On 3 April 2026, the Cyberspace Administration of China (CAC) released for public comment the Provisions on Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors (《小型个人信息处理者个人信息保护简化措施规定(征求意见稿)》). The 22-article draft, whose consultation window closed on 3 May 2026, does something China's data-governance apparatus rarely does explicitly: it lowers the compliance burden on the smallest operators rather than raising it. For a regime built over four years on escalating obligations, that is a notable inflection — and, on the whole, a sensible one.
What the draft actually does
The draft defines a "small-scale personal information processor" as any handler processing the personal information of fewer than 100,000 individuals. The CAC's own consultation notice fixes both the release and the comment deadline, and Linklaters' analysis notes the threshold is cumulative — there is "no timebox... such as on an annual basis" — and applies to domestic businesses including foreign-invested ones, which must keep documentation justifying their headcount.
For everyone under that line, the obligations of the Personal Information Protection Law (PIPL) are streamlined rather than removed:
- Compliance audits drop to once every five years, using simplified self-assessment forms appended to the draft. Processors that hold a personal-information-protection certification are exempt from audits for the certificate's validity period.
- Transparency and consent are eased: small handlers operating on a platform, in a business park, or under commercial-property rules may rely on those entities' unified processing rules instead of drafting their own, and may use abbreviated privacy notices or post them physically.
- Breach notification can be satisfied via in-app pop-ups or conspicuous on-premises notices where individual notification is impracticable.
- Cross-border transfers get a streamlined path: provincial CAC offices may run the security assessment and forward a recommendation to Beijing, and non-sensitive transfers under defined conditions are largely exempt from full security assessments and standard contracts.
- Enforcement turns lenient — the CAC's drafting explanation states that for "minor violations that are voluntarily corrected with no harmful consequences," penalties "shall be waived or reduced" (不予处罚或者减轻处罚), with first-time and cooperative conduct further mitigated.
The case for the old, heavier baseline
The steelman for uniform, demanding rules is real and worth stating plainly. Small firms are not small targets: a corner clinic, a neighbourhood app developer or a single-store retailer can hold sensitive health, biometric or location data on tens of thousands of people, and a breach there is no less harmful to those individuals than a breach at a tech giant. A flat baseline also closes the obvious avoidance route — structuring a business to stay nominally "under 100,000" while still touching sensitive data. Regulators reasonably fear that tiered leniency becomes a loophole.
Those concerns argue for guardrails, not against tiering. And the draft keeps the substantive PIPL standard intact — lawful basis, purpose limitation, security duties and individual rights all still apply. What changes is the paperwork and procedure, which is exactly where the deadweight cost of compliance concentrates for a business with no in-house counsel.
Why right-sizing is the better policy
Proportionality is not a loophole; it is what good regulation looks like. The marginal cost of a full compliance-audit cycle, a bespoke privacy-notice regime, and a cross-border security assessment falls almost entirely on firms least able to absorb it. A two-yearly audit obligation that a ten-million-record processor can staff is, for a five-person startup, a tax on existing — one that deters the marginal entrant without measurably protecting anyone.
The contrast is instructive. Under the Measures for Personal Information Protection Compliance Audits, effective 1 May 2025, processors handling more than 10 million individuals' data must audit at least every two years. The new draft asks the smallest handlers to do so once every five — a calibration that tracks actual risk exposure rather than applying one clock to all. That is the correct direction: obligations should scale with the scope and sensitivity of processing, which is precisely the logic the GDPR gestures at (and arguably under-delivers on) with its SME carve-outs.
The draft also names its purpose without euphemism — "reducing compliance costs for small-scale processors" and "constructing a favourable policy environment for SME innovation." In a year when China is racing to commercialise physical AI and robotics, much of it through small studios collecting real-world data, lowering the fixed cost of lawful data handling is industrial policy as much as privacy policy.
The catch: enforcement discretion cuts both ways
The weakness is that the draft trades bright-line rules for discretion. "Minor," "no harmful consequences," and "promptly corrected" are judgment calls, and a leniency regime is only as predictable as the regulator applying it. That matters because, one day before this draft, the CAC announced its 2026 special enforcement campaigns against unlawful collection and use of personal information. Small firms now face a softer rulebook and a more active enforcer simultaneously — relief on paper, uncertainty in practice.
The fix is in the CAC's hands during finalisation: publish objective criteria for the leniency tiers, confirm the threshold's treatment of sensitive data and minors explicitly, and pair the certification exemption with accessible, low-cost certification so it is a real option rather than a privilege of the already-resourced. Get that right, and the draft becomes a model worth exporting — proof that a serious data-protection regime can still treat a five-person startup differently from a platform with a hundred million users, because it should.