China Announces Annual Filing Requirement for Audits of the Processing of Minors’ Personal Information

On December 29, 2025, the Cyberspace Administration of China (CAC, 国家互联网信息办公室) issued the Announcement on the Filing of Compliance Audits of the Protection of Minors’ Personal Information (the Announcement, 关于报送未成年人个人信息保护合规审计情况的公告), which requires companies to file audit results at the end of January each year on whether their processing of minors’ personal information complies with China’s laws and regulations. The Announcement takes effect immediately, meaning companies that process minors’ personal information must file their 2025 audit results by January 31, 2026. Failure to comply may result in penalties, including substantial fines.

This Advisory analyzes key points from the Announcement and its potential impact on industry.

Audit Requirements

Under the Announcement, data processors¹ (akin to controllers under the General Data Protection Regulation (GDPR)) are required to conduct annual compliance audits on their processing of minors’ personal information and file the audit results online with the provincial CAC. The audits can be conducted by data processors themselves, or by third parties. The audits are intended to check whether data processors are complying with China’s laws and regulations when processing minors’ personal information.

Notably, the Announcement requires all data processors that process any minors’ personal information to file their audit results annually, with no minimum threshold for the volume of data processed. Unlike China’s cross-border data transfer regulations,² which set volume thresholds and contain exceptions for certain categories of cross-border transfers, the Announcement applies regardless of scale. Under China’s Personal Information Protection Law (PIPL) Article 3(2), the Announcement’s audit filing requirements likely extend to foreign companies that process minors’ personal information to provide products or services in China, and the online filing system is designed to accept submissions from companies located overseas. It is possible that the CAC may issue additional clarifications or guidance on the implementation of the Announcement.

Filing Requirements

Data processors are required to conduct an audit of the prior year’s activities and file their audit results online by the end of January of the following year, meaning they will only have one month after year-end to complete and submit their filing.

According to the instructions issued with the Announcement, corporate group headquarters or multiple affiliated data processors (e.g., subsidiaries, multiple office locations, chain stores) may submit a consolidated filing, provided that the covered entities are clearly specified in the filing. This may reduce administrative burden for companies with complex corporate structures, though each covered entity must be individually identified.

The filing should include:

1. A form issued by CAC with basic information on the audit results, including:

• The volume of personal information processed:
  • The total volume of personal information processed
  • The total volume of minors’ personal information processed
  • The total volume of personal information of minors under the age of 14
• Scope of audit coverage: a description of the websites, mobile applications, mini-programs, application systems, and other platforms covered by the audit
• Audit results and remediation status: an overall assessment of the matters covered by the audit, including, but not limited to, key issues identified during the audit and a summary of remediation measures and progress

2. A commitment letter:

• Pledging to comply with China’s laws and regulations on the processing of minors’ personal information
• Attesting that the audit materials submitted are truthful, complete, and accurate
• Affirming that they will cooperate with the CAC’s supervision and management of the compliance audit process

3. A compliance audit report on the protection of minors’ personal information

4. Other relevant supporting materials

The filing instructions note that the compliance audit report should be provided “if available,” though the circumstances under which a report would not be required remain unclear. The filing instructions also cite the Cybersecurity Practice Guide — Requirements for Personal Information Protection Compliance Audits (TC260-PG-20255A) as a point of reference when preparing a compliance audit report.

Given the template form’s requirement that data processors report the volume of personal information belonging to minors under the age of 14, companies that handle such data will likely be required to address the following questions during their audit,³ which reflect existing obligations under PIPL, the Provisions on the Protection of Minors’ Personal Information In Cyberspace (effective October 2024) and the Measures for the Administration of Personal Information Protection Compliance Audits (effective May 2025):

1. Whether there are dedicated processing rules for the personal information of minors under the age of 14

2. Whether the minors and their guardians have been properly notified of the processing purpose, methods, necessity, and the types of personal information to be processed, as well as the methods used to protect their personal information

3. Whether the minors or their guardians are forced to consent to unnecessary processing of the minors’ personal information

Penalties

The Announcement states that data processors who fail to conduct compliance audits and file their audit results will be dealt with in accordance with applicable laws, including PIPL. Potential penalties under PIPL range from warnings to administrative fines up to RMB 50 million ($7,150,000) or 5% of the prior year’s revenue, depending on the severity of the violation.

Next Steps

The Announcement is the newest development in China’s still rapidly evolving regulatory framework for data privacy. How and how strictly this new reporting requirement will be enforced and whether regulators will issue additional guidance on this topic all remain to be seen. As an initial step, companies should:

1. Inventory their data processing activities in China to determine whether minors’ personal information is collected or processed

2. Evaluate internal resources or third-party support needed to complete the audit and filing by January 31, 2026, to the extent applicable

Given the compressed timeline, approximately one month from the Announcement’s issuance to the filing deadline, companies that process minors’ personal information should prioritize this assessment.

For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.

Zoey Dong contributed to this Advisory. Ms. Dong is employed as an associate in Arnold & Porter’s Shanghai office.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.