Children’s Data Privacy: PRC and U.S. State Law Updates for Colleges and Universities
- Emma Bahner, XL Law & Consulting
- 2 days ago
- 6 min read
Following a December 29, 2025 notice published by the Cyberspace Administration of China, institutions that handle personal information of children in China must report on their handling activities by January 31 each year (starting January 31, 2026);
Several recently effective U.S. state comprehensive data privacy laws impact whether/how institutions may engage in targeted advertising to minors;
The same U.S. state laws also impact whether/how institutions may “sell” minors’ personal information.
Several recent regulatory developments in the People’s Republic of China (PRC or China) and the U.S. impact how U.S. institutions of higher education (IHEs) may handle minors’ personal information in accordance with applicable laws and regulations.
As discussed further below, new PRC reporting obligations require U.S. IHEs to file reports concerning their annual auditing of how they handle personal information of children in China under the age of 14.
Separately, there are also several recently effective U.S. state comprehensive data privacy laws that in some cases outright prohibit U.S. IHEs from using minors’ personal information for purpose of targeted advertising and/or data “selling,” while other such laws require affirmative consent prior to engaging in such activities.
New PRC Reporting Obligations
On December 29, 2025, the Cyberspace Administration of China (CAC) published a notice (Notice) providing guidance on the auditing and reporting requirements under the Measures on the Protection of Minors in Cyberspace (Measures). According to the Measures, promulgated in 2023, U.S. IHEs that handle personal information of children in China under the age of 14 must (inter alia) conduct annual audits of whether their handling complies with PRC laws and regulations, and they must file reports on the audits.
As the Measures do not specify the required content of the reports or where and when they must be filed, the Notice now further explains that institutions subject to the Measures must file the reports with the CAC by the end of January each year. Accordingly, reports on audits for 2025 must be filed with the CAC by January 31, 2026.
The Notice also outlines the required content of the reports, which must include the audit’s overall findings, identified compliance risks, and corrective actions. Each report must also describe how the IHE collects personal information of children in China under the age of 14, and it must quantify the number of children in China under the age of 14 and the number of those under the age of 18 whose personal information the IHE handled during the relevant audit year.
How the Measures Apply to U.S. IHEs
U.S. IHEs engage in several types of activities that may trigger applicability of the auditing and reporting requirements under the Measures. For example, many U.S. IHEs:
Engage in research involving research participants in China who are under the age of 14;
Cooperate with schools in China to provide pre-college programs to children in China under the age of 14;
Register children in China under the age of 14 to attend U.S.-based pre-college programs; and/or
Support faculty or staff working in China who have dependents under the age of 14 living with them in China, whose personal information the IHE may handle in administering employment benefits.
New U.S. State Law Requirements
Several U.S. state laws potentially applicable to non-profit IHEs have recently taken effect, which (inter alia) restrict the ways IHEs subject to the laws may collect and handle personal information of minors residing in such states, particularly with respect to targeted advertising and data “selling” activities. These laws include:
Colorado Privacy Act (Colorado Act);
Delaware Personal Data Privacy Act (Delaware Act);
Maryland Online Data Privacy Act of 2024 (Maryland Act);
New Jersey Data Privacy Act (New Jersey Act); and
Oregon Consumer Privacy Act (Oregon Act).
Each state law goes above and beyond the scope of the federal Children’s Online Privacy Protection Act (COPPA), which protects children under the age of 13 (noting that IHEs subject to these state laws must nevertheless comply with COPPA as well). In some cases, as discussed further below, these state laws extend to all minors under the age of 18.
Targeted Advertising
“Targeted advertising” is defined slightly differently under each state’s law, but it essentially refers to displaying advertisements that are selected based on personal information obtained or inferred from an individual’s activities over time and across websites or online applications, in order to predict their preferences or interests. Many IHEs use cookies and similar technologies, like Google Ads and Meta Pixel, that process personal information for the purpose of targeted advertising.
IHEs subject to the Delaware Act or the Maryland Act are outright prohibited from using personal information of Delaware or Maryland resident minors under the age of 18 for the purpose of targeted advertising. IHEs subject to the New Jersey Act or the Oregon Act are likewise prohibited from using personal information of New Jersey or Oregon resident minors under the ages of 17 or 15, respectively, for the purpose of targeted advertising (though there is some ambiguity in these statutes).
Such IHEs must ensure that they do not use cookies and similar technologies to process personal information for the purpose of targeted advertising with respect to Delaware or Maryland minors under the age of 18, New Jersey minors under the age of 17, or Oregon minors under the age of 15.
IHEs subject to the Colorado Act must obtain affirmative consent prior to using personal information of Colorado resident minors under the age of 18 for the purpose of targeted advertising. Such IHEs must ensure that such minors (or their parents in cases where such minors are under 13 years of age) are provided proper notice and take a clear affirmative action to opt in to the IHE’s use of their personal information for the purpose of targeted advertising (e.g., by toggling a switch or clicking a button in a cookie banner).
Data Selling
Data “selling” is also defined slightly differently under each state’s law, but it essentially refers to the exchange of personal information for monetary or other valuable consideration. For example, data “selling” may (but does not always) occur when IHEs use cookies and similar technologies that process personal information for the purpose of providing web user analytics, particularly when such cookies and similar technologies transmit personal information to a third-party analytics service provider that is able to use such personal information for its own business purposes.
IHEs subject to the Maryland Act or the New Jersey Act are outright prohibited from “selling” the personal information of resident minors under the ages of 18 or 17, respectively (though there is some ambiguity in the New Jersey Act, as mentioned above).
IHEs subject to the Delaware Act or the Colorado Act must obtain affirmative consent prior to “selling” the personal information of resident minors under the age of 18, and IHEs subject to the Oregon Consumer Privacy Act must obtain affirmative consent prior to “selling” the personal information of resident minors under the age of 15.
Takeaways and Recommendations for IHEs
The following table summarizes the U.S. state law requirements discussed above:
State Law | Targeted Advertising to Minors | “Selling” Minors’ Personal Information | Relevant Age of Minors |
Colorado Privacy Act | Requires affirmative consent | Requires affirmative consent | Under 18 |
Delaware Personal Data Privacy Act | Prohibited | Requires affirmative consent | Under 18 |
Maryland Online Data Privacy Act of 2024 | Prohibited | Prohibited | Under 18 |
New Jersey Data Privacy Act | Prohibited | Prohibited | Under 17 |
Oregon Consumer Privacy Act | Prohibited | Requires affirmative consent | Under 15 |
IHEs should act now to assess whether they are subject to China’s Measures on the Protection of Minors in Cyberspace and/or the U.S. state laws discussed above and implement appropriate compliance measures, including:
In accordance with the Measures, annually auditing the IHE’s handling of personal information of children in China under the age of 14 and reporting on such audits to the CAC by January 31 of each calendar year; and
In accordance with the state laws discussed above:
Deactivating targeted advertising cookies and similar technologies with respect to Delaware and Maryland resident minors under the age of 18, New Jersey resident minors under the age of 17, and Oregon resident minors under the age of 15;
Obtaining affirmative consent prior to using targeted advertising cookies and similar technologies with respect to Colorado resident minors under the age of 18;
Ensuring that the IHE does not “sell” the personal information of Maryland resident minors under the age of 18 or New Jersey resident minors under the age of 17; and
Obtaining affirmative consent prior to “selling” the personal information of Colorado or Delaware resident minors under the age of 18 or Oregon resident minors under the age of 15.
