Many cities around the world are increasingly embedding technological infrastructure in urban spaces. These infrastructures aim to collect vast amounts of data from citizens with an apparent purpose of improving public services. This article discusses privacy concerns generated by China’s nationwide smart city campaign and further investigates why China’s latest Cybersecurity Law is not adequate to address the risks to citizens’ privacy. We argue that there is no functional privacy law in China that would apply to most data collected by smart city infrastructure; nor is there any law that would protect any personal data collected under this framework. We therefore propose practical suggestions to better protect citizens’ data in China’s ongoing smart city campaign.