DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 063 · ENFORCEMENT

CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation

On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.

Editor’s Note — DCC.

This is the second entry in DCC’s enforcement tracker, and the structural complement to the first: where the MIIT Batch 56 bulletin showed the MIIT testing tier of the 2026 joint special campaign, this June 11, 2026 notification is the CAC tier operating directly — testing organized by the Office of the Central Cyberspace Affairs Commission itself, on a perimeter that expressly includes mini-programs, with a 15-working-day rectify-and-report deadline. The repost channel through which DCC surfaced the notification (数据何规) headlined the same point our reading leads to: ineffective account cancellation is the “hardest-hit area” (重灾区), accounting for 14 of the 30 named apps. The four app lists are published as image tables in the original; DCC names only the lead examples CAC itself put in each category heading and focuses on the structural read.

The notification

The Secretariat Bureau of the Office of the Central Cyberspace Affairs Commission (中央网信办秘书局 — the Central Commission Office and the Cyberspace Administration of China, CAC, being one institution under two nameplates) issued the Notification on Personal Information Collection and Use Problems in 30 Apps (关于30款App个人信息收集使用问题的通报), dated June 11, 2026.

The notification reports the results of testing that CAC organized of the personal-information collection and use practices of apps — expressly including mini-programs (小程序) — under the Announcement on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns, the joint CAC + MIIT + MPS campaign document that also authorizes the MIIT batched bulletins. The cited legal basis is the Cybersecurity Law, the Personal Information Protection Law, the Regulation on Network Data Security Management, and the Method for Identifying the Unlawful Collection and Use of Personal Information by Apps (the 2019 four-agency 认定方法).

The four violation categories

| # | Violation category | Apps named | Lead examples in CAC’s heading |
|---|---|---|---|
| 1 | PI collection and use rules not publicly disclosed | 7 | 锐新教育 (Ruixin Jiaoyu), 趣学车 (Quxueche) |
| 2 | Frequent demands for non-essential permissions | 4 | 蓝猫云商 (Lanmao Yunshang), 大象优品 (Daxiang Youpin) |
| 3 | SDK collection and use of PI not completely and accurately listed | 5 | 中旅旅行 (Zhonglv Lüxing), 东融 (Dongrong) |
| 4 | No effective account-cancellation function | 14 | 匠者 (Jiangzhe), 句苗岛 (Jumiaodao) |

The full per-category lists are in the image tables attached to the original notification.

Each category maps directly onto the taxonomy of the 2019 Identification Method — which is why the Method is cited as a legal basis alongside the statutes:

  • Category 1 is the Method’s first category verbatim: failure to publicly disclose collection and use rules (typically: no privacy policy, or one that cannot be reached from within the app).
  • Category 2 sits on the Method’s consent and necessity categories, read together with the Necessary PI Scope Provisions — repeatedly demanding permissions the declared service does not need, after the user has declined.
  • Category 3 maps to the Method’s disclosure category, which expressly requires listing the collection and use of PI by embedded third-party code and plugins — the SDK disclosure obligation.
  • Category 4 maps to the Method’s final category, which treats as a violation the failure to provide effective correction, deletion, and account-cancellation functions, or attaching unnecessary or unreasonable conditions to them.

The headline signal: account cancellation, 14 of 30

Nearly half the batch was named for a single violation: no effective account-cancellation function (未提供有效账号注销功能). That concentration is the operational takeaway of the notification.

The legal anchors are familiar — PIPL Article 15 requires that withdrawing consent be as convenient as giving it, PIPL Article 47 obliges handlers to delete PI when the processing purpose ends, and the Identification Method makes an ineffective or unreasonably conditioned cancellation pathway a named violation. What the notification adds is enforcement weighting: of everything CAC’s testing program could have led with in June 2026, exit rights are the category it found most violated and chose to headline.

In testing practice, “ineffective” cancellation typically means one of: no cancellation entry inside the app at all; an entry buried so deep it is effectively undiscoverable; cancellation gated on unreasonable conditions (in-person verification, customer-service-only channels, indefinite review periods); or a flow that confirms “cancellation” without actually terminating the account and deleting the associated PI. Account cancellation is also operationally cheap for a regulator to test at scale — a tester either can or cannot cancel an account — which makes it a natural high-yield category for campaign-driven testing and a likely recurring focus for the rest of the 2026 campaign.

CAC tier vs. MIIT tier

Read against the MIIT Batch 56 bulletin, the notification shows how the two testing tiers of the same campaign differ:

  • Perimeter. MIIT tests apps and SDKs in the telecom/app-store distribution channel. CAC’s notification expressly covers mini-programs — the WeChat / Alipay / Douyin in-platform applications that often escape app-store-centric compliance reviews because they are never “installed” through a store.
  • Process. MIIT’s formula is rectify-or-we-organize-disposition, with the testing done by retained third-party institutions. CAC’s notification gives named operators 15 working days from publication to complete rectification and report the rectification status to CAC (整改情况报我办). CAC will then verify together with the relevant departments (会同有关部门进行核查) and carry out disposition and penalties in accordance with laws and regulations, informed by the rectification status.
  • Standing channel. The notification publishes a campaign contact line and mailbox (010-55635865, [email protected]) — the app-governance channel CAC has used across campaign cycles.

The two tiers are cumulative, not alternative: conduct rectified after an MIIT naming can still be tested and named by CAC, and vice versa. The campaign architecture — annual joint authorization, parallel CAC administrative and MPS criminal tiers — is laid out in DCC’s Batch 56 brief and applies unchanged here.

What overseas compliance teams should do

  • Test account cancellation end-to-end, this quarter. From in-app discoverability through identity verification conditions to actual account termination and PI deletion. The 14-of-30 concentration says this is what CAC’s testers are walking through. If your cancellation flow imposes conditions beyond what re-verification genuinely requires, treat that as a finding.
  • Put mini-programs inside the audit perimeter. A compliant native app with a non-compliant WeChat mini-program is now a named-notification risk. Mini-programs frequently ship with thinner privacy disclosures and no cancellation pathway because they reuse the platform account — that reuse does not exempt the operator’s own account layer.
  • Reconcile the SDK disclosure list. Category 3 is the same SDK-transparency pressure visible in the MIIT batches: the privacy policy must completely and accurately list what embedded third-party SDKs collect, for whom, and why. An SDK update that adds a data flow without a disclosure update is the standard failure mode.
  • Pre-position for a 15-working-day window. The CAC pathway requires not just fixing but reporting within three weeks of a public naming. Operators with a Chinese-market app should have a standing rectification playbook — owner, test protocol, report template — rather than improvising one after appearing in a notification.

The deeper continuity with the MIIT brief is the enforcement model itself: visible, batched, testing-driven public naming, now running on two regulator tiers in parallel. What this notification adds is the priority signal inside that model — in 2026, the regime is grinding hardest on whether users can leave.


中央网信办秘书局, 关于30款App个人信息收集使用问题的通报 (Notification on Personal Information Collection and Use Problems in 30 Apps), published via the 网信中国 WeChat Official Account, June 11, 2026. Original notification (Chinese). Surfaced via the 数据何规 repost.

Not legal advice. The above is DCC’s structural analysis of the notification. The four per-category app lists are in the image tables attached to the original; this brief names only the lead examples CAC itself placed in each category heading.
