Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · CHILDREN'S PI PROVISIONS

Provisions on the Online Protection of Children's Personal Information.

儿童个人信息网络保护规定

Promulgated by: Cyberspace Administration of China. Document No.: Order of the Cyberspace Administration of China No. 4. Adopted and promulgated on August 22, 2019. Effective October 1, 2019.


Article 1. These Provisions are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Law of the People’s Republic of China on the Protection of Minors, and other laws and regulations, in order to protect the security of children’s personal information and promote the healthy growth of children.

Article 2. For the purposes of these Provisions, “children” means minors under the age of 14.

Article 3. These Provisions apply to activities such as the collection, storage, use, transfer, and disclosure of the personal information of children through networks within the territory of the People’s Republic of China.

Article 4. No organization or individual may produce, publish, or disseminate information that infringes the security of children’s personal information.

Article 5. A child’s guardian shall properly perform guardianship duties, and shall educate and guide the child to strengthen awareness and capability in personal information protection and to safeguard the security of the child’s personal information.

Article 6. Internet industry organizations are encouraged to guide and promote network operators in formulating industry norms and codes of conduct for the protection of children’s personal information, to strengthen industry self-discipline, and to fulfill social responsibilities.

Article 7. A network operator that collects, stores, uses, transfers, or discloses the personal information of children shall follow the principles of legitimacy and necessity, informed consent, clear purpose, security assurance, and lawful use.

Article 8. A network operator shall establish dedicated rules and user agreements for the protection of children’s personal information, and shall designate dedicated personnel responsible for the protection of children’s personal information.

Article 9. Where a network operator collects, uses, transfers, or discloses the personal information of children, it shall notify the child’s guardian in a conspicuous and clear manner, and shall obtain the consent of the child’s guardian.

Article 10. When obtaining consent, a network operator shall at the same time provide a refusal option, and shall expressly notify the following matters:

(1) the purpose, method, and scope of collecting, storing, using, transferring, and disclosing the child’s personal information;

(2) the place and period of storage of the child’s personal information, and how it will be handled after the period expires;

(3) the security measures for the child’s personal information;

(4) the consequences of refusal;

(5) the channels and methods for complaints and reports;

(6) the means and methods for correcting and deleting the child’s personal information; and

(7) other matters that should be notified.

Where there is a substantive change to the matters to be notified set out in the preceding paragraph, the consent of the child’s guardian shall be obtained again.

Article 11. A network operator shall not collect personal information of children that is unrelated to the services it provides, and shall not collect personal information of children in violation of laws, administrative regulations, or the agreement between the parties.

Article 12. A network operator shall not store personal information of children beyond the period necessary to achieve the purpose of collection and use.

Article 13. A network operator shall store personal information of children by adopting measures such as encryption to ensure information security.

Article 14. A network operator’s use of personal information of children shall not violate laws, administrative regulations, or the purpose and scope agreed by the parties. Where it is genuinely necessary, owing to business needs, to use such information beyond the agreed purpose and scope, the consent of the child’s guardian shall be obtained again.

Article 15. A network operator shall, on the principle of minimum authorization, strictly set information-access permissions for its staff and control the scope of persons who may have knowledge of children’s personal information. Staff access to children’s personal information shall be subject to approval by the person in charge of children’s personal information protection or a management person authorized thereby; the access shall be recorded; and technical measures shall be taken to prevent the unlawful copying or downloading of children’s personal information.

Article 16. Where a network operator entrusts a third party with the processing of children’s personal information, it shall conduct a security assessment of the entrusted party and of the entrustment, and shall sign an entrustment agreement specifying the responsibilities of both parties, the matters entrusted, the period of processing, and the nature and purpose of processing; the entrustment shall not exceed the scope of authorization.

The entrusted party referred to in the preceding paragraph shall perform the following obligations:

(1) process children’s personal information in accordance with laws and administrative regulations and the requirements of the network operator;

(2) assist the network operator in responding to applications made by children’s guardians;

(3) take measures to ensure information security, and promptly report to the network operator in the event of a security incident involving the leakage of children’s personal information;

(4) delete children’s personal information promptly upon termination of the entrustment relationship;

(5) not sub-entrust the processing; and

(6) perform other obligations to protect children’s personal information that are required by law.

Article 17. Where a network operator transfers personal information of children to a third party, it shall conduct a security assessment by itself or entrust a third-party institution to do so.

Article 18. A network operator shall not disclose personal information of children, except where disclosure is required by laws or administrative regulations, or is permitted under an agreement with the child’s guardian.

Article 19. Where a child or the child’s guardian discovers an error in the personal information of the child that has been collected, stored, used, or disclosed by a network operator, they have the right to require the network operator to make corrections. The network operator shall promptly take measures to correct the information.

Article 20. Where a child or the child’s guardian requests a network operator to delete personal information of the child that it has collected, stored, used, or disclosed, the network operator shall promptly take measures to delete it, including but not limited to the following circumstances:

(1) where the network operator collects, stores, uses, transfers, or discloses the child’s personal information in violation of laws, administrative regulations, or the agreement between the parties;

(2) where it collects, stores, uses, transfers, or discloses the child’s personal information beyond the scope of purpose or the necessary period;

(3) where the child’s guardian withdraws consent; or

(4) where the child or the child’s guardian terminates use of the product or service through means such as account deregistration.

Article 21. Where a network operator discovers that personal information of children has been, or may have been, leaked, damaged, or lost, it shall immediately activate its emergency response plan and take remedial measures. Where serious consequences have been or may be caused, it shall immediately report to the relevant competent authority, and shall notify the affected children and their guardians of the relevant circumstances by means such as email, letter, telephone, or push notification. Where individual notification is difficult, it shall adopt reasonable and effective means to issue the relevant warning information.

Article 22. A network operator shall cooperate with the supervision and inspection lawfully carried out by the cyberspace administration authorities and other relevant authorities.

Article 23. Where a network operator ceases operation of a product or service, it shall immediately stop collecting personal information of children, delete the personal information of children that it holds, and promptly notify children’s guardians of the cessation of operation.

Article 24. Any organization or individual that discovers conduct in violation of these Provisions may report it to the cyberspace administration authorities and other relevant authorities.

Upon receiving such reports, the cyberspace administration authorities and other relevant authorities shall promptly handle them in accordance with their respective duties.

Article 25. Where a network operator inadequately implements its responsibility for the security management of children’s personal information, resulting in a relatively high security risk or the occurrence of a security incident, the cyberspace administration authorities shall conduct a regulatory interview in accordance with their duties, and the network operator shall promptly take measures to rectify the situation and eliminate the hazard.

Article 26. Violations of these Provisions shall be handled by the cyberspace administration authorities and other relevant authorities, in accordance with their respective duties, pursuant to the Cybersecurity Law of the People’s Republic of China, the Administrative Measures for Internet Information Services, and other relevant laws and regulations; where a crime is constituted, criminal liability shall be pursued in accordance with law.

Article 27. Where legal liability is pursued for a violation of these Provisions, the violation shall be recorded in credit archives and made public in accordance with the provisions of relevant laws and administrative regulations.

Article 28. Where information is automatically retained and processed through a computer information system, and it is impossible to identify whether the retained and processed information is the personal information of children, other relevant provisions shall apply.

Article 29. These Provisions shall come into force on October 1, 2019.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →