[co-author: Ken Dai]
On December 29, 2025, the Cyberspace Administration of China ("CAC") officially released the Notice on the Filing of Compliance Audit Results for the Protection of Minors’ Personal Information ("Filing Notice"). The Filing Notice explicitly requires personal information handlers that process minors’ personal information to submit the previous year’s personal information protection compliance audit results to the competent municipal cyberspace administration in their locality by the end of January each year. The issuance of this notice indicates the further concretization and normalization of regulatory thresholds in the field of minors' personal information protection in China. It represents the substantive implementation of relevant provisions within the Personal Information Protection Law of China ("PIPL") and the Regulation on the Network Protection of Minors. This article focuses on the background to the Filing Notice, the practical filing thresholds, and—taking into account current implementation challenges—provides targeted compliance recommendations for enterprises.
- Regulatory Background
Personal information compliance audit (“Compliance Audit”) was stipulated as early as 2021 with the implementation of the PIPL in China. Article 54 of the PIPL clearly states: "Personal information handlers shall conduct periodic compliance audits of their personal information processing activities to ensure compliance with applicable laws and administrative regulations." Compliance Audit is a statutory obligation that must be fulfilled by all types of personal information handlers (regardless of whether they process minors' information)—including enterprises within China and enterprises outside China subject to the jurisdiction of the PIPL.
The Administrative Measures for Personal Information Protection Compliance Audits ("Compliance Audit Measures"), which came into effect on May 1, 2025, detailed the specific thresholds for such audits. The Compliance Audit Measures stipulate two types of compliance audits: regular compliance audits conducted by the enterprise itself and mandatory compliance audits required by authorities. Regarding the frequency of self-audits, personal information handlers processing the personal information of more than 10 million individuals must conduct a compliance audit at least once every two years; there is no mandatory frequency threshold for other enterprises. Regarding the obligation to report to authorities, the Compliance Audit Measures only impose a reporting obligation in the context of mandatory audits.
The Regulation on the Network Protection of Minors, effective January 1, 2024, sets out special rules specifically for scenarios involving the processing of minors’ personal information. Article 37 of the Regulation on the Network Protection of Minors stipulates that "Personal information handlers shall, on their own or by engaging a professional institution, conduct an annual compliance audit of their processing of minors’ personal information for compliance with applicable laws and administrative regulations, and promptly report the audit status to the cyberspace administration and other relevant authorities." Compared to the self-audits in the Compliance Audit Measures, the Regulation on the Network Protection of Minors (i) further specifies the audit frequency for minors’ personal information by requiring an audit “annually,” and (ii) introduces a reporting obligation for personal information handlers, enabling Chinese authorities to oversee the implementation of the annual audit threshold.
Against this backdrop, the release of the Filing Notice on December 29, 2025, has propelled the implementation of regulatory thresholds for minors' personal information compliance audits. The Filing Notice clarifies the specific time, channels, and content of filing, marking the transition of minors' information protection compliance audits from an obligatory duty on paper to a concrete compliance action that Chinese regulators can verify and enforce.
- Filing Content and Procedure
- Who shall submit
Unlike the Compliance Audit Measures, the Filing Notice released this time does not set a clear quantitative threshold. Whether filing is required does not depend on whether minors are the primary service object or on the scale of the enterprise, but solely focuses on whether it "actually processes minors' personal information". Therefore, not only industries and enterprises with a large number of minor users—such as operators of games and entertainment, education and training, children's products, and apps—need to pay attention, but other types of enterprises that may actually process minors' personal information incidentally during business activities also fall within the scope of filing.
The Filing Notice does not distinguish between domestic and overseas enterprises. Article 3 of the PIPL explicitly stipulates that overseas-established enterprises shall be governed by the PIPL in the event that they process the personal information within the territory of China for the provision of products or services to such individuals. Therefore, enterprises outside of China that meet the aforementioned criteria and process the personal information of minors are equally subject to the filing obligation.
In the absence of explicit exemptions from the authorities, any enterprise processing minors' personal information bears the obligation of compliance auditing and filing.
- To Whom to Submit
Article 37 of the Regulation on the Network Protection of Minors only requires reporting to the “cyberspace administration and other relevant authorities,” without specifying the competent authority level. The Filing Notice clarifies that personal information handlers shall submit the relevant materials to the municipal-level cyberspace administration in the locality where they are located.
