All data controllers processing personal data of individuals under the age of 14 (“minors”) must now submit an annual report to the Chinese data regulator, the Cyberspace Administration of China (“CAC”). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any minors’ data – even if just in an incidental capacity, such as an employer processing personal data of dependents of their employees – is subject to this new reporting requirement.
This new requirement was published in a CAC notice issued on 29 December 2025 (“Notice”), by way of further guidance on the Measures on the Protection of Minors in Cyberspace (“Measures”).
The Measures already required data controllers to audit their processing of minors’ personal data annually, either through in-house teams or by engaging third-party professional institutions. The new requirement extends this to a formal filing of a summary of key aspects of the audit report. By the end of January each year, data controllers must now report the audit results to the CAC, covering processing activities in the previous year. To support this, they must also submit a set of prescribed supporting documents outlined in the Notice.
These audits must be carried out in accordance with the applicable requirements of the China Personal Data Protection Law (“PIPL”) and the Management Measures on Personal Information Protection Compliance Audits.
In addition to the generally applicable personal data protection requirements, particular attention should be given during the audit to the data controller’s compliance with the requirements specific to the processing of minors’ personal data, such as:
- minor-facing privacy notices;
- age verification methods;
- parental consent; and
- designated minor data protection policies and procedures.
In addition, since minors’ personal data constitutes sensitive personal data, the requirements applicable to the processing of sensitive personal data must also be audited.
Although submitting the actual audit report is not mandatory, the CAC filing must include information regarding:
- the overall conclusions of the audit;
- the key compliance gaps identified;
- the relevant remediation actions;
- the channels and contexts through which minors’ personal data is collected (e.g. via which apps or websites); and
- the volume of data subjects: (i) under the age of 18, and (ii) under the age of 14.
Reporting can be done either on a per data controller basis or on a per group basis.
The Notice does not include any volume threshold requirements, so any processing of minors’ personal data must be reported, whether the reporting is done on a per data controller or per group basis.
Strictly speaking, the deadline for reporting processing activities conducted in 2025 is 31 January 2026. Failure to report on time constitutes a violation of the PIPL and may result in penalties such as fines, administrative warnings, orders to make corrections and/or orders to suspend the relevant processing or the underlying business. The data controller’s DPO and/or directly responsible personnel may also be subject to personal liability if the violation is serious (e.g. failure to make corrections in time after being requested by the CAC).
Considering that this is the first time data controllers have been required to report on minor data processing activities, and given the uncertainty surrounding the level of detail required in the reports, there has been discussion in the market as to whether the CAC will actively enforce the deadline against data controllers who only process a limited amount of minors’ personal data on an ad hoc basis. However, data controllers that have been processing large volumes of minor data on a continuous basis must urgently and carefully audit their processing of minors’ data and prepare for the reporting. Care should also be taken to ensure this report aligns, in terms of processing activities, volumes of data, etc., with prior reporting by the data controller to the CAC on, for example, DPO registration and cross-border data transfers.