On October 1, 2019, China’s new regulation to protect personal data related to children – called the “Measures on Online Protection of Children’s Personal Data” – went into effect.
As we wrote in June, when a draft of the regulation was released by the Cyberspace Administration of China, the regulation contains elements similar to those found in both the United States’ Children’s Online Privacy Protection Act (“COPPA”) and the European Union’s General Data Protection Regulation (“GDPR”). A few highlights of the regulation:
- Age limits:
The regulation applies to the personal data of children under age 14.
- Parental consent:
As with COPPA and the GDPR, online service providers seeking to collect personal information regarding children are required to obtain parental consent before collecting it.
- Designation of a specific individual in charge of child data:
The regulation requires online service providers to appoint an individual to be in charge of protection of children’s personal data. Unlike the GDPR’s requirements related to personal representatives, the regulation does not require that the individual be based or located in China.
- Reporting of data breaches:
The regulation requires reporting of data breaches affecting children’s personal data. The threshold for reporting is somewhat unclear, as the regulation refers to the reporting of serious, but not necessarily all, data breaches; the threshold may be further clarified.
The way that the regulation will apply to online service providers located outside of China remains unclear. Even under the GDPR, where the law is more explicit regarding extraterritorial application, it is not always obvious whether the GDPR applies to a given business activity. Thus, online service providers looking to do business in China should examine the regulation carefully as part of an overall strategy of complying with the rapidly evolving landscape of data privacy regulation in China.