New draft Regulations on the Online Protection of Minors (Draft Regulations) were released by the Cyberspace Administration of China (CAC) on 14 March 2022. They update the 2016 Draft Regulations of the same name which were released for public comment but never adopted.
The latest Draft Regulations have been issued pursuant to the PRC Law on Protection of Minors (LPM), PRC Cybersecurity Law and PRC Personal Information Protection Law (PIPL) and reflect the government’s growing concern about the negative impact of the internet on society, particularly its youth – and come hot on the heels of the rules introduced last year that prescribe the amount of time minors are allowed to spend on video games on a weekly basis.
Scope of Application
The LPM defines “minors” as individuals under the age of 18. As the name suggests, the Draft Regulations focus on the protection of minors online, and specifically address and impose obligations on online product and service providers, personal information handlers (Data Controllers) and the manufacturers or sellers of smart terminals1 — with additional requirements for important internet service providers.2 However, they also apply in general to other internet users.
High Level Obligations
Broadly worded, value-based requirements are imposed on online product and service providers (Online Providers), Data Controllers, and the manufacturers or sellers of smart terminals to “respect social mores”, “comply with professional ethics”, “be truthful and credible” and “take social responsibility”. They also require these entities to establish effective and clear complaint channels and policies, and address complaints promptly.3
Important Internet Service Providers
Important internet service providers with a “large base of minor users or with influence on minors as a group” are required to fulfill the following further obligations:
- Periodically carry out impact assessments on the protection of minors online;4
- Provide “Youth Modes” and special areas for minor users;5
- Establish an independent body to conduct oversight of the online protection for minors;6
- Draft special rules and alert minor users in a conspicuous manner of the rights they enjoy for protection online in accordance with the law and of remedies for harms suffered online;7
- Stop providing services to providers of products or services on the platform who seriously violate laws and administrative regulations and harm minors’ rights and interests;8 and
- Annually publish a special report on their online protection of minor users.9
These requirements for important internet service providers are quite onerous, and require the establishment of separate processes (special reports, independent oversight body etc.), although it is unclear whether such companies would need to separately retain a professional entity to conduct audits or exercise oversight of their compliance.
More generally, the Draft Regulations also prohibit the use of networks to:
- Reproduce, publish or transmit content harmful to minors’ physical or psychological health;10
- Send minors content harmful to or that might impact minors’ physical or psychological health;11 and
- Entice or compel minors to produce, reproduce, publish or transmit text, pictures and audiovisual content of pornographic nature.12
Online Providers must also ensure that any information that may lead or entice minors to imitate unsafe conduct, carry out conduct that violates social mores, or impact minors’ physical or psychological health is accompanied by conspicuous content warnings before the content can be displayed (Sensitive Content).
The CAC is expected to release more detailed guidance on what constitutes Sensitive Content.13 This is something to pay close attention to as the Draft Regulations also prohibit the production, reproduction, publication or transmission of Sensitive Content in online products or services aimed at minors, and the embedding of Sensitive Content in “eye-catching positions”, or areas of the products or services that are likely to draw users’ attention, such as landing pages, pop-up windows or even suggested searches.14
Online Providers are also required to put into place necessary mechanisms enabling them to take down Sensitive Content upon discovery, store relevant records and make a report to relevant departments.15
The Sensitive Content provisions do not currently distinguish between content organically created by Online Providers, and advertisements. Accordingly, since these “eye-catching positions” are often made available to advertisers (and perhaps beyond direct control of Online Providers), Online Providers with an application or website accessible by minors in the PRC may have to review their advertising policies and exercise more control over their online content.16
Pre-installed Software Requirement
Smart terminal products intended for use by minors are required to have content-filtering features facilitating prevention of minors’ exposure to Sensitive Content, or employ noticeable methods to inform users about the channels and methods for installing such software.17 It is anticipated that the CAC will further clarify the relevant technical standards and requirements for these smart terminal products.
Real Name Registration Requirement
A real-name registration requirement is also imposed in respect of certain services. Online Providers providing minors with information publishing, instant messaging or gaming services are required to obtain from the minors or their guardians the minors’ real-name information.18 Where the minors or their guardians do not provide the minors’ real-name information, the Online Providers are prohibited from providing the relevant services to the minors.
Personal Information Protection Law
Articles 34 to 45 also reiterate the applicability of the PIPL provisions relating to minors.
These include ensuring that principles of lawfulness, propriety, necessity and good faith are observed when handling personal information;19 the need to obtain new consent when there are changes to the purpose, method of handling or types of personal information handled;20 and obtaining separate consent when handling sensitive personal information of minors.21
Notably, the Draft Regulations mandate that Data Controllers “strictly set access rights to information and control the scope of access to minors’ personal information (Minors’ PI)”. This requires them to ensure staff accessing Minors’ PI obtain the approval of management, record circumstances of access, and implement technical measures to avoid improper handling of Minors’ PI.22 Data Controllers are also required to conduct an annual compliance audit of their handling of Minors’ PI.23
Industry Specific Obligations
Under the Draft Regulations, providers of online education products and services aimed at minors are not allowed to send advertisements, or other information unrelated to education.24
Providers of online services such as games, live streams, video and social media, are required to employ measures to reasonably limit the amount that minors can spend as single payments and daily totals for online products or services.25 In particular, providers are prohibited from providing payment services to minors that are incongruous with the minors’ “capacity for civil action”.26 The Draft Regulations do not elaborate further on how this capacity is to be determined – for example, whether it relates to their ability to bear any financial liability or otherwise.
Furthermore, online live streaming service providers are required to verify the identities of their users, and ensure that minors under 16 do not register for online live streaming accounts.27
Penalties under the Draft Regulations mirror those under PIPL and include a fine of up to RMB 50 million or 5 percent of the preceding year’s annual turnover, rectification orders, warnings, confiscation of illegal gains, suspension or cessation of services, cessation of operations or revocation of permits or business licenses. In egregious cases, directly responsible personnel may be held personally liable for up to RMB 1,000,000.28
The broad applicability of the Draft Regulations means that online businesses – even those not specifically catering to minors – may be impacted, so long as their services are accessible by minors. This is particularly the case for online businesses that operate in the gaming, live streaming, video, social media and online education sectors.
In summary, all companies with websites or mobile applications accessible in the PRC by minors should review their policies, processes and guidelines relating to their handling of Minors’ PI.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this Legal Update.
1 Article 6 of the Draft Regulations.
2 Article 20 of the Draft Regulations.
3 Article 7 of the Draft Regulations.
4 Article 20 (1) of the Draft Regulations.
5 Article 20 (2) of the Draft Regulations.
6 Article 20 (3) of the Draft Regulations.
7 Article 20 (4) of the Draft Regulations.
8 Article 20 (5) of the Draft Regulations.
9 Article 20 (6) of the Draft Regulations.
10 Article 22 of the Draft Regulations.
12 Article 23 of the Draft Regulations.
13 Article 24 of the Draft Regulations.
14 Article 26 of the Draft Regulations.
15 Article 30 of the Draft Regulations.
16 Article 26 of the Draft Regulations.
17 Article 19 of the Draft Regulations.
18 Articles 33 and 53 of the Draft Regulations.
19 Article 34 of the Draft Regulations.
20 Article 35 of the Draft Regulations.
21 Article 37 of the Draft Regulations.
22 Article 42 of the Draft Regulations.
23 Article 44 of the Draft Regulations.
24 Article 29 of the Draft Regulations.
25 Article 50 of the Draft Regulations.
26 Article 51 of the Draft Regulations.
27 Article 33 of the Draft Regulations.
28 Article 63 of the Draft Regulations.