DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
Back
§ 011 · PERSONAL-INFORMATION

Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes

Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.

DCC Editorial SOURCE · ZH .MD ↓

Editor’s Note — DCC.

This brief summarises the framing observations Li Wenlong (李汶龙) published on the 科技利维坦 channel to accompany a talk — 《游戏内个人数据收集的界限和合法性基础》— given to game-industry practitioners at the invitation of Kaiying Network (恺英网络). The substance of the talk lived in a slide deck that was not part of the public post, so this brief reports Li’s stated observations and the three questions that framed them, not the slide-by-slide detail. We run it because the headline finding — that there is, as yet, no industry-specific “game data compliance” in China, only generic app enforcement — is exactly the kind of ground-truth a counsel advising a game studio on the China market needs, and is rarely stated this plainly.

The three questions

Games are a business form Li says he had touched little, so he used the invitation to probe the domestic compliance ecosystem and enforcement frontier around three questions:

  1. Is there an industry-specific compliance mode that could be called “game data compliance” — i.e., game-scenario-specific rules and standards, rather than generic app rules applied to games?
  2. Where is game-data-compliance enforcement actually concentrated?
  3. Does the domestic picture differ from abroad?

What he found

Still a “wild-west stage” (草莽阶段). Almost everything being caught is a serious, clearly-unlawful violation — his example is a game demanding access to the user’s photo album (索取相册权限) with no legitimate basis. The discussion has not yet reached the industry-specific scenarios that would make “game data compliance” a distinct discipline; the enforcement frontier for games is, in practice, no different from any other app ecosystem.

A framework without a fine yardstick. At the level of principle, a full system was in place before 2023 — the familiar PIPL-and-app-rules stack on notice, consent, minimisation and lawful basis. But the yardstick stays crude: there has been no breakthrough on the concrete evaluation standards that would let a regulator (or a compliance team) judge a borderline collection practice inside a game. That gap directly caps how deep enforcement and compliance can go — you cannot adjudicate fine questions with blunt instruments.

Abroad was late too. Looking at GDPR and overseas consumer law, Li notes that games were comparatively under-scrutinised for years; only in the last year or two have game-specific complaints and litigation begun to appear. So China is not uniquely behind here — the whole field is early.

The complexity is coming. His forward note: games will be the main carrier of virtual reality, and will increasingly embed models. Once that happens, the compliance picture — today dominated by blunt permission-overreach cases — becomes far more complex, layering AI and immersive-environment data issues on top of ordinary app collection.

Why overseas counsel should care

  • Don’t over-engineer for rules that don’t exist yet. There is no game-specific Chinese data regime to map to; the operative framework is PIPL and the general app/network-data rules, including the Network Data Security Management Regulations. Compliance effort is better spent on the basics that are actually enforced — permission minimisation, lawful basis, honest notice.
  • The blunt stuff is what gets caught. Photo-album, contacts, location and similar over-collection — not subtle, game-specific processing — is the live enforcement risk today.
  • Build for the next phase now. Studios moving into VR or embedding models should anticipate that the standards will tighten and the scenario-specific scrutiny that is absent today will arrive.

For the same author on where AI-specific rules are hardening, see DCC’s note on system prompts as a regulatory instrument.

DCC sources

This is an editorial summary of Li Wenlong’s published observations, not a translation, and not based on the slide deck (which was not public). Any simplification or error of emphasis is DCC’s. Not legal advice.

FILED UNDER

— Not legal advice.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.