Provisions on the Protection of Children's Personal Information Online

Article 1: These Provisions are formulated on the basis of the "Cybersecurity Law of the P.R.C.", the "P.R.C. Law on Protection of Minors" and other relevant laws and regulations so as to protect the security of minors' personal information and promote the healthy growth of children.

Article 2: 'Children' as referred to in these Provisions refers to minors who are not yet 14 years-old.

Article 3: These Provisions are applicable to activities such as the collection, retention, use, transfer, or disclosure of children's personal information through the internet in the mainland territory of the People's Republic of China.

Article 4: Information that harms the security of children's personal information must not be produced, published, or broadcast by any organization or individual.

Article 5: Children's' guardians shall correctly perform guardianship duties, teaching and guiding children to strengthen their awareness and ability to protect personal information, and protecting the security of children's' personal information.

Article 6: Internet industry organizations are encouraged to guide and urge network operators to draft industry specifications, behavioral norms, and so forth for protection of children's personal information, strengthening industry self-discipline and fulfilling social responsibility.

Article 7: Where network operators collect, retain, use, transfer, or disclose children's personal information, they shall follow the principles of legitimate necessity, informed consent, clear purposes, security safeguards, and lawful use.

Article 8: Network operators shall set up special rules and user agreements on the protection of children's personal information, and designate personnel with responsibility for protection of children's information.

Article 9: Where network operators collect, use, transfer, or disclose children's personal information, they shall inform the children's guardians in a conspicuous and clear manner, and shall acquire the children's guardians' consent.

Article 10: When network operators acquire consent, they shall concurrently provide an option to refuse, and give clear information of the following matters:

(1) The purpose, methods, and scope of the collection, retention, use, transfer, or disclosure of children's personal information;

(2) The location and time period for storage of children's personal information, and the means by which it is processed after the period ends;

(3) Security safeguard measures for children's personal information;

(4) The consequences of refusing;

(5) Channels and methods for making complaints and reports;

(6) Channels and means for making corrections or deletions of children's personal information;

(7) Other matters on which information shall be given.

Where substantive changes occur in the information items provided for in the preceding paragraph, the consent of children's guardians shall be acquired again.

Article 11: Network operators must not collect children's personal information unrelated to the services they provide; and must not violate the provisions of laws, administrative regulations or agreements between the parties to collect children's personal information.

Article 12: Network operators' retention of children's personal information must not exceed the time period necessary to realize the purpose of collecting or using it.

Article 13: Network operators shall employ measures such as encryption of stored children's personal information to ensure information security.

Article 14: Network operators' use of children's personal information must not violate the provisions of laws and administrative regulations or the purpose and scope agreed upon by the parties. Where it is truly necessary to exceed the agreed upon purpose and scope due operational requirements, the consent of children's guardians shall be acquired again.

Article 15: Network operators are to have the principle of smallest possible authorization for their personnel and strictly put in place limits on information access authority, controlling the scope of those aware of children's personal information. Staff access to children's personal information shall be upon review of the persons responsible for protection of children's personal information or managers that they authorize, shall record the circumstances of the access, and employ technical measures to avoid unlawful reproduction or downloading of children's personal information.

Article 16: Where network operators retain third-parties to process children's personal information, they shall conduct security assessments of the retained party, the retained conduct, and so forth; and shall sign a retention agreement clarifying the responsibilities of both sides, the period for processing, the nature and goals of the processing, and so forth; and conduct by the retained party must not exceed the scope of authorization.

Retained parties provided for in the preceding paragraph shall perform the following obligations:

(1) Process children's personal information in accordance with laws and administrative regulations and network operators' requirements;

(2) Assist network operators in responding to applications from children's' guardians;

(3) Employ measures to safeguard information security, and when discovering security incidents leaking children's personal information, promptly reflecting this to the network operators;

(4) promptly deleting children's personal information when the retention relationship is dissolved;

(5) the retention must not be transferred;

(6) Other obligations to protect children's personal information that shall be performed in accordance with law.

Article 17: Where network operators transfer children's personal information to third-parties, they shall conduct security assessments, either on their own or by retaining a third-party body.

Article 18: network operators must not disclose children's personal information, except where laws and administrative regulations provide it shall be disclosed, or where disclosure is allowed based on agreements with children's guardians.

Article 19: Where children's guardians discover that children's personal information gathered, stored, used. or disclosed by network operators has errors, they have the right to request the network operators make corrections. Network operators shall promptly employ corrective measures.

Article 20: Where children or their guardians request that network operators delete their children's personal information that has been collected, retained, used, or disclosed; the network operators shall promptly employ measures to delete it, including but not limited to the following circumstances:

(1) Where network operators violate the provisions laws, administrative regulations, or the terms of agreements between the parties on the collection, retention, transfer, or disclosure of children's personal information;

(2) Where the purpose, scope, or time period for the collection, retention, use, transfer, or disclosure of children's personal information was exceeded;

(3) Where the children's guardians withdraw consent;

(4) Where children or their guardians terminate use of the products or services through methods such as deregistration.

Article 21: Where network operators discover that leaks, destruction, or losses of children's personal information has occurred or might occur, they shall immediately initiate emergency response plans and employ remedial measures; where serious consequences are caused or might be caused, they shall immediately report to the relevant competent departments and inform impacted children and guardians of the incident by means such as e-mail, post, phone, or push message; and where it individual notice is difficult, shall employ reasonable and effective measures to publish related warning information.

Article 22: Network operators shall cooperate with oversight and inspections lawfully carried out by the network information departments and other relevant departments.

Article 23: Where network operators stop product or service operations, they shall immediately stop activities collecting children's personal information, delete children's information in their possession, and immediately inform children's guardians of the operation stoppage.

Article 24: Where any organization or individual discovers conduct violating these Provisions, they may report it to the internet information departments or other relevant departments.

The internet information departments and other relevant departments shall promptly address reports they receive in accordance with their duties.

Article 25: Where network operators insufficiently implement responsibility for security management of children's personal information, and there are larger security risks or security incidents occur, the internet information departments are to give them a talking to in accordance with their duties, and the network operators shall promptly employ measures to carry out corrections, and eliminate the threats.

Article 26: Where these Provisions are violated, the Internet information departments and other relevant departments are to address in accordance with their duties and based on the "Cybersecurity Law of the P.R.C., the "Measures on the Administration of Internet Information Services", and other relevant laws and regulations; and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Article 27: Where legal responsibility is pursued for violations of these Provisions, record it in the credit archives and make it public in accordance with relevant laws and administrative regulations.

Article 28: Where computer information systems automatically retain or process information and there is no way to identify that the information being retained or processed is children's personal information, it is handled in accordance with other relevant provisions.

Article 29: These Provisions take effect on October 1st, 2019.