<!-- Source: https://melinasecurity.com/knowledge/faq/pipl-consent-vs-cac-assessment/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# What's the difference between PIPL cross-border consent and CAC security assessment?

**slug:** `faq-pipl-consent-vs-cac-assessment` · **URL:** `/knowledge/faq/pipl-consent-vs-cac-assessment/` · **reviewer:** Tatiana + legal

### Short answer

Separate consent is a per-individual data-subject mechanism that every transfer needs in some form. CAC security assessment is a regulatory-approval mechanism that only certain transfers need, based on data category and volume. They operate at different layers and one does not replace the other.

### The two mechanisms

Under PIPL (Personal Information Protection Law), data crossing the mainland-China border requires both a legal basis and a transfer-mechanism qualification.

The legal basis component typically requires **separate consent** from the data subject — distinct from the general consent for processing, and specifically informed about the cross-border transfer (the overseas recipient identity, processing purpose, retention period, and channels for exercising rights). This is a data-subject-facing mechanism.

The transfer-mechanism component requires one of three paths to be in place: a CAC security assessment (the strictest, mandatory for CII (critical information infrastructure) operators and for transfers above volume thresholds), a CAC-approved standard contractual clause (SCC), or a personal-information-protection certification. This is a regulator-facing mechanism.

A transfer almost always needs both — separate consent satisfies the legal basis; one of the three transfer mechanisms qualifies the transfer pathway itself.

### The thresholds that trigger CAC security assessment

The CAC security-assessment route is mandatory rather than optional when:

- The data exporter is a CII operator
- The transfer involves Important Data as classified under the DSL (Data Security Law)
- The volume of personal information transferred crosses thresholds set by CAC guidance (these have been revised; current thresholds should be confirmed at engagement time)

For organizations below these thresholds, the SCC route or the certification route is typically more practical.

### Related

- [What is PIPL?](/knowledge/glossary/pipl/)
- [What is DSL?](/knowledge/glossary/dsl/)
- [What is CII?](/knowledge/glossary/cii/)
- [Does PIPL apply if my product never touches mainland-China users but my Chinese subsidiary processes their data?](/knowledge/faq/pipl-subsidiary-scope/)

---

