News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | China has released its version of COPPA Related reading: FTC considers relaxing children’s privacy rules

rss_feed

China has finally released its own version of the U.S. Children's Online Privacy Protection Act. On Aug. 23, the Cyberspace Administration of China released the final version of the "Measures on Online Protection of Children’s Personal Data," which will come into force Oct. 1. The measures provide further clarity on how to protect children’s personal data online under the framework of China's Cyber Security Law.

Not only do the measures have a broader application compared to its counterpart in the U.S., but these measures also include prescriptive requirements on management measures to safeguard children’s personal data. This article analyzes the difference between the measures and two prominent legislations on the protection of children’s personal data, i.e., the EU General Data Protection Regulation and the U.S.'s COPPA and introduces the key requirements under the measures.

The applicability

The measures apply to any collection, storage, processing, transfer and disclosure of personal data of the children who are under the age of 14 by using the network in China. The application of the measures do not look at if the network operator’s website or online services are “directed to children” or the network operator has any “actual knowledge” of processing of children’s personal data. But in practice, it is foreseeable that to establish jurisdiction in law enforcement action, CAC would also need to consider objectively whether the network operators indeed process children’s personal data by looking at the contents of the websites or online services, unless the network operator provides the statistics of the users’ age to prove that there is indeed no children’s personal data.

'Network' in China

The CSL defines the network broadly to include internet, intranet and industrial control system. Collection and processing children’s data via websites or apps would fall into the scope of the Children Data Protection Measures. Uploading the data to an intranet or internal information system subsequent to offline paper-based collection of children’s personal data would also render the companies subject to the measures.

Extraterritorial effect?

Although the CSL does not include a similar provision for exterritorial application as Article 3(2) of the GDPR, the draft "Measures on Administration of Data Security," which were released by the CAC in June for public consultation seem to suggest the extraterritorial application of the CSL. Given CAC’s interest in protecting data subjects in China targeted by network located outside of China, CAC may have a consistent take on the extraterritorial effect for the measures, as well. Foreign websites operators and online service operators that directing to children in China may also be subject to the measures. 

Possible carve-out?

There seems to be a carve-out of the application of the measures, i.e., the automatic collection of information in the network log which alone cannot identify or determine if it is related to a child. For those general audience websites or business-to-business websites, it is arguable that the website operators may not be able to identify if the website user is a child or not before the user registers and logs in to the website. However, for companies operating websites or apps that have content that likely attracts children, it is arguable that the safe harbor provision would not apply because these website or app operators will be processing the personal data of children (e.g., IP address or device ID and other browsing history) in case of automatic collection of information when children visit the websites or use the online services. General audience websites or online service operators in China can identify the contents that attract children and accordingly revisit the consent mechanism on a website or app for compliance with the measures.

Parental consent

The measures provide the requirement on “notice + parent consent” for processing children’s data. 

  • The measures require the notice to be directed to the parent and the notice shall be specifically for children. The notice requirements in the measures are not so different from the notice requirements under the GDPR. In the past two years, the Chinese authorities have been promoting the transparency of processing of personal data and protection of personal data. Chinese authorities also announced their new law enforcement agenda to cure certain privacy practices, such as bundled consent and released guidance on privacy notice.
  • On consent, the final version of the measures did not include the requirement of "explicit consent." The explicit consent in the draft version of the measures requires that the consent shall be clear, specific, unambiguous and freely given. The consent requirement in China has been subject to heavy debate mostly because the CSL does not clearly define such requirements. It is worth watching the space how much CAC is willing to consider the practices in the U.S. on obtaining "verifiable parental consent" in China.
  • The final version of the measures removed the exemptions to parental consent, i.e., processing in the national interest or public interest, to mitigate the danger to children’s property or personal safety, or other circumstances provided by laws. It is worth noting that the CSL does not include exceptions to consent as well. Recognizing the necessity of exceptions in practice, the recommended national standard "Personal Information Security Specification" includes a few exemptions of consent, such as compliance with laws, performance of contract, processing in the national and public interest. While the recommended national standard has been largely endorsed by the relevant regulators and law enforcers in practice, it is yet to be seen how the regulators and law enforcers reconcile the recommended national standard and the measures particularly on handling sensitive personal data like children’s personal data.

Mandatory limited retention

Article 12 of the measures specifically provides the limited retention principle and filled in the gap in the CSL. It is time for network operators in China that process the personal data of children to prepare the retention schedule to identify the retention period requires by the business and the minimum retention period under various Chinese laws and regulations.

Dedicated responsible person to protect children’s data

The measures require network operators to appoint a dedicated person to protect children’s personal data. While there is no residency requirement on such dedicated person to be responsible for protecting children’s data, looking at the responsibilities provided by the measures, it is very clear that CAC would expect such dedicated person to be responsible for day-to-day operation. Although there is no clear requirement that such person should be based in China, depending on the nature and volume of data that are processed, having the internal data protection office located in the headquarters outside China to shoulder these daily operational tasks may not practical, and it may not be able to meet such regulator’s expectation considering the accessibility of the internal data protection office outside China.

Outsourcing

Article 16 of the measures provides that in the context of outsourcing the processing activities in relation to children’s personal data, the network operator shall conduct security assessment on the outsourcing and sign data-processing agreements. The mandatory clauses in the measures are similar to Article 28 of the GDPR. 

Data subject’s right to deletion

The CSL provides that the right to deletion is only exercisable when the network operator violates the law or is in breach of the agreement with the data subject. The measures provide that the right to deletion can also be exercised by withdrawing the parental consent. Imagine the situation in which the parents have just scolded the children for playing a game excessively and notifying the game operator to withdraw the consent to their children’s registration on the game platform. Should the game operator delete the children’s account and user information immediately? Or within a specific period? There is no clear “cooling-off” period in the measures.  

Reportable data breach threshold

The Children's Data Protection Measures specified a reportable data breach threshold, i.e., reporting to relevant departments and the affected data subject is only mandatory if the data breach has or may result in serious impact. What constitutes “serious impact” is not clearly set out in the measures.

Expect future updates to children's privacy as 2019 comes to a close. 

Photo by Yasmin Dangor on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Gil Zhang, CIPP/A, CIPP/E, CIPM, FIP IAPP Member Contributor
Headshot Kate Yin Nonmember Contributor
Tags
Children's Privacy
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
FTC considers relaxing children’s privacy rules
MediaPost reports the U.S. Federal Trade Commission may consider less stringent rules related to children's privacy. FTC Consumer Protection Bureau Director Andrew Smith said changes could be made that would allow YouTube to collect user data from those watching children's content. "We have heard th...
Read More queue Save This
YouTube to create child-friendly website
The Hill reports YouTube will be rolling out a separate website for children's videos to comply with the Children's Online Privacy Protection Act. The plan is to take the format from the YouTube Kids app and turn it into a website. YouTube also announced parents now have the ability to choose age-ap...
Read More queue Save This
Related Stories
Tags
Children's Privacy
Privacy Law
Recent Comments