PIPL Pre-LOI Due Diligence.

The five investigation areas for PE deal teams evaluating targets with China data exposure. Cross-border transfers, data localization, consent architecture, third-party sharing, and enforcement risk.

Area 1: Cross-Border Transfer Mechanisms

The first and most critical area of investigation is whether the target has a lawful mechanism in place for transferring personal information out of China. Under PIPL Article 38, cross-border transfers of personal information require one of three mechanisms: a security assessment organized by the CAC, personal information protection certification by a specialized institution, or a standard contract filed with the CAC. There is no adequacy decision equivalent. There is no self-certification option.

The diligence question is binary at this stage: does the mechanism exist, or does it not? If the target is transferring personal information of China-based individuals to servers, analytics platforms, CRM systems, or any infrastructure outside of China, one of these three mechanisms must be in place. If none is in place, the transfer is non-compliant. The follow-up questions are about volume (how much data is being transferred), duration (how long has the non-compliant transfer been occurring), and category (is any of the data "important data" or sensitive personal information, which triggers the mandatory CAC security assessment path).

In practice, we find that most portfolio companies with China operations are transferring data to US or EU infrastructure without any PIPL-compliant mechanism. The marketing stack alone typically routes data through multiple cross-border paths: analytics platforms (Google Analytics, Mixpanel), CRM systems (Salesforce, HubSpot), email service providers, and ad platforms. Each of these data flows constitutes a cross-border transfer under PIPL. The remediation is not simply filing a standard contract. It requires mapping every data flow, categorizing the data, and determining which mechanism applies to each flow.

Area 2: Data Localization Obligations

PIPL Article 40 requires that critical information infrastructure operators (CIIOs) and personal information processors handling personal information above certain volume thresholds store personal information collected and generated within China domestically. The thresholds have been specified in implementing regulations: companies processing personal information of more than 1 million individuals, or that have cumulatively transferred personal information of more than 100,000 individuals (or sensitive personal information of more than 10,000 individuals) outside China since January 1 of the preceding year, must undergo a CAC security assessment before any cross-border transfer.

The diligence question is whether the target triggers any of these thresholds. For PE-backed companies with consumer-facing digital products in the China market, the 1 million individual threshold is reached more quickly than most teams expect. A mobile app with modest market penetration in China can accumulate 1 million user records within a year of operation. A SaaS platform serving Chinese enterprise customers may process employee personal information from client organizations that aggregates past the threshold.

When the threshold is triggered, the implications are significant. The company must store the relevant personal information on servers physically located in China. Cross-border transfers require a CAC security assessment (not the simpler standard contract option). The security assessment process involves government review of the data transfer's necessity, the recipient's data protection capabilities, and the risk to national security and public interest. Processing times for security assessments have ranged from 45 to 90 days, though delays are common.
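Areas 1 and 2 together describe a decision procedure: for every data flow that leaves China, one of the three Article 38 mechanisms must exist, and once the Area 2 volume thresholds (or the "important data" category) are triggered, only the CAC security assessment satisfies it. The inventory check below is an added example, not tooling from the page or from any deal team it describes; the `DataFlow` and `TargetProfile` models and the sample target are constructed assumptions, and the threshold logic applies the figures exactly as the text states them.

```python
"""Cross-border data-flow inventory check against the transfer mechanisms and
volume thresholds described in Areas 1 and 2. Added example; the DataFlow and
TargetProfile models are assumptions, not the page's own tooling."""
from dataclasses import dataclass, field
from enum import Enum


class Mechanism(Enum):
    NONE = "none"
    STANDARD_CONTRACT = "standard_contract"      # standard contract filed with the CAC
    CERTIFICATION = "certification"              # PI protection certification
    SECURITY_ASSESSMENT = "security_assessment"  # CAC-organized security assessment


# Volume thresholds as the text states them (Area 2).
PROCESSING_THRESHOLD = 1_000_000          # individuals whose PI the processor handles
CUMULATIVE_TRANSFER_THRESHOLD = 100_000   # individuals transferred since Jan 1 of preceding year
CUMULATIVE_SENSITIVE_THRESHOLD = 10_000   # individuals whose sensitive PI was transferred


@dataclass
class DataFlow:
    name: str
    destination_country: str   # ISO code; "CN" means the data stays domestic
    individuals: int           # China-based individuals in this flow
    important_data: bool = False
    mechanism: Mechanism = Mechanism.NONE


@dataclass
class TargetProfile:
    total_individuals_processed: int
    cumulative_transferred: int
    cumulative_sensitive_transferred: int
    flows: list = field(default_factory=list)


def is_cross_border(flow):
    return flow.destination_country.upper() != "CN"


def assessment_required(profile, flow):
    """True when the mandatory CAC security assessment path applies."""
    return (flow.important_data
            or profile.total_individuals_processed > PROCESSING_THRESHOLD
            or profile.cumulative_transferred > CUMULATIVE_TRANSFER_THRESHOLD
            or profile.cumulative_sensitive_transferred > CUMULATIVE_SENSITIVE_THRESHOLD)


def acceptable_mechanisms(profile, flow):
    """Mechanisms that would make this flow lawful; empty set for domestic flows."""
    if not is_cross_border(flow):
        return set()
    if assessment_required(profile, flow):
        return {Mechanism.SECURITY_ASSESSMENT}
    return {Mechanism.STANDARD_CONTRACT, Mechanism.CERTIFICATION, Mechanism.SECURITY_ASSESSMENT}


def audit(profile):
    """Return (flow name, current mechanism, acceptable mechanisms) for each non-compliant flow."""
    findings = []
    for flow in profile.flows:
        allowed = acceptable_mechanisms(profile, flow)
        if allowed and flow.mechanism not in allowed:
            findings.append((flow.name, flow.mechanism.value, sorted(m.value for m in allowed)))
    return findings


# Constructed sample: a target above the 1M processing threshold with a typical marketing stack.
SAMPLE_TARGET = TargetProfile(
    total_individuals_processed=1_200_000,
    cumulative_transferred=60_000,
    cumulative_sensitive_transferred=0,
    flows=[
        DataFlow("web_analytics", "US", 1_200_000),
        DataFlow("crm", "US", 40_000, mechanism=Mechanism.STANDARD_CONTRACT),
        DataFlow("prod_db", "CN", 1_200_000),
    ],
)


def sample_findings():
    return audit(SAMPLE_TARGET)


if __name__ == "__main__":
    for name, current, allowed in sample_findings():
        print(f"{name}: mechanism={current}, acceptable={allowed}")
```

Note that the CRM flow is flagged even though a standard contract is filed: once the profile crosses the 1 million individual threshold, the text's position is that the standard contract is no longer the applicable mechanism for any cross-border flow, which is why the audit operates on the target profile rather than on each flow in isolation.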

Area 3: Consent Architecture

PIPL consent requirements are more prescriptive than GDPR in several important respects. The diligence review must verify that the target's consent architecture addresses PIPL-specific requirements, not just GDPR requirements applied to the China market.

PIPL requires separate consent for several specific processing activities. Cross-border transfer of personal information requires its own distinct consent, separate from general processing consent. Processing of sensitive personal information (biometric data, financial accounts, personal location, health information, and information of minors under 14) requires separate explicit consent with specific disclosure of the processing necessity and impact on the individual. Sharing personal information with third parties requires separate consent that identifies the recipient, the purpose, the categories of information shared, and the recipient's data protection practices. Public disclosure of personal information requires separate consent.

The practical gap we find most consistently: companies running a single consent flow designed for GDPR compliance that bundles all purposes into one consent action. Under PIPL, this approach is non-compliant because it does not provide separate consent for cross-border transfer, sensitive data processing, or third-party sharing. The remediation requires redesigning the consent user experience to present separate, granular consent requests, then re-consenting existing users for processing activities that were not separately consented. Re-consent campaigns for existing users typically achieve 30-50% completion rates, meaning the remaining user base must either be re-contacted through alternative channels or excluded from the relevant processing activities.

Area 4: Third-Party Data Sharing

PIPL imposes specific obligations on data sharing that create exposure in MarTech stacks. Article 23 requires that when personal information processors entrust processing to a third party, both parties must agree on the purpose, duration, method of processing, categories of personal information, protective measures, and the rights and obligations of both parties. Article 21 requires separate individual consent for sharing personal information with third-party processors.

In a MarTech context, third-party data sharing is pervasive. Every SaaS tool in the stack that processes personal information of China-based users is a third-party processor under PIPL: the ad platforms, the analytics tools, the email service providers, the CDP, the CRM. Each requires a processing agreement that meets PIPL standards (which differ from GDPR data processing agreements), and each requires separate consent from the data subject for the sharing.

The diligence review should request a complete inventory of third-party data processors handling China user data, the processing agreements in place with each, and evidence that individual consent for third-party sharing has been obtained. In most portfolio companies, the processing agreements either do not exist, are based on the vendor's standard GDPR DPA (which does not meet PIPL requirements), or were signed by a team that did not assess PIPL-specific obligations. The consent gap is typically even wider: most companies have not obtained separate consent for sharing data with specific third parties because the consent architecture was not designed to do so.
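Areas 3 and 4 both turn on the same check: does a distinct, single-purpose consent record exist for each cross-border transfer, sensitive-data, public-disclosure and third-party-sharing activity the company actually performs, and does each third-party consent name the recipient and carry the disclosures the text lists? The audit below is an added example, not code from the page; the `Consent` and `Processing` record model, the disclosure field names and the three sample users are constructed assumptions. It reproduces the bundled-GDPR-flow failure the text describes and sizes the re-consent population.

```python
"""Consent-architecture check for PIPL separate-consent requirements (Areas 3 and 4).
Added example; the consent record model is an assumption, not the page's own."""
from dataclasses import dataclass
from enum import Enum


class Activity(Enum):
    GENERAL = "general_processing"
    CROSS_BORDER = "cross_border_transfer"
    SENSITIVE = "sensitive_pi_processing"
    THIRD_PARTY = "third_party_sharing"
    PUBLIC = "public_disclosure"


# Activities the text says need their own distinct consent action.
SEPARATE_CONSENT_ACTIVITIES = {Activity.CROSS_BORDER, Activity.SENSITIVE,
                               Activity.THIRD_PARTY, Activity.PUBLIC}
# What a third-party sharing consent must identify, per the text (field names are assumed).
THIRD_PARTY_DISCLOSURES = frozenset({"recipient", "purpose", "categories", "protection_practices"})


@dataclass(frozen=True)
class Consent:
    activities: tuple                      # activities bundled into one consent action
    recipient: str = ""                    # named recipient for THIRD_PARTY consents
    disclosures: frozenset = frozenset()   # disclosure fields shown at consent time


@dataclass(frozen=True)
class Processing:
    activity: Activity
    recipient: str = ""   # set for THIRD_PARTY; one entry per recipient

    def label(self):
        return f"{self.activity.value}:{self.recipient}" if self.recipient else self.activity.value


def covers(consent, proc):
    """True when `consent` is valid for `proc` under the separate-consent rule."""
    if proc.activity not in consent.activities:
        return False
    if proc.activity not in SEPARATE_CONSENT_ACTIVITIES:
        return True                       # general processing may sit in a bundled consent
    if len(consent.activities) != 1:
        return False                      # a bundled consent is not "separate" consent
    if proc.activity is Activity.THIRD_PARTY:
        return (consent.recipient == proc.recipient
                and THIRD_PARTY_DISCLOSURES <= consent.disclosures)
    return True


def consent_gaps(consents, performed):
    """Labels of performed activities with no valid consent on file for this user."""
    return [p.label() for p in performed if not any(covers(c, p) for c in consents)]


def reconsent_population(users, performed):
    """Map user id -> gaps, for the users who must be re-consented or excluded."""
    return {uid: gaps for uid, consents in users.items()
            if (gaps := consent_gaps(consents, performed))}


# Constructed sample: what the company actually does with China user data.
PERFORMED = (
    Processing(Activity.GENERAL),
    Processing(Activity.CROSS_BORDER),
    Processing(Activity.THIRD_PARTY, "analytics_vendor"),
    Processing(Activity.THIRD_PARTY, "crm_vendor"),
)

SAMPLE_USERS = {
    # u1: a GDPR-style flow that bundled every purpose into one consent action
    "u1": [Consent((Activity.GENERAL, Activity.CROSS_BORDER, Activity.THIRD_PARTY))],
    # u2: granular flow, but the CRM consent omitted the protection-practices disclosure
    "u2": [Consent((Activity.GENERAL,)), Consent((Activity.CROSS_BORDER,)),
           Consent((Activity.THIRD_PARTY,), "analytics_vendor", THIRD_PARTY_DISCLOSURES),
           Consent((Activity.THIRD_PARTY,), "crm_vendor",
                   frozenset({"recipient", "purpose", "categories"}))],
    # u3: fully granular, every recipient named with complete disclosures
    "u3": [Consent((Activity.GENERAL,)), Consent((Activity.CROSS_BORDER,)),
           Consent((Activity.THIRD_PARTY,), "analytics_vendor", THIRD_PARTY_DISCLOSURES),
           Consent((Activity.THIRD_PARTY,), "crm_vendor", THIRD_PARTY_DISCLOSURES)],
}


def sample_audit():
    return reconsent_population(SAMPLE_USERS, PERFORMED)


if __name__ == "__main__":
    for uid, gaps in sample_audit().items():
        print(uid, "->", ", ".join(gaps))
```

Run against a real consent database, the keys of the returned map are the re-consent campaign's target list, and the gap labels say which separate consent screens each user still has to see; users absent from the map need nothing. Because third-party consents are keyed per recipient, adding a new vendor to the stack immediately reopens a gap for every existing user, which is the structural reason the text gives for the consent gap being wider than the processing-agreement gap.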

Area 5: CAC Enforcement Exposure

The final investigation area is the target's enforcement exposure. The CAC has been actively enforcing PIPL since 2023, with a focus on cross-border transfer violations, excessive data collection by mobile applications, and failure to implement required security measures. Enforcement actions have included app removals from domestic app stores, mandatory rectification orders, public naming, and financial penalties.

The diligence review should check for any prior enforcement actions, regulatory inquiries, or rectification orders issued against the target or its subsidiaries by the CAC or other Chinese data protection authorities. It should also assess the target's current compliance posture against known enforcement priorities. If the target is operating a mobile app in China that collects personal information without PIPL-compliant consent, or transferring data cross-border without a lawful mechanism, the enforcement risk is not theoretical. It is a matter of when, not whether, regulatory attention arrives.

For PE acquirers, enforcement exposure affects three deal variables. First, the direct financial risk of penalties (up to 50 million RMB or 5% of annual revenue). Second, the operational risk of mandatory remediation orders that may require restructuring data infrastructure on a compressed timeline. Third, the market access risk: app removal or service suspension in China eliminates the revenue stream that may be part of the acquisition thesis. All three belong in the deal model.

Field observation: In a 2025 cross-border acquisition, the target operated a B2B SaaS platform serving 340 Chinese enterprise customers. The target had no CAC standard contract filing, no data localization infrastructure, and a GDPR-based consent flow applied uniformly across all markets. The PIPL remediation scope included: local data infrastructure deployment ($800K), standard contract filing and legal preparation ($180K), consent architecture redesign and re-consent campaign ($350K), and third-party processor agreement renegotiation ($120K). Total: $1.45M over 9 months. This was not in the original deal model.

Next Step

Scope the PIPL exposure before the LOI.

We assess cross-border transfer compliance, data localization triggers, consent architecture, and enforcement exposure for PE deal teams. Delivered within two weeks.
