what we think

By Norah Chen, Maarten Roos

On 29 December 2025, the Cyberspace Administration of China (CAC) issued the Announcement on Submitting the Compliance Audit Status of Minor Personal Information Protection (the "Announcement"). It introduces a recurring, annual filing obligation: any personal information (PI) handler that processes personal information of minors is expected to conduct a compliance audit of its processing activities of minor's personal information and submit the audit status to the competent CAC by 31 January of the following year.

The filing package should comprise of:

• Undertaking Letter;
• Minor Personal Information Protection Compliance Audit Report (if available); and
• Annual Compliance Audit Status Form.

While the Annual Compliance Audit Status Form is mandatory, the submission of a standalone audit report is required only where such a report has already been prepared. In practice, this structure allows companies that have not yet completed a formal audit report to file their audit status first, without detracting from the underlying obligation to conduct a meaningful compliance review.

The Annual Compliance Audit Form requires the handler to disclose, at a minimum:

• Processing scale (unique natural persons, rounded to 10,000):
  • overall personal information processed;
  • minors' personal information processed; and
  • personal information of children under 14 processed.

• Audit scope: the websites, apps, mini-programs, systems, etc. covered by the annual audit.

• Audit conclusion and remediation: a consolidated assessment highlighting key findings and rectification progress.

The Announcement signals a move from "general compliance expectations" to standardized, periodic supervisory reporting for personal information processing of minors.

Brief Trajectory: How Minors' PI Obligations in China Reached This Point

China's framework for minors' personal information protection has developed in stages, and this Announcement should be read as the latest step in an increasingly operational set of obligations:

2021 – PIPL (Personal Information Protection Law): establishes the general requirement for personal information handlers to conduct periodic compliance audits of their personal information processing activities (Article 54).

2024 – Regulation on the Online Protection of Minors: further specifies that processing activities involving minors should be subject to compliance audits and reporting to competent authorities (Article 37).

2025 – Policy direction and enforcement readiness: regulatory messaging continues to push companies toward routine self-checks and governance improvements, especially where minors' personal information is involved.

Now – CAC Announcement (29 December 2025): turns the "audit and report" obligation into a clear annual submission requirement with defined deliverables and a hard filing deadline (end of January each year).

"Key Coverage" Industries to Prioritize Action

While the Announcement applies to any handler that processes minors' personal information, the industries most likely to fall within its practical focus are those that serve minors on a stable, long-term basis, including:

• online gaming and live streaming (incl. audio/video platforms);
• education and training (including online tutoring and learning platforms);
• online medical consultation / healthcare services;
• mother-and-baby / parenting services; and
• children's wearables and smart devices.

These sectors typically either directly provide services to minors and/or, given the nature of their services, need to collect PRC ID numbers (for example, for real-name verification, eligibility checks, healthcare delivery, or learning-related features). As a result, they are more likely to process real, identifiable minors' personal information on a recurring basis, and therefore sit squarely within the practical "coverage" of the Announcement.

Key Takeaways

We expect the Announcement to have the most immediate and material impact on the "key coverage" industries above, where minors are a consistent user group or where service design necessitates the collection of PRC ID numbers. For companies operating in these sectors, we recommend treating the Announcement as directly applicable and ensuring that the required minors' personal information compliance audit arrangements are implemented in time to meet the annual filing deadline of 31 January.

For companies in other sectors, the compliance focus should be on maintaining a robust, auditable governance baseline, including keeping PIAs updated on an annual cycle where relevant (and in (and in any event where triggers are met), and closely tracking regulatory developments relating to minors' PI protection and audit/reporting expectations.

R&P's data privacy team supports international clients on compliance with China's extensive framework on data privacy. For more information on how the new Provisions will impact your business, please contact Maarten Roos ([email protected]), Norah Chen ([email protected]), or your trusted contact at R&P.