China’s Cyberspace Administration Office has issued new regulations to protect kids’ data privacy online, due to take effect on 1 October 2019. The Regulation on Protection of Children’s Personal Information Online puts into practice the principles of the broader Cyber Security Law (CSL) and the standards set by the Personal Information Security.
Standard, effective since May 2018.
Among other things the new rules:
- apply to children under the age of 14;
- classify kids’ personal data as ‘sensitive information’;
- require operators to obtain consent from parents before processing such data;
- impose stringent security obligations (such as restricted access and encryption);
- require companies to appoint a kids’ personal data ‘protection officer’; and
- oblige them to tightly control any third parties that process personal data from kids.
Note that while the various Chinese laws and regulations contain conflicting definitions of personal information, the base definition under the CSL (information “that can by itself or in combination with other information be used to identify a natural person”) mirrors that given in Article 4.1 of the GDPR, and is presumed to include unique technical identifiers (such as cookie IDs, IP addresses, device IDs) used for profiling and targeted advertising.
This move puts China on par with the US and the EU in terms of protecting the data privacy of children. It goes one step further with the requirement for companies to appoint a person to be responsible for kids’ data privacy, an idea that is catching on with other regulators.
A number of practical questions remain, including which methods of obtaining consent are acceptable, and how much effort operators must make to verify the identity of a parent or guardian. Note that Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), in comparison, does not carve out a separate regulatory regime for children and you should consider that any activities of an app or website that occur in China, even if operated from offshore, will fall under the scope of the Regulation.
TL;DR for advertisers: if you have been applying the principles of the Personal Information Security Standard by only running contextually targeted ads and avoiding any profiling or behavioral targeting of kids: no change. If not, ensure that your partners are fully aware they should not collect such data, or profile kids, in China. Whilst it is unclear as yet whether advertisers with no physical operations in China are in scope of the law, it is likely that your delivery partners have a presence there and so we recommend taking a cautious stance.
TL;DR for content owners: apply the same principles to your websites and apps that are targeted at Chinese consumers as you apply in the EU under GDPR: minimise data collection; post clear privacy notices; don’t collect personal data from kids without prior parental consent; protect and secure kids’ personal data; and—if you do business in China—be sure to appoint a children’s data privacy officer.