NEWSLETTERS | 26 Mar 2026 | 10 mins read

Data Newsletter | March 26, 2026

Lusheng Editor

Takeaways

·       Following the entry into force of the Regulations on the Protection of Minors in Cyberspace in 2024, China has continued to strengthen online protection for minors. This month, the Identification Measures for Internet Platform Service Providers with Massive Minor Users or Significant Impact on Minors were officially released, specifying the criteria and procedures for identifying such platforms. Under these Measures, platforms that are confirmed as meeting the identification criteria must comply with additional obligations, including conducting impact assessments on minor protection and providing a minors’ mode or dedicated section.

·       Three national standards, namely Data Security Technology—Requirements for Personal Information Transfer Based on Request of Personal Information Subject, Data Security Technology—Personal Information Protection Compliance Audit Requirements and Cybersecurity Technology—Requirements for the Representation of Elements of Cyberspace Security Knowledge Graph, have been published in full and will take effect on 1 July 2026.

·       China has strengthened data security enforcement. The Cyberspace Administration of China (CAC) has launched a special campaign against unlabeled AI-generated misinformation, removing a large number of non‑compliant accounts. Kuaishou Technology was fined CNY 119 million (about USD 17.28 million) by the Beijing Cyberspace Administration for system security vulnerabilities and insufficient management of UGC, which led to the widespread livestreaming of pornographic and vulgar content.

·       Overseas, the United States has clarified for the first time that collecting personal information of children under 13 solely for age verification does not require prior notice and consent from guardians, providing compliance support for the application of age verification mechanisms.

·       Meanwhile, enforcement actions against large online platforms have continued. X and its built‑in AI Grok were found to enable the generation of sexualized content involving minors, triggering investigations by both UK and EU authorities. In addition, platforms including Reddit, Shein, TikTok and Meta are also under investigation by various regulators.

Regulatory Highlights

CAC and Seven Other Departments Issue the Identification Measures for Internet Platform Service Providers with Massive Minor Users or Significant Impact on Minors

On February 28, 2026, CAC and seven other departments jointly issued the Identification Measures for Internet Platform Service Providers with Massive Minor Users or Significant Impact on Minors. Article 20 of the Regulations on the Protection of Minors in Cyberspace (effective January 2024) sets out a series of special obligations for online platforms “with a large number of minor users or with significant influence on minor groups.” Building on this, the Identification Measures issued this time further specify the detailed identification criteria, procedures, and related requirements for these two categories of platforms, and will take effect on April 1, 2026. Key provisions include:

1.     A quantitative standard is adopted for determining “a large number of minor users”: (1) For platforms specifically targeting minors, the threshold is more than 10 million registered users or more than 1 million monthly active users; (2) For platforms serving all age groups, the threshold is more than 10 million registered minor users or more than 1 million monthly active minor users.

2.     A comprehensive assessment is adopted for determining “significant influence on minor groups”: Factors include platform scale, extent of minor usage, minors’ usage, whether it provides minor-targeted content or is a representative platform in a vertical sector, and any violations involving minors in the past three years, among others.

3.     Assessment procedures: The identification is conducted by the national cyberspace authority, in principle every three years. Platforms may conduct self-assessment and file voluntary applications, or submit a self-assessment report within 20 working days upon notification from the authority.

4.     Legal consequences: The list of identified platforms will be released after public consultation. Platforms so designated must fulfill special compliance obligations under Article 20 of the Regulations on the Protection of Minors in Cyberspace, including conducting minor protection impact assessments, providing a minors’ mode or dedicated section, establishing an independent oversight body composed of external members, and formulating dedicated platform rules.

 

Three National Cybersecurity Standards Approved and Issued

Three national standards administered by the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC260) have been officially issued. The standards will take effect on July 1, 2026, with details as follows:

1.     Data Security Technology—Requirements for Personal Information Transfer Based on Request of Personal Information Subject: This standard sets out requirements for personal information transfer at the request of data subjects, covering its scope of application, preconditions, procedures, and additional provisions for specific scenarios. It applies to personal information processors responding to data subjects’ requests for personal information transfer, as well as relevant supervision and administration conducted by regulatory authorities and third-party assessment bodies.

2.     Cybersecurity Technology—Requirements for the Representation of Elements of Cyberspace Security Knowledge Graph: This standard defines the classification, coding, and graphical symbol expression of elements in cyberspace security graphs. It applies to cybersecurity regulators, industry authorities, network operators, and network service providers in the construction and visual representation of cyberspace security graphs.

3.     Data Security Technology—Personal Information Protection Compliance Audit Requirements: This standard sets forth principles for personal information protection compliance audits, and specifies the general requirements, implementation procedures, contents, and methods of such audits. It applies to personal information processors and professional organizations conducting personal information protection compliance audit activities.

Data Standards

On February 11, the draft of the recommended national standard Data Security Technology — Capability Requirements for Professional Institutions Specialized in Personal Information Protection Compliance Audit was released for public comment, with a public consultation period of 60 days.

On February 4, the Standardization Administration of China (SAC) issued a plan for recommended national standards. The plan includes the development of a new recommended national standard Cybersecurity Technology — Application Security Guide for Artificial Intelligence Technologies Involving Minors, which is scheduled to be submitted for approval on July 28, 2027. It also covers the revision of Data Security Technology — Personal Information Security Specification, scheduled for submission on May 28, 2027.

On February 10, TC 260 issued the Cybersecurity Standard Practice Guide — Requirements for the Prevention and Handling of New-Type Corruption on Internet Platforms. The guide applies to the prevention and handling of new-type corruption incidents involving platform personnel, including traffic manipulation, data fraud, influence peddling, ranking fraud, and other such practices.

