Compliance Audit for the Protection of the Personal Information of Minors Due January 31

Written by Arendse Huld

A minors’ personal information protection audit is now required under CAC regulations, with initial materials due by January 31, 2026. This mandate is based on China’s Personal Information Protection Law and related measures, targeting companies that process data of individuals under the age of 18. Foreign businesses should urgently review their data handling activities to ensure compliance. 


The Cyberspace Administration of China (CAC) has issued a notice requiring companies that process the personal information of minors in China to submit an annual compliance audit.

This requirement follows the release of the Measures for the Administration of Compliance Audits on Personal Information Protection, effective May 1, 2025, which require all companies processing certain volumes of personal information to conduct and submit regular compliance audits assessing the company’s compliance with China’s personal information protection laws and regulations.

The new requirements are based on the Personal Information Protection Law (PIPL), the Regulations on the Protection of Minors Online (the “Online Protection Regulations”), and the Measures for Compliance Audits of Personal Information Protection, the latter of which outline requirements for compiling the compliance audits. 

Companies will have until January 31, 2026, to submit the initial materials, although a full audit report is not mandatory at this time. 

Foreign companies in China should take immediate steps to assess whether their scope of personal information processing could include the data of individuals under the age of 18 – even if this is done inadvertently – to ascertain whether they are required to conduct and submit the audit report.


What are the new audit requirements? 

Conducting a personal information compliance audit 

Under Article 37 of the Regulations on the Protection of Minors Online (the “Online Protection Regulations”), companies are required to conduct an annual compliance audit of their handling of the personal information of minors. This is more frequent than the requirement for companies handling general personal information, which must conduct an audit at least every two years, depending on the volume of personal information they handle. Unlike the general personal information audits, there is no threshold volume of minors’ personal information below which an audit is unnecessary: any amount of personal information collected from a minor will trigger the audit obligations.

The annual compliance audit can be carried out either independently by the company itself, or by entrusting a professional institution to do it on its behalf. Currently, there are very few accredited institutions, and many do not offer services to the public. As a result, most compliance audits are expected to be carried out internally, with the option to seek assistance from third-party experts acting in the company’s name. 

China’s Law on the Protection of Minors defines “minors” as citizens under the age of 18. However, the PIPL defines “sensitive personal information” as including the personal information of minors under the age of 14, which is therefore subject to stricter protection measures. The compliance audit requires a differentiated assessment of the handling of these two categories of minors’ personal information.

Submitting the audit report 

The annual audit reports must be submitted promptly to the municipal-level cyberspace administration department where the company is located. 

The previous year’s audit must be submitted by the end of January each year. This means the first audit reports are due January 31, 2026, and should cover the period from January 1, 2025 to December 31, 2025. However, the notice notably only mandates the submission of the “Compliance Audit Status Form for the Protection of Minors’ Personal Information”, suggesting that a full audit report is not mandated at this time. 

Submission can be done online through the Personal Information Protection Business System (the “Business System”). Alternatively, companies can access the Business System through the “National Cyberspace Administration Service Hall” section at the bottom of the CAC homepage. 

According to the Instructions for Submitting Compliance Audit Reports on the Protection of Minors’ Personal Information (Version 1) (the “Submission Instructions”), which can be downloaded from the Business System’s homepage, the following materials must be submitted: 

  1. An Annual Compliance Audit Status Form for the Protection of Minors’ Personal Information (“Audit Status Form”);
  2. A Letter of Commitment;
  3. A Compliance Audit Report for the Protection of Minors’ Personal Information (“Audit Report”) (if any);
  4. Scanned copies of other relevant materials. 

Templates for the Audit Status Form and the Letter of Commitment can be found in the Submission Instructions, while the optional Audit Report can be compiled according to Appendix C of the Cybersecurity Standard Practice Guide – Personal Information Protection Compliance Audit Requirements. 

What to do now

As mentioned, it is not mandatory to submit the full Audit Report at this time. However, with the January 31 deadline fast approaching, companies are strongly advised to at least submit the Audit Status Form (item 1 above) by that date. Priority should be given to meeting the submission deadline: completing the filing by the end of January 2026 is the primary goal. For companies that have not yet systematically conducted a compliance audit on the protection of minors’ personal information, it is not advisable to delay submission with the intent of submitting a full audit. Materials should be accurate but may be reasonably summarized, focusing on the key issues.


To complete the Audit Status Form, companies must provide basic information about the company, including the company name, corporate structure, funding type, and address, as well as information about the company’s legal representative (法定代表人) and the person in charge (经办人). Regarding the audit itself and the handling of the personal information of minors, the following information must be provided: 

  • The total scale of personal information processing calculated based on the number of unique individuals, accurate to the nearest ten thousand;
  • The total scale of processing of minors’ personal information calculated based on the number of unique individuals, accurate to the nearest ten thousand;
  • The total scale of processing personal information of minors under the age of fourteen calculated based on the number of unique individuals, accurate to the nearest ten thousand;
  • Audit scope: list of websites, apps, mini-programs, and application systems covered by the annual audit; and
  • Audit conclusions and correction status: a comprehensive evaluation of the annual audit items, including but not limited to audit findings and an overview of the correction status. 
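The three scale figures above are counts of unique individuals, not records, and the 18 and under-14 cutoffs have to be applied consistently across every system in the audit scope. The following Python is added here as an illustration and is not part of the article or of the CAC form; it shows one way to derive the figures from per-system processing logs. It assumes a shared person identifier across systems (so one person seen in a website and an app is counted once), that a person counts as a minor (or as a child under 14) if they were under that age on the date a record about them was processed, and that “accurate to the nearest ten thousand” means ordinary rounding. All three are assumptions, and the records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ProcessingRecord:
    """One processing event for one person in one system (constructed shape)."""
    system: str        # website, app, mini-program or application system
    person_id: str     # assumed: stable identifier shared across systems
    birthdate: date
    processed_on: date


# Constructed sample records, not real data. Comments give the age on the
# processing date under the age_on() rule below.
SAMPLE_RECORDS = [
    ProcessingRecord("web", "p001", date(1990, 6, 1), date(2025, 3, 10)),   # adult
    ProcessingRecord("app", "p001", date(1990, 6, 1), date(2025, 9, 2)),    # same adult in a second system
    ProcessingRecord("app", "p002", date(2009, 5, 20), date(2025, 4, 1)),   # 15: minor, not under 14
    ProcessingRecord("mini", "p003", date(2013, 1, 15), date(2025, 1, 10)), # 12: under 14
    ProcessingRecord("web", "p004", date(2007, 2, 1), date(2025, 6, 1)),    # 18 on the processing date: adult
    ProcessingRecord("web", "p005", date(2011, 7, 1), date(2025, 6, 30)),   # 13: under 14
    ProcessingRecord("app", "p005", date(2011, 7, 1), date(2025, 8, 1)),    # 14: minor only, same person
]


def age_on(birthdate: date, as_of: date) -> int:
    """Completed years of age on as_of; the birthday itself counts as the new age."""
    years = as_of.year - birthdate.year
    if (as_of.month, as_of.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def round_to_ten_thousand(n: int) -> int:
    """Assumed reading of 'accurate to the nearest ten thousand': round half up."""
    return (n + 5_000) // 10_000 * 10_000


def audit_scale(records) -> dict:
    """Unique-individual counts for the three Audit Status Form scale fields.

    A person is placed in the minor / under-14 sets if ANY record about them
    was processed while they were under 18 / under 14 (assumption), so a
    person who turned 14 during the period still appears in both sets.
    """
    all_ids, minor_ids, child_ids = set(), set(), set()
    for r in records:
        all_ids.add(r.person_id)
        age = age_on(r.birthdate, r.processed_on)
        if age < 18:
            minor_ids.add(r.person_id)
        if age < 14:
            child_ids.add(r.person_id)
    counts = {
        "total": len(all_ids),
        "minors": len(minor_ids),
        "under_14": len(child_ids),
    }
    counts.update({k + "_rounded": round_to_ten_thousand(v) for k, v in list(counts.items())})
    return counts


if __name__ == "__main__":
    for key, value in audit_scale(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed data the function returns 5 unique individuals, 3 minors and 2 children under 14; the rounded figures are 0 at this scale, which is exactly why the form’s unit matters for large platforms. A real run would feed the function the de-duplicated export of every system listed in the audit scope, and the age rule used should be recorded in the audit working papers so the figures can be reproduced next year.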

The Audit Report Form template provided in the Submission Instructions clarifies that the reports of branches and subsidiaries can be consolidated and submitted jointly at the group level. In this case, the name of the organization submitting the consolidated report (including its unified social credit code) must be noted in the “remarks” column of the report. If different branches or subsidiaries submit information separately, each entity must complete the forms separately. 

Other key questions 

Who needs to file an audit report? 

The notice states that “personal information processors” are required to conduct annual compliance audits in accordance with Article 37 of the Online Protection Regulations. 

Article 6 of the Online Protection Regulations stipulates that all online product and service providers, personal information processors, and manufacturers and sellers of smart terminal products must “abide by laws, administrative regulations, and relevant national provisions, [and] fulfill their obligations to protect minors online”. 

Importantly, these regulations do not distinguish between general personal information processors and those specifically targeting minors, meaning that any company that provides these services is covered by laws and regulations on the protection of minors. Moreover, a company does not need to be specifically targeting minors in order to be subject to the personal information protection obligations.

The practical implication of these provisions is that any company that processes the personal information of minors is required to submit an annual audit. Under the PIPL, “personal information processing” includes the collection, storage, use, technical processing (加工), transmission, provision, disclosure, and deletion of personal information. 

The difficulty for companies lies in ascertaining whether or not any of their data processing activity involves minors. For companies whose services directly target minors, such as education providers, or whose scope of services regularly includes minors, such as healthcare or entertainment providers, there will be no doubt as to the applicability of the audit requirements, or the content the report should cover. 

Complexity arises for companies that do not directly target minors (or which have some services that are not aimed at minors) or may even have mechanisms in place to prevent minors from using their services, such as having age limitations in place for real-name registration. While such providers may believe themselves to be exempt from the audit requirements, in reality it is impossible to prove that no personal information of minors has been collected, in particular for large platforms that handle huge volumes of personal information.  

Moreover, even services that are used primarily by adults can inadvertently collect the personal information of minors, such as through the taking of images or videos, or by allowing minors to use an adult’s account. Under the PIPL and related regulations, personal information can include personal communications (such as SMS messages and emails), internet browsing history, personal location information (such as transportation information), and various other types of information related to an identified or identifiable natural person.

For this reason, any company providing online services should make a thorough assessment of whether their activities could include the processing of personal information of minors, and which services provided could inadvertently be collecting the personal information of minors.  

What falls within the scope of personal information of minors? 

The definition of the personal information of minors is spread across various laws and regulations, including the PIPL, the Online Protection Regulations, the Law on the Protection of Minors, the Regulations on the Protection of the Personal Information of Minors Online (which apply to minors under 14), as well as other standards and regulations. 

A recent official Q&A from the CAC consolidates the definition of personal information as including (but not limited to) the following types of data: 

  • Basic information such as name, birthday, and age of an individual;
  • Personal identification information such as ID card, military officer’s certificate, and passport information;
  • Biometric information such as facial features, genetic information, voiceprints, iris scans, and fingerprints;
  • Online identity information, such as account number, and user identifier (user ID);
  • Personal education and employment information such as education history, profession, and job information;
  • Information on personal assets, such as financial accounts, consumption records, income status, and loan information;
  • Identity authentication information such as account passwords and digital certificates;
  • Personal communication information such as communication records, SMS messages, and emails;
  • Contact information such as address books and friend lists;
  • Personal internet browsing history such as web browsing history and software usage history;
  • Personal device information such as International Mobile Equipment Identity (IMEI);
  • Personal location information such as transportation information;
  • Personal tagging information such as user tags and profile information;
  • Personal information on exercise, such as steps and cadence; and
  • Any other information related to identified or identifiable natural persons. 

The personal information of minors can therefore be generally understood to be any of the above information belonging to a person under the age of 18.  

In addition to general personal information, the PIPL and related standards and regulations provide a separate definition for “sensitive” personal information, which is subject to stricter protection requirements. “Sensitive” personal information includes the personal information of minors under the age of 14. 

What should be included in the audit at this time? 

Given the tight reporting timeline, companies are advised to take a pragmatic, risk-based approach in complying with the new audit requirements.  

Conducting a PIPIA

In practice, many companies haven’t even conducted a personal information protection impact assessment (PIPIA) yet, as is required under the PIPL. From a compliance perspective, the correct course of action is therefore first to carry out PIPIA, and then to ensure that the technologies or management systems committed to in the PIPIA have been implemented during the personal information protection audit.  


To conduct the audit, it is advisable for companies to focus on a few key areas at this time. These may include the following high-risk areas: 

  1. Governance and overall protection framework: Existence of dedicated policies and management systems for minors’ personal information that are separate from general personal information rules, coverage of the full data lifecycle, alignment of technical and organizational security measures with the heightened sensitivity of minors’ personal information, clear internal responsibilities, and reporting and complaint-handling channels.
  2. Identification and differentiation of minors: Whether systems and business processes can accurately identify minors, and especially children under 14, as well as the implementation of differentiated protections once a user is identified as a child. This may include the existence of:
    1. Separate children’s privacy policies / user agreements;
    2. Designated personnel responsible for children’s data protection; and
    3. Security assessments when sharing or entrusting children’s data to third parties. 
  3. Notice and transparency obligations: Includes assessments of whether notices to minors and guardians are prominent, clear, understandable, and complete, and whether the necessity of processing minors’ personal information and the potential impacts on minors’ rights and interests have been disclosed.
  4. Guardian consent mechanisms: Whether the company has effective, verifiable guardian consent mechanisms where required; audit of age verification and identity confirmation methods, guardian identity verification processes, methods for giving consent (such as checkboxes or SMS verification), and standard requirements for consent (separate, non-permanent consent).
  5. Necessity and proportionality of personal information processing: Includes compliance with the principle of least privilege, identification of excessive or irrelevant data collection, the use of minors’ personal information beyond what is necessary for the provision of the service, and alignment with stated purposes for processing.
  6. Real-name and dynamic identity verification (where applicable): Network live-streaming services (and similar regulated sectors) should assess the existence and effectiveness of dynamic real-name verification mechanisms and the integration of identity verification with personal information protection controls. Other regulated industries, such as online gaming and brokerage services, should assess compliance with age restrictions.
  7. Special regulatory requirements for minors: Assessing compliance with special obligations under the Online Protection Regulations, the Law on the Protection of Minors, and the Regulations on the Protection of Children’s Personal Information Online. 

Legal liabilities for non-compliance 

The notice clarifies that failure to conduct compliance audits on the protection of minors’ personal information and to submit the audit reports “will be dealt with in accordance with the relevant laws, regulations, and rules”. 

Under the PIPL, companies can be fined up to RMB 1 million (US$137,292) for non-compliance if violations are not corrected, while individuals can be fined between RMB 10,000 (US$1,373) and RMB 100,000 (US$13,729). Serious violations can lead to fines of up to RMB 50 million (US$6.9 million) or 5 percent of the previous year’s turnover for companies, or between RMB 100,000 and RMB 1 million for individuals. 

Considerations for foreign companies 

For foreign companies operating in China, the new audit requirements mean that action should be taken sooner rather than later. Businesses whose products or services directly target children or minors, such as education, gaming, entertainment, or youth-oriented platforms, should treat compliance as an immediate priority and ensure that the relevant rules, consent mechanisms, and safeguards are already in place and reflected in their submissions.

Companies in consumer-facing sectors that do not specifically target minors should also proceed with caution. Even where minors are not the intended users, the personal information of minors may still be collected in practice, for example through account sharing, user-generated content, or the taking of images or videos. These companies should promptly assess whether their activities could trigger the audit and filing obligations. 

Other companies whose products or services could indirectly involve the collection of minors’ personal information, including B2B companies with downstream consumer-facing products, should likewise avoid assuming they are outside scope, and should review their data flows and system design accordingly.

About Us

China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
