---
title_en: "Information Security Technology — Implementation Guide for Notification and Consent in Personal Information Processing (GB/T 42574-2023)"
title_zh: "信息安全技术 个人信息处理中告知和同意的实施指南 (GB/T 42574-2023)"
abbreviation: "GB/T 42574"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
effective_date: 2023-12-01
status: "effective"
related_laws: ["pipl"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide/
summary: "GB/T 42574-2023 is the recommended national standard that operationalizes PIPL's notification (告知) and consent (同意) obligations. It gives handlers practical guidance on what to tell data subjects and how, when and in what form to obtain consent — including separate consent, written consent, consent from minors' guardians, and withdrawal of consent — across web, app and other interfaces. It is the implementation manual for PIPL Articles 14–17 and 23/25/29/39, turning the statute's notice-and-consent rules into concrete design requirements."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Information Security Technology — Implementation Guide for Notification and Consent in Personal Information Processing (GB/T 42574-2023)", https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide/
> *DCC summary, not a translation.* GB/T 42574-2023 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's framework, for overseas compliance teams.

## Scope

GB/T 42574-2023 provides **implementation guidance for the notification and consent obligations** that arise when processing personal information — what information must be conveyed to the personal-information subject, how the notification should be presented, and how, when and in what form consent should be obtained, changed and withdrawn. It applies to handlers designing their notice-and-consent mechanisms, and is a reference for assessors and regulators.

It is a **recommended** standard, and is best read as the practical companion to **PIPL's** notice-and-consent provisions.

## Key contents

The standard separates the two obligations — *telling* the subject (notification) and *getting agreement* (consent) — and gives design rules for each.

**Notification (告知).** Guidance on the **content** that must be disclosed (the handler's identity and contact details; the purposes and methods of processing; the categories of personal information processed and the retention period; the means and procedures for the subject to exercise their rights; and the matters that must be disclosed for sharing, public disclosure, cross-border transfer, and automated decision-making). It also addresses the **manner** of notification — clarity, conspicuousness, plain and accurate language, timing (generally before processing), layered/just-in-time notice, and accommodations for different interfaces and for individuals with accessibility needs.

**Consent (同意).** Guidance on obtaining consent that is **voluntary, explicit and fully informed**, and on the situations requiring heightened consent:

- **Separate consent (单独同意)** — distinct, transaction-specific consent for sharing personal information with other handlers, public disclosure, cross-border transfer, processing sensitive personal information, and certain other high-impact activities.
- **Written consent (书面同意)** — where laws or regulations require consent to be in writing.
- **Guardian consent** — consent of a parent/guardian for processing the personal information of minors under 14.
- **Re-consent** — obtaining fresh consent when the purpose, method or categories of processing change.

It also covers **withdrawal of consent** (providing an easy means to withdraw, with withdrawal not affecting the lawfulness of prior processing), and the principle that a handler must not refuse to provide a product or service merely because the subject declines consent that is not necessary for that product or service.

**Statutory exceptions.** Guidance noting the circumstances in which processing may proceed without consent (e.g., performance of a contract to which the subject is a party, statutory duties, emergencies, news reporting, and processing of already-public information within reasonable limits).

The annexes provide reference examples of notice content and consent interface design.

## How it fits the regime

GB/T 42574 is the implementation manual for one of **PIPL's** core mechanisms. PIPL builds much of its consent architecture on notice: **Article 13** makes consent a primary lawful basis (alongside enumerated alternatives); **Articles 14–16** require informed, voluntary, explicit consent, allow withdrawal, and bar conditioning services on unnecessary consent; **Article 17** prescribes the matters to be notified; **Articles 23, 25, 29 and 39** require **separate consent** for sharing, public disclosure, processing sensitive personal information, and cross-border transfer respectively; and **Article 31** requires guardian consent for minors under 14.

The statute sets these requirements; GB/T 42574 turns them into concrete UX and content design rules. For overseas compliance teams, it is the document to consult when building privacy notices, consent flows and withdrawal mechanisms for Chinese-facing products, and it works hand-in-hand with GB/T 35273 (privacy-policy specification) and the app- and platform-specific rules that police notice-and-consent in practice.