Currently, the CAC's personal information protection business system provides the Instructions for Filling in the Filing System for Minors' Personal Information Protection Compliance Audit Results (First Edition) ("Filling Instructions"), which only list contact phone numbers for provincial-level cyberspace administration. Given the short time since the release of the Filing Notice, and the possibility that unified working methods have not yet been formed across all localities, it is recommended that enterprises directly consult the provincial-level cyberspace administration if they encounter problems during the filing process.
- Specific Thresholds for Filing
3.1 Filing Time
The Filing Notice stipulates that personal information handlers shall conduct a minors' personal information protection compliance audit at least once annually and submit the audit situation and related documents for the previous year to the local municipal-level cyberspace administration before January 31 of each year. Considering that the Regulation on the Network Protection of Minors came into effect in 2024 and the Filing Notice was released in 2025, the reporting for the 2025 compliance audit results should be completed before January 31, 2026. The release of the Filing Notice affords enterprises that process minors’ personal information only a short lead time to prepare for filing.
3.2 Filing Method
The Filing Notice requires that the filing of minors' information protection compliance audit result shall be conducted online (Personal Information Protection Business System: https://grxxbh.cacdtsc.cn). It should be noted that for personal information handlers operating in the form of a group company with multiple branches, the headquarters may fulfill the filing procedures uniformly; if multiple personal information handlers have related relationships (multiple subsidiaries, office areas, chain stores, third-party service enterprises, etc.), they may also merge their filing procedures.
3.3 Filing Materials
According to the Filling Instructions, the system only requires two mandatory materials: the Annual Minors' Personal Information Protection Compliance Audit Situation Table (the "Audit Situation Table") and a Commitment Letter. There is no mandatory threshold to submit the minors' personal information protection compliance audit report, nor are there thresholds regarding the format of the compliance audit report. Regarding the compliance audit report, the Filling Instructions only suggest that enterprises may refer to TC260-PG-20255A Cybersecurity Practice Guide — Personal Information Protection Compliance Audit Thresholds, Appendix C: Personal Information Protection Compliance Audit Report Template for compilation. Therefore, we understand that the current review focus of the cyberspace administrations is the Audit Situation Table. In addition to basic business registration information and information on the legal representative and handling person, the main information required to be filled in the Audit Situation Table includes:
- Personal Information Scale: Distinguished into three levels: (1) The overall amount of personal information processed by the enterprise; (2) The amount of minors' personal information processed; and (3) The amount of personal information processed regarding minors under the age of fourteen. If the enterprise has previously reported its personal information amount to the authority for reasons such as data export, attention should be paid to the consistency of the reported content.
- Audit Object Scope: This refers to the scope covered by the compliance audit, such as websites, APPs, mini-programs, systems, etc.
- Audit Conclusion and Rectification Situation: This part corresponds to the conclusion section of the compliance audit report and needs to be filled in by the enterprise according to the actual situation after completing the compliance audit work.
- Practical Guidance
Considering that the CAC released the Filing Notice at the end of 2025, and the filing deadline of late January 2026 is imminent, for enterprises—especially those that have not yet conducted a minors' personal information protection compliance audit—we suggest:
First, in the absence of a clear filing threshold from official sources, enterprises should still sort out their processing of minors' personal information as soon as possible according to the thresholds and complete the filing in a timely manner to reduce compliance risks.
Second, given the tight schedule and heavy workload of this filing, it is recommended that enterprises grasp the key points and advance in steps during the minors' personal information protection compliance audit work. Currently, the filing material thresholds released by the CAC are relatively concise and do not place excessive limits on the format and content of the audit report. Therefore, enterprises can prioritize focusing on business scenarios involving minors' personal information for review. On the premise of meeting basic compliance thresholds, enterprises can first form a simplified report and submit it promptly. This move not only satisfies the current filing deadline thresholds but also leaves room for improvement for potential subsequent detailed thresholds, allowing the enterprise to still be deemed as having fulfilled the obligation within the prescribed period.
Finally, as personal information compliance auditing is still a relatively new regulatory threshold, authorities will likely dynamically adjust and update relevant regulatory standards based on actual execution. Therefore, it is recommended that enterprises continue to pay attention to the regulatory trends, communicate with local authorities in a timely manner, and also layout future compliance audit work in advance to avoid compliance risks once supervision becomes normalized. For multinational enterprises, although the filing obligation does not exclude overseas companies, the current design of the filing system and the relevant forms is still primarily tailored to domestic entities (for example, an account for the filing system must be registered based on a China Unified Social Credit Code). Therefore, multinational companies with subsidiaries in China are advised to submit in the name of their China-based subsidiary. For overseas companies without a China presence, it is recommended that they consult with the relevant cyberspace administrations to clarify the appropriate filing method.
