---
title: "MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse"
author: "DCC Editorial"
published: 2026-05-28T02:00:00.000Z
url: https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming/
description: "MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel."
tags: ["enforcement", "miit", "app-compliance", "pipl", "public-naming"]
laws_cited: ["pipl", "csl", "personal-info-audit-measures", "network-data-security-regulations"]
domains: ["enforcement", "personal-information", "app-compliance"]
account: "miit-weibao"
original_title: "违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报！"
original_author: "工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau)"
original_publication: "工信微报 WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA"
source_language: "zh"
---
> *Editor's Note — DCC.*
>
> The MIIT public-naming bulletin series is the most consistent
> enforcement signal in the Chinese mobile-app PI regime. The May 21,
> 2026 bulletin (the third 2026 batch, the 56th overall) names 31 apps
> and SDKs for violations of the PI-collection rules and for
> window-redirect abuse. DCC publishes this as the first entry in our
> enforcement tracker because it lets us establish the structural
> reading of the series that every subsequent batch will fit into: the
> joint-campaign architecture, the four-statute legal basis, the
> rectify-then-enforce pathway, and the cadence. The 31-app list itself
> is in MIIT's attachment; DCC's brief focuses on what the regime
> *does* with the list and what overseas teams should infer from the
> batch's existence.

## The bulletin

The Information & Communications Administration Bureau of the Ministry of Industry and Information Technology (工业和信息化部信息通信管理局) issued *Bulletin on Acts Infringing User Rights and Interests by APPs (SDKs) — Batch 3 of 2026, Total Batch 56*, dated **May 21, 2026**.

The bulletin states that **31 apps and SDKs** were found by third-party testing institutions, retained by the Ministry, to engage in conduct infringing user rights and interests — with the headline conduct categories called out in the bulletin title being **illegal collection of personal information** and **window-redirect abuse**. The detailed list of named apps and SDKs is in MIIT's attachment to the bulletin.

The bulletin closes with the formula MIIT has used since the series began: the named operators **shall rectify in accordance with the regulations**; if rectification is not fully implemented, **MIIT will, in accordance with law and regulation, organize related disposition work**.

## The campaign infrastructure

The bulletin is issued under the authority of the *Notice on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns* (关于开展2026年个人信息保护系列专项行动的公告) — a joint announcement by the **Cyberspace Administration of China (CAC), MIIT, and the Ministry of Public Security (MPS)**. The 2026 special campaign continues a multi-year inter-agency framework for organized enforcement of the mobile-app PI rules.

The structure overseas counsel should understand:

- **Annual campaign authorizing the cadence.** Each year the three agencies jointly issue a special-campaign announcement. The MIIT batches that follow during the year operate under that authorization.
- **MIIT executes the mobile-app testing tier.** MIIT's Information & Communications Administration Bureau, in cooperation with retained third-party testing institutions, performs the actual technical testing of apps and SDKs against the PI-collection and user-rights rules. The named bulletins are MIIT's published output of that testing program.
- **CAC and MPS run parallel tiers.** CAC handles the administrative-penalty tier (fines and operational restrictions on internet platforms); MPS handles the criminal tier (Article 253-1 PI offenses and other criminal conduct). The three-agency joint authorization stitches the campaign across the regulatory and criminal lines.

The campaign also operates against a parallel statutory cadence: PIPL Article 64 (CAC corrective-order power), the *Personal Information Protection Compliance Audit Management Measures* (which require regular audits and provide an audit-driven enforcement pathway), and the *Network Data Security Management Regulations* (which extend the regulatory perimeter to network-data scenarios beyond strict PI).

## The four-statute legal basis

The bulletin invokes four statutes as the legal basis for the testing and the named-and-shamed action:

- **Personal Information Protection Law (PIPL).** The dominant statute since 2021. PI-collection violations — collecting beyond declared scope, collecting without consent, retaining beyond purpose — sit under PIPL.
- **Cybersecurity Law (CSL).** The foundational network-security and network-product / service-security statute. App and SDK conduct that violates network-product certification or that creates security defects can be cited under CSL.
- **Telecommunications Regulations (电信条例).** The 2000 administrative regulations governing the telecom sector. They provide MIIT with the sector-specific authority to police telecom-service-related conduct, including conduct of internet-access service providers and value-added telecom services (most apps fall within the latter category).
- **Telecom and Internet User Personal Information Protection Provisions (电信和互联网用户个人信息保护规定).** The 2013 MIIT departmental rule that pre-dates PIPL by eight years and remains the operational sector-specific instrument for telecom / internet-channel PI protection. It is the rule that MIIT's testing program most directly enforces against.

The four-statute citation is the standard one for MIIT batched bulletins. It establishes that the same conduct can be characterized as a PIPL violation (general statute), a CSL violation (network-security statute), a Telecommunications Regulations violation (sector-administrative-regulation statute), and a Telecom and Internet User PI Provisions violation (sector departmental rule). The redundancy is intentional: each statute provides MIIT with a separate vector for sanctions.

## The rectify-then-enforce pathway

The bulletin's closing formula is the operative one. Named operators face a two-stage process:

**Stage 1 — Rectification.** The operator has a defined window (typically 5–10 working days, sometimes specified separately in MIIT communications) to rectify the cited conduct. Rectification means fixing the identified violations and, in many cases, submitting a rectification report to MIIT or the testing institution.

