Minors’ Personal Information | Compliance Audit | Cyberspace Administration Authorities

Countdown! A Practical Guide for Game Companies on Minor Personal Information Compliance Audits


January 13, 2026

Summary

This article provides a practical, step-by-step guide for game companies on conducting and reporting annual compliance audits for the protection of minors’ personal information. Against the backdrop of newly clarified regulatory requirements issued by the Cyberspace Administration of China, it explains why such audits have become a mandatory and routine compliance obligation for the game industry, outlines key audit focus areas, and details reporting entities, materials, and official submission channels. The article emphasizes that minors’ personal information compliance audits are critical not only for regulatory risk mitigation, but also for corporate reputation, user trust, and overseas expansion readiness.

Last night, the Cyberspace Administration of China (CAC) issued an announcement clearly requiring that all entities processing minors’ personal information must conduct annual compliance audits concerning the protection of minors’ personal information, and complete submission to the competent municipal-level cyberspace administration authorities by the end of January 2026.

As an industry in which minor users are highly concentrated and data-processing scenarios are complex and diverse, does the game industry need to conduct minors’ personal information compliance audits? What issues require particular attention?


Why Game Companies Must Attach Importance to Minors’ Personal Information Compliance Audits

The game industry is characterized by a high concentration of minor users and complex data-processing scenarios. Compliance audits for minors’ personal information are no longer an “additional task,” but rather a core compliance obligation directly affecting a company’s survival and development.

1. Minors’ Personal Information Audits Will Become a Routine Compliance Requirement for Game Companies

Regulations such as the Regulation on the Protection of Minors in Cyberspace and the Measures for the Administration of Personal Information Compliance Audits have clearly stipulated that entities processing minors’ personal information shall, either independently or by engaging professional institutions, conduct annual compliance audits of their processing activities and timely report the audit results to cyberspace administration authorities and other relevant regulators.

In practice, the user base of game products inherently includes a large number of minors. The entire lifecycle of game products—including registration and login, real-name authentication, in-game interactions, and recharge and consumption—inevitably involves the processing of minors’ personal information. This means that game companies have, in substance, already become “processors of minors’ personal information.” Accordingly, compliance audits concerning minors’ personal information have become an unavoidable compliance requirement for game companies.

2. Preventing Increasingly Severe Personal Information Regulatory Penalties

Regulatory authorities continue to place heightened emphasis on personal information protection. Pursuant to Article 66 of the Personal Information Protection Law, illegal processing of personal information may result in fines of up to 5% of annual turnover or RMB 50 million, and regulators may also order the suspension of relevant business operations or business rectification.

Given that a certain proportion of game users are minors, any compliance loopholes in the processing of minors’ personal information may not only trigger regulatory penalties, but may also directly affect the normal operation of game products. For game companies, conducting minors’ personal information compliance audits in advance can effectively reduce compliance risks and ensure stable business operations.

3. Helping Game Companies Build a Responsible Social Image and Consolidate User Trust

The protection of minors’ personal information is a focal point of public opinion, and the game industry is particularly subject to public scrutiny. Once incidents such as data leaks or illegal collection of minors’ personal information occur, they are highly likely to provoke resistance from parents and public opinion crises, directly undermining brand reputation.

Proactively completing compliance audits not only demonstrates a company’s compliance capabilities to regulators, but also sends a clear signal of compliant operations to parents and users. This is conducive to reputation building and the establishment of long-term user trust.

4. Addressing Compliance Challenges Arising from the Globalization of Game Products and Facilitating Overseas Expansion

As game companies accelerate overseas expansion, foreign markets impose equally stringent requirements on the protection of minors’ personal information. For example, the EU GDPR requires explicit consent or authorization from guardians for the processing of children’s data, and similar rules exist in the United States, Southeast Asia, Japan, and South Korea.

Domestic compliance audits constitute a baseline threshold for overseas expansion. Only by first identifying and rectifying risks through domestic audits can companies adapt to varying compliance requirements across jurisdictions, avoid overseas delisting or massive fines, and ensure the smooth advancement of global strategies.


How Should Game Companies Conduct Minors’ Personal Information Compliance Audit Reporting?

(I) Selection of the Compliance Audit Entity

There are two options for game companies to conduct minors’ personal information compliance audits:
(1) self-audits conducted by internal teams; or
(2) audits conducted by external professional compliance institutions.

We recommend engaging external professional institutions, for the following reasons:

1. Independence of External Audit Institutions Enhances Regulatory Recognition

Audit conclusions issued by third-party professional institutions inherently possess independence and objectivity, and their audit reports are more consistent with regulators’ expectations regarding audit independence and impartiality.

2. Combined Legal and Technical Expertise

Minors’ personal information processing scenarios in the game industry are relatively complex and require the integration of legal and technical expertise. Auditors must not only possess legal knowledge, but also understand computer systems and data-processing mechanisms.

3. About Kenting Law Firm

Kenting Law Firm has teams specializing in the game industry as well as lawyers with long-term experience providing personal information compliance audit services to leading internet companies. The firm can provide specialized minors’ personal information protection compliance audit services. Game companies with audit needs are welcome to contact us.

(II) Key Focus Areas of Minors’ Personal Information Compliance Audits

Compliance audits may focus on the following aspects:

  1. Scale of Information Processing:
    Including the scale of personal information, minors’ personal information, and personal information of minors under the age of fourteen.

  2. Scope of Audit Objects:
    Websites, mobile applications, mini-programs, and application systems may all be included within the annual audit scope.

  3. Audit Conclusions and Rectification Status:
    By reference to the Cybersecurity Practice Guide — Requirements for Personal Information Protection Compliance Audits, auditors may organize and review the legality of personal information processing activities, rule formulation, notification and consent mechanisms, and clearly identify audit findings and rectification measures.

(III) Key Points for Reporting Compliance Audit Results

After completing the audit, materials must be submitted strictly in accordance with regulatory requirements, with the following core points:

1. Confirmation of the Reporting Entity

When fulfilling reporting obligations, game companies may adopt appropriate reporting methods based on their operational structures and affiliations:

(1) Group-structured game companies with multiple development studios or branch institutions may have the headquarters centrally coordinate reporting, provided that the report clearly specifies all covered organizational entities.

(2) Where there are multiple affiliated personal information processors related to game operations—such as multiple game subsidiaries within a group, or third-party partners providing data services or outsourced customer support—reporting may be conducted on a consolidated basis, with the covered organizational scope clearly specified.

2. Reporting Materials

(1) 20XX Annual Minors’ Personal Information Protection Compliance Audit Reporting Form

(2) Letter of Commitment

(3) Minors’ Personal Information Protection Compliance Audit Report (if available)

The audit report may be prepared with reference to Appendix C of TC260-PG-20255A Cybersecurity Practice Guide — Requirements for Personal Information Protection Compliance Audits, which provides a template for personal information protection compliance audit reports.

3. Reporting Channels

Audit reports must be submitted through official systems, either by:
(1) directly accessing the Personal Information Protection Business System (https://grxxbh.cacdtsc.cn); or
(2) entering the Personal Information Protection Business System through the “National Cyberspace Administration Government Services Hall” section on the homepage of the official website of the Cyberspace Administration of China (https://www.cac.gov.cn).

Game companies should ensure submission of the previous year’s audit results by the end of January each year, so as to avoid adverse impacts on compliance records due to late submission.

