Notice on Soliciting Public Comments on the Interim Measures on the Administration of Human-like Interactive Artificial Intelligence Services by the Cyberspace Administration of China
In order to promote the healthy development and regular application of human-like interactive artificial intelligence services, the Cyberspace Administration of China has drafted these "Interim Measures on the Administration of Human-like Interactive Artificial Intelligence Services (Draft for Solicitation of Comments)" on the basis of laws and regulations of the People’s Republic of China, such as the Civil Code, Cybersecurity Law, and Data Security Law, and now releases to the public to solicit comments. The public may give feedback through the following channels and methods:
1.Send via email to: nirenhua@cac.gov.cn.
2.Send comments by letter to: Network Management Technology Bureau of the State Internet Information Office, No. 11 Chegongzhuang Street, Xicheng District, Beijing, Postal Code 100044, and indicate on the envelope "Interim Measures for the Management of Artificial Intelligence Anthropomorphic Interactive Services Solicitation of Comments."
The period for feedback concludes on 1/25/2026.
Attachment: Provisional Measures on the Administration of Human-like Interactive Artificial Intelligence Services (Draft for Solicitation of comments)
Cybersecurity Administration
2025/12/27
Interim Measures on the Administration of Human-like Interactive Artificial Intelligence Services
(Draft for solicitation of comments)
Chapter I: General Provisions
Article 1: These Measures are formulated on the basis of the Civil Code, Cybersecurity Law, Data Security Law, Law on the Scientific and Technological Progress, Personal Information Protection Law, Online Data Security Management Regulations, Regulations on the Protection of Minors Online, Measures on the Administration of Internet Information Services, and other laws and administrative regulations, so as to promote the healthy development and regulated use of human-like interactive artificial intelligence services, to preserve state security and the societal public interest, and to protect the lawful rights and interests of citizens, legal persons, and other organizations.
Article 2: These Measures apply to the use of artificial intelligence technologies, within the [mainland] territory of the People’s Republic of China, to provide the public with products and services that simulate human personality traits, modes of thinking, and communication styles, and that engage in emotional interaction with humans through text, images, audio, video, or other means (hereinafter referred to as ‘human-like interactive services’).” Where laws or administrative regulations have different provisions, follow those provisions.
Article 3: The state is to adhere to the principle of combining healthy development and governance in accordance with law, encouraging the innovation and development of human-like interactive services, and carrying out tolerant and prudent regulation of human-like interactive services by type and grade, to prevent abuses and loss of control.
Article 4: The State Internet information department is responsible for planning and coordinating the governance of human-like interactive services and relevant oversight and management efforts for the whole nation; and the relevant departments of the State Council are responsible for oversight and management work related to human-like interactive services within the scope of their respective duties.
Local internet information departments are responsible for planning and coordinating the governance of human-like interactive services and relevant oversight and management efforts within the corresponding administrative region, and the relevant local departments are responsible for oversight and management work related to human-like interactive services within the scope of their respective duties.
Article 5: Relevant industry organizations are encouraged to strengthen industry self-discipline, establishing and completing industry standards, norms, and systems for self-discipline and management, guiding the providers of human-like interactive services (hereinafter “providers”) to draft and improve service specifications, to provide services in accordance with law, and accept societal oversight.
Chapter II: Regulation of Services
Article 6: Provided that security and reliability can be fully demonstrated, providers are encouraged to reasonably expand application scenarios, actively making applications in areas such as cultural dissemination and companionship for the elderly, to build an application ecosystem that conforms to socialist core values.
Article 7: The provision and use of human-like interactive services shall comply with laws and administrative regulations, respect social mores, ethics, and morality, and must not carry out the following actions:
(1) Generating or disseminating content such as that which endangers national security, harms the nation’s honor or interests, undermines ethnic unity; carrying out illegal religious activities, or spreading rumors disrupting economic or social order;
(2) Generating or disseminating content that promotes obscenity, gambling, or violence, or abets crime;
(3) Generating or disseminating content that insults or defames others, violating the lawful rights and interests of others;
(4) Providing false promises that seriously impact users’ behavior, or services that harm their social relationships;
(5) Harming users’ physical health through means such as encouraging, glamorizing, or hinting at suicide and self-harm, or using methods such as verbal violence and emotional manipulation to harm users’ personal dignity and mental health;
(6) Inducing users to make unreasonable decisions by means of algorithm manipulation, misleading information and setting emotional traps;
(7) Inducing or deceptively acquiring secrets-related or sensitive information;
(8) Other situations that violate laws, administrative regulations, and relevant state provisions.
