In early June, the Cyberspace Administration of China released for public comment new draft regulations applicable to the collection of personal information relating to children under 14 by online service providers.
The draft regulations share many of the same structures as those utilized by the Children’s Online Privacy Protection Act (“COPPA”) in the United States:
- online service operators will have to obtain parental consent based on a comprehensive disclosure about the collection, use, and retention of children’s personal data;
- parents will maintain the ability to withdraw consent, or request to inspect or alter data, throughout the period in which data is retained.
The draft regulations also incorporate security requirements more robust than those found in COPPA. These measures include:
- periodic security risk assessments;
- encryption requirements; and
- data breach reporting to both the relevant authorities and impacted persons.
The proposed regulations are just one piece of a broader effort by the Cyberspace Administration to institute tough new controls on the collection and use of personal information by online service providers. The Cyberspace Administration is responding not only to calls by political leaders to speed implementation of the Cybersecurity Law enacted in 2017, but also increasing public consciousness of data gathering activities in the rapidly-growing smartphone market in China.