Nearly five years after the Personal Information Protection Law (PIPL) took effect on November 1, 2021, China's data regulator is doing something that has eluded most privacy regimes: admitting that one rulebook cannot fit a corner shop and a super-app alike. On April 3, 2026, the Cyberspace Administration of China (CAC) opened a one-month public comment period, closing May 3, on draft Simplified Measures for Personal Information Protection for Small Personal Information Handlers. The draft carves out a lighter-touch tier for any handler processing the personal information of fewer than 100,000 individuals. The threshold is defined purely by data-subject count, with no regard to revenue or headcount.
The relief is concrete. Under the draft, small handlers may shrink privacy notices to the essentials, satisfy notice obligations by posting rules at their premises or embedding them in service agreements, and rely on consolidated rules published by the platform, industrial park, or commercial property they operate within. Breach notifications can go out via in-app pop-ups rather than individual messages. Compliance audits, a real cost center, drop to once every five years using simplified self-assessment forms. For the SMEs that make up the long tail of China's digital economy, this is the difference between PIPL as a manageable checklist and PIPL as a full-time legal burden.
The steelman for keeping it strict
The case against carve-outs is not frivolous. A privacy harm does not shrink because the company causing it is small; a 50,000-record breach at a clinic can be more damaging than a 5-million-record leak of low-sensitivity data. Uniform rules are also simpler to enforce and harder to game — once you create a threshold, firms have an incentive to structure themselves to stay just under it. Regulators who have watched the GDPR's SME exemptions get exploited have reason to be wary. Beijing's own enforcers clearly share the concern, which is why the simplification is deliberately narrow.
And it is narrow. The CAC's draft offers no relief for sensitive personal information or for cross-border data transfers — the two highest-risk categories. The same week, on April 2, 2026, the CAC, the Ministry of Industry and Information Technology, and the Ministry of Public Security jointly announced a 2026 special enforcement campaign spanning seven domains: apps and SDKs, internet advertising, education, transportation, healthcare, finance, and criminal trafficking of personal data. Penalties range from app-store removal to criminal liability. The signal is unmistakable — flexibility for low-risk, low-volume processing; sharpened teeth where the stakes are real.
Why this is the right shape, even if the motives are mixed
From a pro-innovation standpoint, risk-tiering is the correct design. Compliance cost is a regressive tax: a fixed audit-and-documentation burden consumes a far larger share of a 10-person startup's resources than a platform's. Flat regimes don't protect users better; they just price small entrants out and entrench incumbents who can amortize a compliance department. By scaling obligations to actual data-subject exposure, the CAC is targeting the variable that correlates with harm rather than the one that correlates with a firm's ability to lobby. The January 2026 CAC guidance pointed the same direction, treating facial recognition and other sensitive processing as requiring mandatory impact assessments regardless of scale — concentrating scrutiny where it belongs.
This matters beyond China. The EU is reopening parts of the GDPR precisely because uniform obligations strangled small operators, and the proportionality instinct on display here — calibrate the rule to the risk, not the logo — is one other jurisdictions are converging on independently. That a one-party state arrives at it for its own reasons doesn't make the design wrong.
The caveats are equally real, and worth stating plainly. The cross-border regime stays heavy: PIPL's Article 38 still forces overseas transfers through one of three gates, namely a CAC security assessment, certification by an accredited body, or the CAC standard contract. The new Certification Measures, issued jointly by the CAC and the State Administration for Market Regulation and effective January 1, 2026, only open the certification route to handlers transferring the non-sensitive personal information of between 100,000 and one million individuals, or the sensitive personal information of fewer than 10,000 individuals; above those volumes the security assessment remains mandatory, and the friction is the point. A regime that frees a coffee chain from paperwork while keeping the open internet's data flows tightly valved is proportionate in one dimension and protectionist in another.
There is also the matter of who holds the dial. A tiered system administered by a regulator with broad discretion and an annual "special campaign" is a system that can be loosened or tightened at will, by sector, on political cue. Proportionality administered transparently is a virtue; proportionality as an instrument of selective pressure is something else.
The takeaway
China's privacy regime is maturing from a blunt instrument into a graduated one — and the direction is sound. Easing the load on sub-100,000-user processors while reserving enforcement firepower for sensitive data and cross-border flows is closer to evidence-based, risk-weighted regulation than most first-generation privacy laws managed. The open question is whether the same hand that calibrates so sensibly for small firms will keep cross-border data flows hostage to security review — and whether the discretion that makes tiering possible stays a tool of proportionality rather than control.