 

Personal Information Protection Certification

On February 11, the Data and Technical Support Center of CAC released the list of certification entrusters obtaining the Personal Information Protection Certification and Data Security Management Certification (first batch of 2025). Beijing Sankuai Technology Co., Ltd., Ping An Property & Casualty Insurance Company of China, Ltd., and Ping An Health Internet Co., Ltd. passed the Personal Information Protection Certification.

Data Enforcement

On February 12, CAC released progress on a special campaign targeting AI-generated misinformation. Targeting issues such as certain online accounts failing to add AI labels and publishing AI‑generated false and misleading content, a total of 13,421 accounts were dealt with and over 543,000 pieces of illegal or non‑compliant information were removed. Typical cases involved fabricating touching or sensational stories for traffic without AI labels, producing videos impersonating public figures through AI face/voice swapping, and maliciously fabricating or hyping fire incidents.

On February 6, Beijing Cyberspace Administration imposed penalties on Kuaishou Technology. The investigation found that Kuaishou failed to fulfill its cybersecurity protection obligations, did not promptly address system vulnerabilities and other security risks, and did not immediately take measures such as stopping transmission or removing illegal content posted by users. This resulted in widespread dissemination of pornographic and vulgar live‑streaming content. Kuaishou was issued a warning and fined CNY 119 million (about USD 17.28 million).

On February 28, the Jiangsu Cyberspace Administration released typical cyber law enforcement cases from 2025, which involved multiple issues, including: enterprises failing to fulfill security protection obligations, resulting in websites being tampered with; data leakage risks; unlawful collection of personal information; and deep synthesis service providers failing to perform security assessment obligations.

On February 3, the National Computer Virus Emergency Response Center (CVERC) detected 72 mobile applications that illegally collect and use personal information. Common problems included: failing to list, one by one in the privacy policy, the purposes, methods, and scope of the personal information collected and used by the app; failing to provide a means of withdrawing consent to personal information collection; and failing to adopt corresponding security measures such as encryption and de-identification.

Cross-Border Data Transfer

On February 11, Nansha District of Guangzhou launched the city’s first dedicated service window for cross-border data transfer. The window serves all types of market entities with data outbound transfer needs, providing enterprises with full-process guidance and support covering the pre-, during-, and post-transfer stages of cross-border data activities.

Data System Development

On February 7, the National Data Administration (NDA) and three other departments issued the Opinions on Fostering Data Circulation Service Institutions and Accelerating the Marketization and Valorization of Data Elements, putting forward 16 measures in three aspects - functional positioning, service capacity and implementation safeguards - to accelerate the prosperity of the data market ecosystem.

On February 10, the NDA issued the Notice on Effectively Conducting Information Disclosure for the Authorized Operation of Public Data Resources, which specifies the entities responsible for information disclosure, basic indicators, timeframes and disclosure channels.

On February 6, the NDA issued the Notice on Conducting the 2025 National Statistical Survey of Data Resources. Compared with the previous year, the survey scope has been expanded to include key focus areas such as major national science and technology infrastructure facilities (large-scale scientific facilities), generative AI, embodied intelligence, satellite remote sensing, low-altitude economy, biomedicine, intelligent connected vehicles and trusted data spaces.

On February 10, the National Development and Reform Commission (NDRC) and other relevant departments issued the Implementation Opinions on Accelerating the Promotion and Application of Artificial Intelligence in the Bidding and Tendering Sector, clarifying the full-process application of AI in bidding and tendering to drive the industry’s transformation toward standardization, intelligence and higher efficiency.

On February 26, the Shanghai Administration for Market Regulation and Shanghai Municipal Data Bureau, together with Singaporean agencies, launched the country’s first all-online service scenario for foreign-invested enterprise registration based on cross-border digital identity authentication. Investors from Singapore may complete identity authentication and electronic signing entirely online via their authorized signatories, with no need to submit paper documents offline.

Worldwide News

The UK Information Commissioner’s Office (ICO) found in its investigation that Reddit’s user terms claimed to prohibit children under 13 from using its service, but failed to apply any robust age verification mechanism and failed to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children, lacking a legal basis for handling children’s data. On February 4, the ICO decided to impose a fine of GBP 14.47 million on Reddit.

In January of this year, it was discovered that X’s chatbot Grok could generate sexualized images involving minors in response to user prompts. Grok stated that it was fixing the security vulnerability, but the issue still drew the attention of privacy regulators in both the UK and Ireland. On February 3, the ICO opened formal investigations into X and X.AI. On February 17, the Irish Data Protection Commission also announced an investigation into X under the Data Protection Act 2018.

In February, the European Commission carried out several cross-border platform regulatory enforcement actions under the Digital Services Act (DSA). It launched an investigation into the Chinese cross-border e-commerce platform Shein for its addictive design, lack of transparency in its recommender systems, and the sale of illegal products, including child sexual abuse materials. The Commission also made a preliminary finding that TikTok’s addictive design violated the DSA, and notified Meta of possible interim measures to reverse the exclusion of third-party AI assistants from WhatsApp.

On February 25, the Federal Trade Commission (FTC) issued a policy statement clarifying that when an online platform collects, uses, and discloses personal information of children under 13 solely for the purpose of age verification—and meets related requirements such as purpose limitation, timely deletion, and security safeguards—the FTC would not take enforcement action even if the platform has not provided prior notice to parents or obtained their consent as required under the Children’s Online Privacy Protection Rule (COPPA). This policy clarifies the legality of information collection under age verification mechanisms and encourages platforms to use such technologies to protect minors' online safety.

