DCC summary, not a translation. GB/T 42574-2023 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s framework, for overseas compliance teams.
Scope
GB/T 42574-2023 provides implementation guidance for the notification and consent obligations that arise when processing personal information — what information must be conveyed to the personal-information subject, how the notification should be presented, and how, when and in what form consent should be obtained, changed and withdrawn. It applies to handlers designing their notice-and-consent mechanisms, and is a reference for assessors and regulators.
It is a recommended standard, and is best read as the practical companion to PIPL’s notice-and-consent provisions.
Key contents
The standard separates the two obligations — telling the subject (notification) and getting agreement (consent) — and gives design rules for each.
Notification (告知). Guidance on the content that must be disclosed (the handler’s identity and contact details; the purposes and methods of processing; the categories of personal information processed and the retention period; the means and procedures for the subject to exercise their rights; and the matters that must be disclosed for sharing, public disclosure, cross-border transfer, and automated decision-making). It also addresses the manner of notification — clarity, conspicuousness, plain and accurate language, timing (generally before processing), layered/just-in-time notice, and accommodations for different interfaces and for individuals with accessibility needs.
Consent (同意). Guidance on obtaining consent that is voluntary, explicit and fully informed, and on the situations requiring heightened consent:
- Separate consent (单独同意) — distinct, transaction-specific consent for sharing personal information with other handlers, public disclosure, cross-border transfer, processing sensitive personal information, and certain other high-impact activities.
- Written consent (书面同意) — where laws or regulations require consent to be in writing.
- Guardian consent — consent of a parent/guardian for processing the personal information of minors under 14.
- Re-consent — obtaining fresh consent when the purpose, method or categories of processing change.
It also covers withdrawal of consent (providing an easy means to withdraw, with withdrawal not affecting the lawfulness of prior processing), and the principle that a handler must not refuse to provide a product or service merely because the subject declines consent that is not necessary for that product or service.
Statutory exceptions. Guidance noting the circumstances in which processing may proceed without consent (e.g., performance of a contract to which the subject is a party, statutory duties, emergencies, news reporting, and processing of already-public information within reasonable limits).
The annexes provide reference examples of notice content and consent interface design.
How it fits the regime
GB/T 42574 is the implementation manual for one of PIPL’s core mechanisms. PIPL builds much of its consent architecture on notice: Article 13 makes consent a primary lawful basis (alongside enumerated alternatives); Articles 14–16 require informed, voluntary, explicit consent, allow withdrawal, and bar conditioning services on unnecessary consent; Article 17 prescribes the matters to be notified; Articles 23, 25, 29 and 39 require separate consent for sharing, public disclosure, processing sensitive personal information, and cross-border transfer respectively; and Article 31 requires guardian consent for minors under 14.
The statute sets these requirements; GB/T 42574 turns them into concrete UX and content design rules. For overseas compliance teams, it is the document to consult when building privacy notices, consent flows and withdrawal mechanisms for Chinese-facing products, and it works hand-in-hand with GB/T 35273 (privacy-policy specification) and the app- and platform-specific rules that police notice-and-consent in practice.