A pivot from promulgation to prosecution
China's Personal Information Protection Law (PIPL) turned four-and-a-half in November 2025, and for most of that life it has been a law of decrees rather than dockets. That changed on April 2, 2026, when the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) jointly published 中央网信办、工业和信息化部、公安部关于开展2026年个人信息保护系列专项行动的公告 (Announcement of the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology and the Ministry of Public Security on Launching the 2026 Series of Special Campaigns on Personal Information Protection), a single notice laying out a coordinated, year-long enforcement programme across seven sectors.
The seven sub-campaigns target apps and software development kits (SDKs), internet advertising and personalised recommendations, education, healthcare, transport, financial services, and criminal trafficking of personal information. The CAC explicitly reserved discretion to adjust priorities "dynamically" through the year. Within 25 days the regulator demonstrated what that meant in practice: on April 27, 2026, it named 33 mobile apps for failures ranging from missing privacy policies to undisclosed third-party SDKs and unreasonable account-deletion conditions, giving operators 15 business days to remediate.
The steelman case for the campaign
It would be a mistake to dismiss this as theatre. China's pre-PIPL data ecosystem was, by any honest reckoning, extractive. The 2022 DiDi Global case alone surfaced 64.7 billion illegally processed personal records and produced an RMB 8.026 billion (USD 1.2 billion) penalty under the joint enforcement of PIPL, the Cybersecurity Law, and the Data Security Law. Chinese consumers — not just regulators — have lobbied loudly for years against forced consent walls, opaque SDKs, and the use of facial recognition as a sole login method.
The shape of the 2026 campaign reflects substantive choices, not arbitrary ones. Children's data in education, sensitive medical records in hospitals, and biometric authentication in transit are precisely the categories where market incentives are weakest and citizen harm sharpest. Picking the SDK layer is technically astute: one non-compliant ad SDK embedded across thousands of apps creates a supply-chain exposure that app-by-app review cannot fix.
Where proportionality will be tested
A pro-innovation observer should welcome enforcement of rules already on the books rather than the perpetual issuance of new ones — provided three conditions hold. The targets must be proportionate to harm, due process must be real, and the rules must be knowable in advance. The April 2026 campaign tests all three.
Scale. The CAC's February 2025 enforcement bulletin reported that regulators reviewed 11,159 platforms, sanctioned 4,046, ordered 585 to suspend functions, and removed 200 apps in 2024, alongside 10,946 website shutdowns coordinated with MIIT. The Chambers 2026 Global Practice Guide notes that MPS "Clean Network" operations handled more than 7,000 personal-information cases in 2024 alone, and that the Beijing Internet Court took on 113 PI cases between October 2023 and October 2024 — nearly double the 58 it heard in the preceding five years combined. Multiply those 2024 baselines by a seven-sector 2026 mandate and the enforcement volume is unprecedented. That is also a recipe for inconsistent application across the 31 provincial cyberspace administrations that will actually deliver most of the sanctions.
Foreign exposure. Chambers flags a September 2025 case in which the Shanghai subsidiary of a European luxury brand became the first multinational prosecuted for non-compliant cross-border transfer of personal information under PIPL's extra-territorial provisions. With separate cross-border certification rules taking effect on January 1, 2026, and a new national standard classifying combinations of "non-sensitive" data as sensitive when they affect "personal dignity," foreign operators are navigating live enforcement against a still-moving rule-book.
The SDK pile-on problem. Many apps deployed in China by non-Chinese vendors integrate local SDKs for payments, analytics, and push notifications. Under PIPL the app operator carries downstream liability even when the violating code belongs to a third party. The April 27 notice's "undisclosed SDK" category is doctrinally clean but practically punishing — it forces operators to audit supply chains they did not build, on timelines the regulator sets.
The proportionate response
Regulators are increasingly concerned with whether PIPL principles — necessity, purpose limitation, and data minimisation — are actually embedded in business operations. (China Briefing analysis of the April 2 notice.)
We agree with that ambition. The PIPL's substantive principles — purpose limitation, separate consent for sensitive data, real account-deletion mechanisms — are sensible standards that most democratic privacy regimes share. What separates good enforcement from arbitrary enforcement is whether it follows the DiDi template (large operators, mass harm, a written reasoned decision) or whether it slides into discretionary spot-checks on smaller players whose violations are technical rather than substantive.
Three signals will tell us which path Beijing has chosen by year-end. First, the ratio of remediation orders to outright app-store removals: a healthy ratio favours fix-it-first over kill-it-first, and the 33-app notice's 15-day remediation window is a hopeful start. Second, the share of published decisions that name the specific PIPL article violated: the April 27 notice does this well, while many provincial actions do not. Third, whether multinational operators receive the same procedural rights — written notice, response periods, appeal channels — as domestic firms.
If those three indicators move in the right direction, the April 2026 campaign will mark PIPL's legitimate maturation into a working enforcement regime worth taking seriously. If they do not, the campaign will entrench the perception, already common among foreign investors and many domestic founders, that China's data rules are a permission slip the state can withdraw at will. The open internet — and the very real privacy interests of Chinese users — deserve the former.