China Law Library

Compliant Personal Information Retention and Deletion

Chinese data law imposes a minimization requirement: data may be retained only for the minimum period necessary to achieve its processing purpose. Businesses have tended to neglect this based on a cost-benefit analysis, where the lack of regulatory enforcement actions in the past combined with the technical costs of implementing the requirement meant non-compliance would pay off. However, Chinese regulatory agencies began aggressively cracking down on violations of the right to request deletion in 2025, and issued several new regulations requiring data protection audits to closely inspect data deletion policies and mechanisms. In this article, we explain China’s law on data deletion, review recent regulatory enforcement actions, and recommend best practices for the local market.

Contents

What Are the Deletion Requirements?

Determining the Retention Period

Time Periods by Processing Purpose

Designing a Personal Information Retention and Deletion Policy

Deletion Mechanism Compliance Audit Requirements

Recent Regulatory Enforcement Actions

What Are the Deletion Requirements?

Under the China Personal Information Protection Act § 17, businesses must describe how data is used and how retention is minimized in a conspicuous notice before collecting personal information. The data can only be retained for the minimum duration necessary to achieve its processing purpose or necessary to comply with another legal requirement. The data retention period must be defined in such a way as to comply with the duty to notify and cannot exceed the minimum amount of necessary time, which in some cases is a period defined by statute. After this time elapses, the data must be deleted or anonymized. Internal policies and procedures should be kept up to date to avoid regulatory risks for excessive data retention.

Although data retention and deletion policy is central to Chinese businesses today, these data privacy requirements are extremely challenging in practice. The legal requirements on the duty to notify and its performance are not derived from the retention period; instead, personal data controllers have to define a retention period within the context of the notice. This is despite the fact that, in privacy professional practice, notice of the retention period uses a granularity approach. Therefore, the focus here will be on determining what data retention period you should use and how to set up and carry out the policy.

Determining the Retention Period

Determining an appropriate retention period is challenging. The China Personal Information Protection Act § 19 provides that you must follow any administrative regulations that govern retention; otherwise, a processor must retain data for the minimum amount of time needed to achieve the processing purpose. There are a few generally applicable issues to watch for under China's data retention law:

  • Employee management data will often be covered by industry specific regulations that must be followed.
  • Information must be retained long enough to satisfy applicable anti-money laundering, consumer protection, and employment law rights requirements, but there are cases where continuing to retain such data is not permitted.
  • There is a lack of clarity about how conflicts are resolved between Act § 19 and Chinese government agency rules or local laws that impose industry specific regulatory requirements, because Act § 19 has a provision stating data may not be retained for longer than necessary to satisfy its processing purpose “except as otherwise provided by law.” There are no rules indicating which of the two would apply if industry specific rules specify a minimum retention period that exceeds the actual time needed. This could put businesses into a catch-22 situation when determining which rules to follow.

Time Periods by Processing Purpose

Chinese law does not assign a specific retention period to many types of data; instead, the period must be reasonably based on the underlying processing purpose. That implies personal information processors should analyze how long each type of data needs to be retained in order to realize its processing purpose, and store these conclusions in a Personal Information Retention Period Table that lists each of these items individually. The processing purpose can be for the performance of a contract, for internal human resources requirements, to comply with statutory requirements, or in anticipation of commercial litigation.

An e-commerce site should store consumer personal information for the period of time necessary to complete the sale and retain the contracts and order data throughout the dispute statute of limitation periods provided by the China E-Commerce Act § 62. The data should be securely stored and not used for marketing analytics or advertising, unless there is another applicable statutory obligation.

During the period of time after the purpose no longer exists but before the end of the retention period, you must cease all activities not connected to data storage, and be able to ensure traceability when proceeding to deletion (see Act § 47). To avoid regulatory fines and litigation during this time, the business operation in China should establish data life cycle management practices that achieve “post-sale deletion, sealing for litigation, and secure storage.”

Therefore, the Retention Period Table should be reviewed and revised to ensure legal compliance with the applicable law on data retention periods. In practice, businesses will generally retain the personal information they process for longer than the minimum time necessary to achieve the processing purpose declared when the data was collected.

For example, businesses often want to retain Chinese job applicants’ personal information for extended periods of time. It is no longer legally “necessary” for the business to retain the job applicant’s personal information after they have decided against hiring this person. In this case, changing the processing purpose to something like building a talent database is justifiable, and it will be necessary to reestablish the legality of the business’s relevant personal information processing practices.

Designing a Personal Information Retention and Deletion Policy

Your data compliance depends on having an effective process, mechanism, and policy in place in your China operations to ensure that personal information stored on your computer systems is deleted or destroyed within the retention period; it should be designed based on what your Personal Information Retention Period Table shows is needed. A business that has already designed a Data Deletion Policy will need processes and mechanisms that implement it.

A data policy tailored for China should include selecting appropriate staff for a policy design team, as designing a functional policy requires multidisciplinary expertise spanning IT, legal, compliance, security and sometimes data governance.

Identify the appropriate control locations. Businesses in practice manage retention periods by using a data marking system where they add labels that consider how the same data may be transferred between different systems.

Data marking is generally done in the control layer, but only if this approach is appropriate to the business process and system’s application logic.

Appoint appropriate supervising staff in China. Aside from determining an appropriate control point, a data controller needs to designate supervising staff to be responsible for executing and monitoring the data marking process and to coordinate deletion or destruction on the system once the retention period is reached.

Staging environment. Even moderately sized businesses using the Internet will be using a large number of software systems that process personal data, and doing a single full audit of all of them is prohibitively expensive. You can instead use an environment that is representative of your business overall as a staging environment to test a retention period and deletion policy, and then push the strategy to other systems.

Take into account both the data categories governed by the retention period and the software configuration, because not all types of data will have an applicable retention period. Trying to use a fine-grained retention period that covers every database field will be too expensive to realistically put into practice. An adequate data governance approach specific to China is to classify data into categories and set up data retention and deletion rules for each of those categories. Also account for software limitations that may require custom code changes, for example if the software cannot delete data by category or field.

Procedures for changing retention periods. The data retention period should be lengthened or shortened to fit the organization’s evolving way of doing business in China’s markets. Be ready for change by setting up procedures that will lengthen or shorten the data retention period in a way that takes into account existing business processes and how onward data transfers will occur.

Litigation holds. Data lifecycle management processes will be running automated data deletion, but in the event of litigation that subjects the data to a preservation order, the automated deletion must be terminated. That implies the data retention and deletion process must have a termination mechanism that will stop automated deletion in the event of a litigation hold.

Data privacy policy training. Data controllers are required to offer training sessions as necessary to ensure their staff fully understands and can implement the organization’s data privacy policy.
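One way to implement the category-level retention rules, the storage-only "sealed" stage, and the litigation-hold stop described above. This is an added example, not part of the original article; the category names, retention values, record fields and action names are constructed assumptions, and real values come from your own Retention Period Table.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed rules: days a category is kept after its processing purpose ends.
RETENTION_DAYS = {"order": 1095, "job_applicant": 0}

@dataclass
class Record:
    record_id: str
    category: str                  # data-marking label that travels with the record
    purpose_ended: Optional[date]  # None while the processing purpose is still live

def decide(rec: Record, today: date, held_ids: set) -> str:
    """Return the lifecycle action for one labelled record."""
    if rec.category not in RETENTION_DAYS:
        return "review"            # unknown label: never auto-delete, escalate
    if rec.purpose_ended is None:
        return "active"
    expires = rec.purpose_ended + timedelta(days=RETENTION_DAYS[rec.category])
    if today < expires:
        return "sealed"            # storage only; no marketing or analytics use
    if rec.record_id in held_ids:
        return "hold"              # litigation hold stops automated deletion
    return "delete"

def sweep(records, today: date, held_ids: set):
    """One pass over all records: (ids to delete, audit trail for traceability)."""
    to_delete, audit = [], []
    for rec in records:
        action = decide(rec, today, held_ids)
        audit.append((today.isoformat(), rec.record_id, rec.category, action))
        if action == "delete":
            to_delete.append(rec.record_id)
    return to_delete, audit

# Constructed sample records and hold list.
SAMPLE = [
    Record("r1", "order", date(2022, 1, 1)),          # retention elapsed
    Record("r2", "order", date(2024, 1, 1)),          # purpose ended, still retained
    Record("r3", "job_applicant", date(2025, 5, 1)),  # elapsed, but under hold
    Record("r4", "order", None),                      # purpose still live
    Record("r5", "telemetry", date(2020, 1, 1)),      # no rule for this label
]
HELD = {"r3"}

if __name__ == "__main__":
    deletions, trail = sweep(SAMPLE, date(2025, 6, 1), HELD)
    print(deletions)
    for row in trail:
        print(row)
```

Releasing a hold is just removing the id from the hold set; the next sweep then deletes the record, and the audit trail shows both decisions.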

Deletion Mechanism Compliance Audit Requirements

Two regulations issued in February 2025 have supplemental data rights protection rules:

The right to request deletion is central to the Audit Guidelines; § 3 requires audits focus on “whether the account deletion or consent revocation mechanisms are clear and easy to use.”

  • § 16, governing deletion, requires audits to focus on “whether the business stopped providing services to the individual or they requested account deletion.”
  • § 17 requires audits to focus on whether a business facilitates users’ personal data rights requests and “how quickly user requests receive a response and the extent to which user questions about processing are quick, thorough, and accurate.”

While building automated app account deletion features that comply with Chinese law can be expensive, this step is justified by recent regulatory enforcement trends. Getting reviews or audits to ensure compliance with the right to request deletion is also advisable.

Recent Regulatory Enforcement Actions

The Cyberspace Administration of China on February 19, 2026 published a regulatory bulletin, Legal Probes Into Several Apps Illegally Infringing on Personal Information Rights, which resulted in four apps being taken offline, and a cease and desist order issued to 78 apps with a short correction deadline.

On February 26, the Shanghai CAC summoned the app owners for a hearing, which was done as part of its 2025 campaign to enforce personal information deletion rights and put an end to existing willful and repeated noncompliance. The CAC announced the following data privacy noncompliance penalty statistics:

  • Failing to offer account deletion features (26 apps)
  • Account deletion features did not work (39 apps)
  • Account deletion unreasonably difficult (5 apps)
  • Account deletion took longer than 15 days (8 apps).

These penalties follow the 2024 Shanghai CAC regulatory guidance covering ten major personal information protection legal violations, with the worst one being “ineffective account deletion mechanism,” which manifested as having no deletion button, a process that does not delete the user’s personal information, or an app that prevents users from re-registering after deletion.

These regulatory requirements have actually been around for a long time under the China Personal Information Protection Act § 47, which requires data controllers to delete data when the processing purpose is no longer relevant, and gives individuals the right to request deletion. These specific practices were enumerated as violations under the 2019 CAC Methods for Determining Illegal Collection Practices.

Based on earlier CAC internal investigation guidance and enforcement cases, the agency also prohibits apps from asking consumers to delete other app accounts or requesting unnecessary additional personal information during account deletion.

The CAC and Shanghai Consumer Protection Commission in the 2024 Shanghai Resident Personal Information Q&A guidance state that apps do not have to code an account cancellation feature, but they have to at least offer a way to contact customer service to request it.

Conclusion

In this article, we learned that the China Personal Information Protection Act imposes strict requirements for businesses to minimize the time they retain data, and to ensure that the consumer right to request deletion is protected. Moreover, the law is now being aggressively enforced by regulators. If you are processing data related to Chinese consumers, employees, or business partners, consider reviewing your China data privacy policies to ensure compliance.