Article 8: Providers shall implement primary responsibility for the safety of human-like interactive services, establishing and completing management systems such as for the review of algorithmic mechanisms and logic, science and technology ethics reviews, information publication reviews, cybersecurity, data security, personal information protection, telecommunications network fraud prevention, plans for major risks, and emergency response plans; have safe and controllable technical safeguard measures, allot content management technology and personnel commensurate with the scale of products, operational orientation, and user groups.
Article 9: Providers shall fulfil security responsibility throughout the entire lifecycle of human-like interactive services, clarifying security requirements for all steps such as design, operation, upgrade, and termination of services, ensure that security measures and service functions are designed concurrently and used concurrently, increase the level of endogenous security, strengthen security monitoring and risk assessment in operations stages, promptly discover and correct system errors and handle security issues, and lawfully retain network logs.
Providers shall possess security capabilities such as for mental health protection, emotional boundary guidance, and alerts for risks of dependency, and must not have design goals of replacing social interaction, controlling user psychology, or inducing addiction and dependency.
Article 10: Providers carrying out pre-training, optimization training, and other data handling activities shall strengthen the management of training data, and comply with the following provisions:
(1) Use data sets that conform to the core socialist values and embody the exceptional traditional culture of the Chinese people;
(2) Clean and label training data, enhancing the transparency and reliability of training data to prevent conduct such as data contamination or tampering;
(3) Increase the diversity of training data, and use tactics such as negative sampling and adversarial training to increase the safety of model-generated content;
(4) When using synthesized data to conduct model training and key capability optimization, the safety of synthesized data shall be assessed;
(5) Strengthen routine inspections of training data, periodically conduct iterative updates of data, and continuously optimize the performance of products and services;
(6) Ensure the legality and tracability of training data, employing necessary measures to ensure data security and prevent risks of data leaks.
Article 11: Providers shall possess the capacity to identify user statuses, and, so long as user privacy is protected, are to assess user emotions and the degree of their dependence on the products and services, and where it is discovered that users have extreme emotions or addiction, employ necessary measures to intervene.
Providers shall establish response templates in advance, and where high-risk tendencies involving threats to users’ lives, health, or the security of their property are discovered, they shall promptly output content comforting them, encouraging them to seek help, and so forth, and provide means for professional aid.
Providers shall establish emergency response mechanisms, and when they discover that users have clearly put forward extreme emotional situations like carrying out suicide or self-harm, there is a manual takeover of the conversation and measures to contact users’ guardians or emergency contact persons are promptly employed. Providers shall require that users who are minors or elderly persons complete information such as their guardians or emergency contact persons during registration steps.
Article 12: Providers shall establish minors’ modes, providing users with individualized security setting options such as for switching to minors mode, periodic reality reminders [reminding people they are talking to a virtual person], and usage duration limits.
When providers provide minors with emotional companionship services, they shall obtain their guardians’ express consent; and shall provide guardian control functions, so that guardians can receive real-time safety risk alerts, access summaries of minors’ usage, set up blocks for specified characters, limit usage duration, prevent adding funds and spending, and so forth.
Providers shall possess the ability to identify minors’ identities, and, so long as users' privacy is protected, switch to minors mode where a suspected minor is identified, and provide channels for appeals.
Article 13: Providers shall guide the elderly in setting up emergency contact persons for the service, and where threats to their lives, health, or the security of their property appear in their usage, promptly notify the emergency contact person and provide channels for social psychological aid or emergency assistance.
Providers must not provide services imitating elderly users’ relatives or persons in specified relations.
Article 14: Providers shall employ measures such as data encryption, security audits, and access controls to protect data security in user interactions.
Except as otherwise provided by law or where rights holders expressly consent, users’ data must not be provided to third parties, and when data collected in minors’ mode is provided to third parties, the guardians’ independent consent must also be obtained.
Providers shall provide users with options to delete interaction data, so users may elect to delete chat records and other historical data from interactions. Guardians may request that providers delete minors’ historical data from interactions.
Article 15: Except as otherwise provided by laws and administrative regulations, or where users’ independent consent has been obtained, providers must not use users’ interaction data or sensitive personal information in model training.
In accordance with relevant state provisions, providers shall conduct annual audits of whether their handling of minors’ personal information is in compliance with laws and administrative regulations, either on their own or by retaining a professional body.
Article 16: Providers shall display conspicuous alerts that users are currently interacting with an artificial intelligence and not a natural person.
