China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences.
On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection of Personal Information of Children (儿童个人信息网络保护规定)(PCPPIC). The regulation will come into effect on October 1, 2019, and will apply within the People’s Republic of China (PRC).The PCPPIC’s stated purpose is “protecting the security of children’s personal information and promoting the healthy growth of children in the PRC.” In 29 Articles, the PCPPIC sets forth high-level requirements for the collection, storage, use, transfer, and disclosure of the personal information of children within PRC territory.
Defined Purpose and Parental Consent
The CAC directs network operators to follow the principles of “righteousness, necessity, informed consent, definite purpose, security guarantee and legal use” in their collection, use, and storage of personal information. The handling of personal information must be relevant to the business services provided to child users. Information should be stored only for such period as necessary for the agreed-upon purpose and scope of the business service.
The PCPPIC defines children as minors below the age of 14. Parental or guardian consent must be obtained prior to the collection or use of children’s personal information. Network operators must also provide the option to withhold consent. In obtaining consent, network operators must provide information concerning the following six areas:
In the event of substantial change to any of the foregoing, network operators are required to re-obtain parental or guardian consent.
Information Security and Third-Party Considerations
Network operators are required to set up specific rules for protecting children’s personal information and to enter into an agreement with users. Network operators should take measures to ensure the security of information via encryption or other reasonable methods. Under a principle of minimum authorization, network operators are required to set strict access permissions for personnel responsible for handling children’s personal information.
When network operators engage third-party vendors, they are required to conduct a security assessment of the transferee prior to any transfers of personal information. Network operators should also enter into entrustment agreements with third parties to define the respective responsibilities, nature, purpose, scope, and term of processing personal information.
Children or parents/guardians are entitled to request any changes to or deletions of children’s personal information, and network operators are directed under the PCPPIC to take corresponding measures to comply with such requests.
If any child’s personal information is divulged, damaged, or lost, network operators should provide notice to the parent or guardian and immediately take remedial measures.
Notable Differences Among the PCPPIC, COPPA, and the GDPR
Jurisdictional Age Gate
The analogous US federal law, the Children’s Online Privacy Protection Act (COPPA), has been in force since 1998. Twenty years later, in May 2018, the EU introduced a data privacy regulation related to children under Article 8 of the General Data Protection Regulation (GDPR). Like COPPA and the GDPR, the PCPPIC sets forth requirements for parental/guardian consent and network operator responsibilities to protect children’s data privacy. All three bodies of law require that the collection and use of children’s personal information be constrained within the relevant, specific scope required by the business service, pursuant to valid, informed, and voluntary parental/guardian consent. However, one notable difference among the three bodies of law is the jurisdictional age gate for children. Under COPPA, the age gate requiring consent is set at 13, while the age gate under the GDPR is 16 (with the provision that Member States may adopt even younger markers, as low as 13). In contrast, the PCPPIC age gate is 14.
Another notable difference is that COPPA broadly applies to any online service, regardless of the country of origin, as long as the service is directed to US users. As a result, COPPA provides protection even for children outside of the US if the network operator is US-based. In contrast, the GDPR focuses on the geographic location of children and applies only to companies processing and holding personal information of data subjects residing within the EU, regardless of the company location. Similar to the GDPR, the PCPPIC applies to children within the territory of the PRC and is silent as to whether it has any extraterritorial effect.
The PCPPIC provides for penalties generally. Article 26 states simply that violators of the PCPPIC will be penalized under relevant laws and regulations as determined by the CAC and other relevant government agencies (g., the PRC’s Cyber Security Law). In contrast, COPPA and the GDPR are both specific in their respective penalties. Operators in violation of COPPA can be held liable for civil penalties of up to US$42,530 per violation. A US court assessing penalties will balance the egregiousness of the violations, any prior violations, the number of children involved, and the amount, type, and use of personal information collected, among other factors. The GDPR imposes administrative fines for violations under Article 8 of up to €10 million, or up to 2% of the total worldwide annual turnover of the network operator’s preceding financial year — whichever is higher. In contrast, the PCPPIC does not expressly provide any maximum penalties.
Uncertain Future for Implementation
In the last decade, implementation of COPPA has generated controversy. Some observers argue that parental consent and age verification are poor solutions to the issue of protecting privacy or warding off predatory advertising. Others maintain that COPPA has a chilling effect on children’s right to freedom of speech and self-expression. How implementation of the PCPPIC will change the cybersecurity landscape for children in the PRC remains unclear. The PCPPIC appears intent on prompting network operators to establish industry norms and codes of conduct. Whether the PRC’s cyberspace will self-regulate around the interests of children’s data privacy remains to be seen as the new law takes hold.