent years enforcing in the context of GDPR Article 21 and the ePrivacy Directive. The noyb complaints against Chinese technology platforms filed in January 2025 for failing to comply with European data subject access rights reflected precisely the kind of gap between declared policy and actual practice that China's domestic regulators are now trying to close from the inside.
Relevance for the advertising and marketing community
For marketing professionals operating in or with China, the 2026 enforcement agenda has direct practical implications. The internet advertising campaign names intermediary platforms explicitly - a category that includes demand-side platforms, supply-side platforms, data management platforms, and the SDKs that connect them. The combination of the first and second campaigns means that both the SDK layer and the advertising platform layer are simultaneously under scrutiny.
The requirement to list third-party data recipients in advertising processing rules raises the compliance bar for any company buying or selling data-driven advertising inventory in China. The requirement to implement a functional opt-out from personalised recommendations - and to actually stop data collection after opt-out, not just stop personalising - goes beyond what many platforms currently offer. The prohibition on requiring phone number registration for basic transactional functions, such as parking payment, directly constrains data acquisition practices that the Chinese advertising ecosystem has relied on to build audience segments.
China's mandatory AI content labeling standards, which took effect on September 1, 2025, involved the same four agencies - CAC, MIIT, MPS, and the State Administration of Radio and Television - and required explicit labeling across all AI-generated media formats. The 2026 enforcement campaigns add a data collection compliance layer on top of the labeling layer, increasing the overall compliance burden on ad technology operators distributing content through Chinese channels.
The notice states that the three agencies "will work with relevant departments to carry out the various tasks in the series of special campaigns in an orderly manner, concentrate on rectifying various typical illegal and irregular violations, and deal strictly according to law with those who are serious in nature and refuse to rectify." It also notes that enforcement priorities can be "dynamically adjusted according to actual work needs" - meaning the list of targets is not fixed and could expand during the year.
Timeline
- November 1, 2021 - China's Personal Information Protection Law (PIPL) enters into force
- January 18, 2025 - noyb files GDPR complaints against six Chinese technology companies over data transfers to China
- July 18, 2025 - CAC launches mandatory DPO registration system for organisations processing personal data of more than one million individuals
- August 29, 2025 - Deadline for existing large-scale processors to register DPO details with CAC
- September 1, 2025 - China's mandatory AI content labeling standards take effect, covering all AI-generated media formats
- December 9, 2025 - CAC, NDRC, and SAMR publish platform pricing regulations with PIPL behavioral pricing requirements
- April 2, 2026 - CAC, MIIT, and MPS publish 2026 personal information protection enforcement agenda targeting seven sectors including internet advertising
- April 10, 2026 - China's internet platform pricing regulations take effect
Summary
Who: The Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security, acting jointly as China's principal digital governance regulators. Affected entities include internet advertising intermediaries, media platforms, app developers, SDK providers, schools, transport operators, hospitals, and financial institutions operating in China.
What: A joint announcement setting out seven enforcement campaigns for 2026 under China's Personal Information Protection Law. The campaigns target specific violations in internet advertising, apps and SDKs, education, transport, healthcare, finance, and criminal personal information offences. Key issues include exceeding necessary data collection, failing to disclose third-party sharing, not providing functional opt-outs from personalised recommendations, using facial recognition as the sole authentication method, and insider data trafficking.
When: The announcement was published on April 2, 2026. Enforcement campaigns will run throughout 2026 with the agencies reserving the right to dynamically adjust priorities.
Where: The People's Republic of China. The notice was published on the official CAC website and applies to all personal information processing activities by the named categories of entities operating within China's jurisdiction.
Why: The regulators state that while enforcement under PIPL since 2021 has produced positive results, typical violations persist across key sectors. The 2026 campaigns aim to deepen compliance in areas with high public impact - particularly internet advertising, children's data in education, data security in healthcare, and criminal data trafficking networks - while increasing public satisfaction with personal information protection.