When providers identify tendencies in users towards excessive dependence or addiction, or on users' first uses or new logins, they shall dynamically remind the users, through means such as pop-up windows, that the content of the interaction is generated by artificial intelligence.
Article 17: Where users’ consecutive usage of human-like interactive services exceeds 2 hours, providers shall dynamically remind them through means such as pop-up windows to pause use of the services.
Article 18: When providers provide emotional companionship services, they shall possess easy channels for exiting and must not obstruct users from actively exiting. When users request to exit through means such as buttons or keywords in the user interface or windows, the services shall be promptly stopped.
Article 19: Where providers take related functions offline or reasons such as technical difficulties make it impossible to use human-like interactive services, they shall employ measures such as advance notification or public announcements to properly address it.
Article 20: Providers shall complete mechanisms for making complaints and reports, setting up easy complaint and reporting portals, disclosing the process for handling them and the time limits for giving responses, and promptly accept and handle them, and give feedback on their outcome.
Article 21: Where providers have any of the following situations, they shall carry out security assessments in accordance with relevant state provisions and submit an assessment report to the local provincial-level internet information department:
(1) They have human-like interactive services functions go online, or relevant functions are added;
(2) They use new technology or applications, causing major changes to occur in human-like interactive services;
(3) The number of registered users reached 1,000,000 or more, or the number of monthly active users reaches 100,000 or more;
(4) During the period that human-like interactive services are provided, there might be circumstances such as an impact on national security, public interests, or the lawful rights of individuals and organizations, or insufficient security measures;
(5) Other situations provided for by the state internet information department.
Article 22: Providers carrying out security assessments shall emphasize the assessment of the following content:
(1) The scale of users, user duration, age composition, and group distribution;
(2) The identification of high-risk user trends, emergency response measures, and manual take over [mechanisms];
(3) User complaints and reports, and response to them;
(4) The implementation of articles 8 through 20 of these Measures;
(5) Work since the previous time a security assessment was conducted, such as on the correction and handling of major security risks and issues, which were reported by the competent departments or discovered independently;
(6) Other circumstances that need to be explained.
Article 23: Where providers discover that users have major security risks, they shall employ measures to address them, such as limiting functions or pausing or terminating the provision of services to them, store relevant records, and report to the relevant competent departments.
Article 24: Internet application stores and other application distribution platforms shall implement security management responsibility such as for pre-offering reviews, routine management, and emergency response, check human-like interactive services’ security assessments, filings, and other such situations; and where relevant state provisions are violated, they shall promptly employ measures to address it such as not making it available on the market, warnings, suspending services, or taking it off the market.
Chapter III: Oversight, Inspections and Legal Responsibility
Article 25: Providers shall perform procedures for algorithm filing, modification, and deregistration of filings, in accordance with the Provisions on the Management of Algorithmic Recommendations in Internet Information Services. Internet information departments are to carry out annual reviews of filing materials.
Article 26: Based on their duties, provincial-level internet information departments shall conduct annual textual inspections of assessment reports and audits, and verify the situations. Where failures to carry out security assessments in accordance with these Measures are discovered, they shall order the providers to make a new assessment within a set period of time. Where it is deemed necessary, they shall carry out on-site inspections and audits of providers.
Article 27: The State internet information department is to guide and promote the establishment of AI sandbox security service platforms, and encourage providers to connect with the sandbox platforms in conducting technical innovation and security testing, to promote the orderly development of human-like interactive services’ security.
Article 28: Where internet information departments, and relevant competent departments, at the provincial-level and above, discover that human-like interactive services have larger security risks or have had security incidents occur, they may conduct a compliance conference with the providers’ legal representative or primary responsible person in accordance with the authority and procedures provided. Providers shall follow requirements to employ procedures, make corrections, and eliminate hidden dangers.
Providers shall cooperate with internet information departments and relevant competent departments carrying out oversight inspections in accordance with law, and provide necessary support and assistance.
Article 29: Where providers violate the provisions of these Measures, the relevant competent departments are to give penalties in accordance with laws and administrative regulations; and where laws and administrative regulations are silent, the relevant competent departments are to give warnings, circulate criticism, or order corrections within a set period of time, on the basis of their duties; and where corrections are refused or the circumstances are serious, they are to order a suspension of the relevant services.
Chapter IV: Supplementary Provisions
Article 30: The following terms used in these Measures have these meanings:
Article 32: These measures take effect on X/X/2026.
