
Method for Identifying the Unlawful Collection and Use of Personal Information by Apps.

App违法违规收集使用个人信息行为认定方法

Promulgated by: Secretariat of the Cyberspace Administration of China, General Office of the Ministry of Industry and Information Technology, General Office of the Ministry of Public Security, and General Office of the State Administration for Market Regulation. Document No.: 国信办秘字〔2019〕191号. Issued and effective November 28, 2019. Publicly released December 30, 2019.


(1) The following conduct may be identified as “failure to publicly disclose rules for the collection and use of personal information”:

  1. There is no privacy policy within the app, or the privacy policy does not contain rules for the collection and use of personal information.

  2. Upon first launch of the app, users are not prompted in a conspicuous manner — such as a pop-up window — to read the privacy policy or other collection and use rules.

  3. The privacy policy or other collection and use rules are difficult to access — for example, accessing them from the app’s main interface requires more than four clicks or equivalent operations.

  4. The privacy policy or other collection and use rules are difficult to read — for example, the text is too small, too densely set, too faintly coloured, or blurred, or no Simplified Chinese version is provided.


(2) The following conduct may be identified as “failure to clearly state the purpose, method, and scope of collecting and using personal information”:

  1. The app does not list, item by item, the purpose, method, and scope of its collection and use of personal information.

  2. When the purpose, method, or scope of collecting and using personal information changes, users are not notified in an appropriate manner.

  3. When requesting permission to enable functions that collect personal information, or requesting collection of sensitive personal information such as identity document numbers, bank account numbers, or location trajectories, the app does not simultaneously inform users of the purpose for doing so, or the stated purpose is unclear or difficult to understand.

  4. The content of the collection and use rules is obscure, lengthy, or complex, making it difficult for users to understand.


(3) The following conduct may be identified as “collecting and using personal information without user consent”:

  1. Collection of personal information, or activation of permissions capable of collecting personal information, begins before the user’s consent is obtained.

  2. After a user has expressly indicated non-consent, the app continues to collect personal information or to activate permissions capable of collecting personal information, or it repeatedly solicits the user’s consent in a manner that interferes with normal use.

  3. The personal information actually collected, or the permissions capable of collecting personal information that are actually activated, exceed the scope of the user’s authorization.

  4. User consent is sought through non-explicit means such as pre-selected agreement to a privacy policy by default.

  5. Permission settings for personal information collection that the user has configured are altered without the user’s consent.

  6. The app uses personal information and algorithms to deliver targeted information push notifications without providing users an option to receive non-targeted information push notifications.

  7. Users are misled into consenting to the collection of personal information or the activation of permissions capable of collecting personal information through improper means such as deception or inducement.

  8. No channel or method is provided for users to withdraw consent to the collection of personal information.

  9. Personal information is collected and used in violation of the collection and use rules the app itself has declared.


(4) The following conduct may be identified as “violating the necessity principle by collecting personal information unrelated to the services provided”:

  1. The type of personal information collected, or the permissions capable of collecting personal information that are activated, is unrelated to existing business functions.

  2. When a user refuses to consent to the collection of non-essential personal information or the activation of non-essential permissions, the app refuses to provide its business functions.

  3. When a new business function is added to the app, the personal information sought for that new function exceeds the scope of the user’s original consent.

  4. The frequency or other aspects of personal information collection exceed what is actually required by the business function.

  5. Users are compelled to consent to collection of personal information solely on the grounds of improving service quality, enhancing user experience, delivering targeted information, or developing new products.

  6. Users are required to grant multiple permissions capable of collecting personal information in a single all-or-nothing consent, and refusal to do so renders the app unusable.


(5) The following conduct may be identified as “providing personal information to third parties without consent”:

  1. Without either the user’s consent or anonymization of the data, the app client directly provides personal information to a third party.

  2. Without either the user’s consent or anonymization of the data, personal information collected by the app is provided to a third party after it has been transmitted to the app’s backend servers.

  3. The app integrates a third-party application and, without the user’s consent, provides personal information to that third-party application.


(6) The following conduct may be identified as “failure to provide deletion or correction functions for personal information as required by law” or “failure to publish complaint and reporting channels and other information”:

  1. No effective function is provided for correcting or deleting personal information or for cancelling a user account.

  2. Unnecessary or unreasonable conditions are imposed on the correction or deletion of personal information or the cancellation of a user account.

  3. Although functions for correcting or deleting personal information and for cancelling a user account are provided, the app fails to respond to users’ corresponding requests in a timely manner; where manual processing is required, the app fails to complete the verification and handling within the committed time limit (the committed time limit must not exceed fifteen working days; where no time limit is committed, fifteen working days shall apply).

  4. An operation by a user to correct or delete personal information or to cancel a user account has been completed on the user’s side but has not been completed in the app’s backend.

  5. No personal information security complaint and reporting channel has been established and published, or the app fails to accept and handle complaints and reports within the committed time limit (the committed time limit must not exceed fifteen working days; where no time limit is committed, fifteen working days shall apply).