**Stage 2 — Disposition for non-rectification.** Failure to rectify, or incomplete rectification, triggers MIIT-organized "related disposition work." In practice this can include:

- **App-store removal.** MIIT coordinates with the major Chinese app stores to remove the offending app from distribution.
- **Operator-restriction administrative penalties.** Under CSL Article 64 / PIPL Article 66 / Telecommunications Regulations Article 70, MIIT can order corrective action, impose fines (PIPL provides for fines up to 5% of prior-year turnover under Article 66 ¶ 2 for severe cases), and restrict business operations.
- **Onward referral.** Where the conduct may rise to a criminal threshold — particularly under PRC Criminal Law Article 253-1 (the PI-protection criminal offense) — MIIT can refer to MPS for criminal investigation.
- **Recidivism flag.** Operators repeatedly named in successive batches face escalating sanctions and increased scrutiny under MIIT's annual oversight rating system.

For overseas operators with a Chinese app or SDK in distribution, the named-and-shamed stage is the **first warning** — but it is also a public warning, immediately visible to enterprise customers, business partners, and Chinese app stores. The reputational and commercial consequences begin at Stage 1, not Stage 2.

## The cadence — 56 batches and counting

The MIIT batched-bulletin series is now mature. The May 21, 2026 bulletin is **Batch 3 of 2026** and **Batch 56 overall**, meaning MIIT has issued approximately one bulletin every month and a half on average since the series began (the first batches date from 2019). The 2026 cadence so far suggests roughly bimonthly batches.

The cumulative effect is significant: across 56 batches, MIIT has publicly named hundreds of apps and SDKs. Operators that appear in successive batches without addressing the underlying conduct face the recidivism-escalation pathway. The series has, in DCC's reading, durably normalized the MIIT testing-and-naming pattern as the dominant enforcement modality for mobile-app PI protection in China.

## The recurring violation patterns

While DCC has not extracted MIIT's specific 31-app list for this batch, the bulletin title — *"illegal collection of personal information, window-redirect abuse..."* — and the cumulative pattern across the 56 batches surface a stable set of recurring violation types. The most frequently cited:

- **Collection beyond declared scope.** App collects PI categories not disclosed in its privacy policy or beyond the user's actual consent. Includes collecting precise location for a service that only needs city-level location, collecting contacts for a service that doesn't need contacts, etc.
- **Mandatory permission requests for non-essential function.** App refuses to operate unless the user grants permissions for functions unrelated to the service. PIPL's "essential function" principle prohibits this.
- **Difficulty exiting account / withdrawing consent.** App makes the account-deletion or consent-withdrawal pathway disproportionately difficult. PIPL Article 16 prohibits this.
- **Excessive frequency of PI collection.** App repeatedly requests PI (e.g., location every few seconds) where infrequent collection would suffice.
- **Window-redirect abuse (窗口乱跳转).** This batch's named conduct. The user opens the app or a specific screen and is rapidly redirected through multiple windows (commonly ad windows or third-party offer pages) before reaching the intended content. The conduct violates user-experience and user-control rules; MIIT has been targeting it consistently since 2023.
- **SDK conduct hidden from the host app.** Third-party SDKs embedded in the host app collect PI on the SDK provider's account in ways the host app's privacy disclosure doesn't cover. SDK testing has been a growing focus of the MIIT batches over 2024–2026.

For each violation type, the operational fix is well-documented in MIIT's published rectification guidance. The published bulletin's lasting value to compliance teams is the implicit *prioritization*: it tells them which violations are actually attracting testing-program attention this batch.

## What this tells overseas compliance teams

- **MIIT batched bulletins are the operational floor of mobile-app PI compliance in China.** Treat them as the enforcement baseline. Internal compliance reviews should specifically test against the most recently surfaced violation patterns from the last 3–4 batches.

- **Being named is itself the sanction.** The bulletin's reputational and commercial consequences begin immediately, not at the disposition stage. Operators should pre-position to rectify quickly — and to communicate rectification to enterprise customers — once named.

- **Third-party SDK risk is increasingly weight-bearing.** Where the named entity is an SDK rather than a host app, downstream apps embedding that SDK face cascading scrutiny. Overseas teams using Chinese SDKs (advertising, analytics, push notification, payment) should monitor MIIT's SDK callouts and have a documented response process when an embedded SDK is named.

- **The annual joint-agency campaign sets the year's enforcement priorities.** Read the joint CAC + MIIT + MPS annual campaign announcement closely: it telegraphs which conduct categories the year's batches will focus on. The 2026 announcement establishes PI-protection violations and window-redirect abuse as the headline categories, which is consistent with this batch's cited conduct.

- **PIPL Article 64 and the audit measures are the parallel enforcement levers.** MIIT's batched bulletins are public; CAC's PIPL Article 64 corrective orders and the audit-driven enforcement under the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/) operate in parallel and often without public notice. Operators that fix the conduct surfaced in an MIIT batch may still face CAC or audit-driven enforcement on the same conduct.

The deeper point of this batch, and of the bulletin series as a whole, is that **the Chinese mobile-app PI regime is enforced through visible, repeated, batched, third-party-tested public naming**, not through a "big-fine, big-case, big-headline" model that overseas compliance teams familiar with EU GDPR enforcement might expect. The regime grinds. The MIIT bulletin is the grinding-stone. Compliance teams that map their internal review to the bulletin's recurring violation patterns operate well within it; teams that wait for a headline case will be named before they react.

---

— *工业和信息化部信息通信管理局, 违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报！(31 APPs and SDKs Cited for Illegal PI Collection and Window-Redirect Abuse), 工信微报 WeChat Official Account, May 21, 2026. [Original bulletin (Chinese).](https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA)*

*Not legal advice. The above is DCC's structural analysis of the bulletin and the underlying campaign architecture. The 31-app list and the specific cited conduct are in MIIT's published attachment; this brief focuses on framing the regulatory mechanism for overseas counsel.*
