China announces audit reporting requirements for minors’ data

On December 29, 2025, the Cyberspace Administration of China (CAC) issued the Announcement on the Reporting of Minors' Personal Information Protection Compliance Audit Status (“Announcement”), requiring all personal information handlers (the equivalent of a controller under GDPR) that process minors' personal data in China to conduct and submit to the CAC the status of specified compliance audits.

We summarise the key obligations imposed by the Announcement below.

Reporting obligation

Personal information handlers processing minors' personal data are required to conduct an annual compliance audit to demonstrate their adherence to applicable laws and administrative regulations. The audit may be conducted either by the personal information handlers themselves or by professional institutions (via entrustment). The status of the compliance audit (which we detail further below) must be submitted to the CAC in the prefecture-level city where the personal information handler is located.

• What Does the Audit Cover? The term "minors” refers to Chinese citizens under the age of 18, as well as foreigners and stateless persons under the age of 18 in China. Additionally, separate reporting is required for "the scale of processing minors' personal information" and "the scale of processing personal information of minors under the age of 14" in the Annual Minors' Personal Information Protection Compliance Audit Status Form (“Form”).
• Joint Reporting. Consistent with the requirements of the CAC’s Announcement on the Reporting of Personal Information Protection Officer Information (issued on July 18, 2025, "CAC PIPO Reporting Announcement", see here for our previous coverage), for personal information handlers operating as group companies with multiple branches, or where multiple personal information handlers have affiliated relationships (e.g., multiple subsidiaries, office locations, chain stores, or third-party service providers), reporting can be made by the headquarters on behalf of all, or by affiliated entities jointly. However, the scope of such organizational structures covered by the report must be clearly specified.
• Required Items. In addition to the aforementioned (i) scope of organizations covered by the report; and (ii) processing scale information, the Form also requires the following to be submitted:
  • Legal representative information and contact person/handler information;
  • Information on the overall scale of personal information processed;
  • Scope of audit: A list of websites, apps, mini-programs, application systems, etc., involved in the annual audit. Unlike the official form for reporting information about the personal information protection officer (“PIPO”) where it requires submission of personal information processing activity details for each application, business or system, the Form does not require such line-item details. Currently, only a comprehensive description is required for this part without specific breakdown items;
  • Audit conclusions and rectification status: A comprehensive and focused overall evaluation of the annual audit matters, including but not limited to identified issues and an overview of rectification progress.
• Minors' Personal Information Protection Compliance Audit Report (if prepared): According to the Guidelines for Completing the Minors' Personal Information Protection Compliance Audit Status Reporting System, the audit report may refer to the template in Appendix C of TC260-PG-20255A Cybersecurity Practice Guidelines – Requirements for Personal Information Protection Compliance Audits. However, as indicated by the CAC, this report does not currently appear to be a mandatory requirement.

It is important to note that for items that have been included in previous submissions to the CAC relating to personal data processing (e.g., reporting of PIPO’s information, facial recognition technology application filing, or regulatory formalities for cross-border data transfers), contents in this submission must be consistent with those of previous submissions to avoid any contradictions or discrepancies.

Submission deadline

All submissions of the previous year’s compliance audit status must be made online via the Personal Information Protection Business System by the end of January each year. Considering that the Regulations on the Protection of Minors in Cyberspace (“Minor Protection Regulations”) (which mandates compliance audits for minors' personal information processing) came into effect on January 1, 2024, the CAC PIPO Reporting Announcement (which covers minors' personal information processing status) was issued on July 18, 2025, and the Announcement was released on December 29, 2025, submission of the 2025 Minors' Personal Information Protection Compliance Audit Status must be completed by January 31, 2026.

Legal liability

Currently, the Announcement does not set out specific penalty provisions, only stating that non-compliant organizations will be held liable according to relevant laws and regulations. The primary legal basis for conducting minors' personal information protection compliance audits and submitting the audit status is Article 37 of the Minor Protection Regulations. However, the legal liability chapter of this regulation does not include special penalty clauses targeting violations of Article 37. Similarly, the Personal Information Protection Law of the People's Republic of China (“PIPL”) and the Measures for the Administration of Compliance Audits on Personal Information Protection (“Compliance Audits Measures”) do not specify penalties for failing to complete the required audits or submit the audit status as mandated by law.

While specific penalty provisions for such non-compliance are pending further clarification from the CAC, Article 66 of the PIPL includes a catch-all liability provision, which may serve as the primary applicable basis for such violations. The PIPL (including Article 66) is also incorporated by reference in the Compliance Audits Measures alongside other laws.

Depending on the severity of violations, the penalties under Article 66 of the PIPL include rectification orders, warnings, confiscation of illegal gains, service suspension or termination, license revocation, fines for personal information handlers (up to RMB one million for non-rectification, or RMB 50 million or 5% of the preceding year’s turnover for serious cases), and fines of RMB 10,000 to RMB one million for directly liable personnel (who may also face professional restrictions in severe scenarios).

Next steps

Given that this is the first wave of urgent compliance requirements imposed for 2026, all personal information handlers that process minors’ personal data are advised to immediately assess and confirm any unified reporting entities, identify and distinguish the applicable audit scope for minors under 18 and those under 14, verify the consistency of reporting information with previous submissions, and complete the online submission via the designated system by the January 31, 2026 deadline. Such personal information handlers should also continue to closely monitor for any guidance or clarifications from the CAC on the mandatory reporting requirements.

Hogan Lovells’ Data, Privacy and Cybersecurity team is actively monitoring for related regulatory developments relevant to your business. Should you require assistance, please reach out to any of the authors or your usual Hogan Lovells contact.

Authored by Sherry Gong, Charmian Aw, and Flora Feng.