DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 023 · ENFORCEMENT

MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

Editor’s Note — DCC.

The MIIT public-naming bulletin series is the most consistent enforcement signal in the Chinese mobile-app PI regime. The May 21, 2026 bulletin (the third 2026 batch, the 56th overall) names 31 apps and SDKs for violations of the PI-collection rules and for window-redirect abuse. DCC publishes this as the first entry in our enforcement tracker because it lets us establish the structural reading of the series that every subsequent batch will fit into: the joint-campaign architecture, the four-statute legal basis, the rectify-then-enforce pathway, and the cadence. The 31-app list itself is in MIIT’s attachment; DCC’s brief focuses on what the regime does with the list and what overseas teams should infer from the batch’s existence.

The bulletin

The Information & Communications Administration Bureau of the Ministry of Industry and Information Technology (工业和信息化部信息通信管理局) issued Bulletin on Acts Infringing User Rights and Interests by APPs (SDKs) — Batch 3 of 2026, Total Batch 56, dated May 21, 2026.

The bulletin states that 31 apps and SDKs were found by third-party testing institutions, retained by the Ministry, to engage in conduct infringing user rights and interests — with the headline conduct categories called out in the bulletin title being illegal collection of personal information and window-redirect abuse. The detailed list of named apps and SDKs is in MIIT’s attachment to the bulletin.

The bulletin closes with the formula MIIT has used since the series began: the named operators shall rectify in accordance with the regulations; if rectification is not fully implemented, MIIT will, in accordance with law and regulation, organize related disposition work.

The campaign infrastructure

The bulletin is issued under the authority of the Notice on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns (关于开展2026年个人信息保护系列专项行动的公告) — a joint announcement by the Cyberspace Administration of China (CAC), MIIT, and the Ministry of Public Security (MPS). The 2026 special campaign continues a multi-year inter-agency framework for organized enforcement of the mobile-app PI rules.

The structure overseas counsel should understand:

  • Annual campaign authorizing the cadence. Each year the three agencies jointly issue a special-campaign announcement. The MIIT batches that follow during the year operate under that authorization.
  • MIIT executes the mobile-app testing tier. MIIT’s Information & Communications Administration Bureau, in cooperation with retained third-party testing institutions, performs the actual technical testing of apps and SDKs against the PI-collection and user-rights rules. The named bulletins are MIIT’s published output of that testing program.
  • CAC and MPS run parallel tiers. CAC handles the administrative-penalty tier (fines and operational restrictions on internet platforms); MPS handles the criminal tier (Article 253-1 PI offenses and other criminal conduct). The three-agency joint authorization stitches the campaign across the regulatory and criminal lines.

The campaign also operates against a parallel statutory cadence: PIPL Article 64 (CAC corrective-order power), the Personal Information Protection Compliance Audit Management Measures (which require regular audits and provide an audit-driven enforcement pathway), and the Network Data Security Management Regulations (which extend the regulatory perimeter to network-data scenarios beyond strict PI).

The bulletin invokes four statutes as the legal basis for the testing and the named-and-shamed action:

  • Personal Information Protection Law (PIPL). The dominant statute since 2021. PI-collection violations — collecting beyond declared scope, collecting without consent, retaining beyond purpose — sit under PIPL.
  • Cybersecurity Law (CSL). The foundational network-security and network-product / service-security statute. App and SDK conduct that violates network-product certification or that creates security defects can be cited under CSL.
  • Telecommunications Regulations (电信条例). The 2000 administrative regulations governing the telecom sector. They provide MIIT with the sector-specific authority to police telecom-service-related conduct, including conduct of internet-access service providers and value-added telecom services (most apps fall within the latter category).
  • Telecom and Internet User Personal Information Protection Provisions (电信和互联网用户个人信息保护规定). The 2013 MIIT departmental rule that pre-dates PIPL by eight years and remains the operational sector-specific instrument for telecom / internet-channel PI protection. It is the rule that MIIT’s testing program most directly enforces against.

The four-statute citation is the standard one for MIIT batched bulletins. It establishes that the same conduct can be characterized as a PIPL violation (general statute), a CSL violation (network-security statute), a Telecommunications Regulations violation (sector-administrative-regulation statute), and a Telecom and Internet User PI Provisions violation (sector departmental rule). The redundancy is intentional: each statute provides MIIT with a separate vector for sanctions.

The rectify-then-enforce pathway

The bulletin’s closing formula is the operative one. Named operators face a two-stage process:

Stage 1 — Rectification. The operator has a defined window (typically 5–10 working days, sometimes specified separately in MIIT communications) to rectify the cited conduct. Rectification means fixing the identified violations and, in many cases, submitting a rectification report to MIIT or the testing institution.

Stage 2 — Disposition for non-rectification. Failure to rectify, or incomplete rectification, triggers MIIT-organized “related disposition work.” In practice this can include:

  • App-store removal. MIIT coordinates with the major Chinese app stores to remove the offending app from distribution.
  • Operator-restriction administrative penalties. Under CSL Article 64 / PIPL Article 66 / Telecommunications Regulations Article 70, MIIT can order corrective action, impose fines (PIPL provides for fines up to 5% of prior-year turnover under Article 66 ¶ 2 for severe cases), and restrict business operations.
  • Onward referral. Where the conduct may rise to a criminal threshold — particularly under PRC Criminal Law Article 253-1 (the PI-protection criminal offense) — MIIT can refer to MPS for criminal investigation.
  • Recidivism flag. Operators repeatedly named in successive batches face escalating sanctions and increased scrutiny under MIIT’s annual oversight rating system.

For overseas operators with a Chinese app or SDK in distribution, the named-and-shamed stage is the first warning — but it is also a public warning, immediately visible to enterprise customers, business partners, and Chinese app stores. The reputational and commercial consequences begin at Stage 1, not Stage 2.

The cadence — 56 batches and counting

The MIIT batched-bulletin series is now mature. The May 21, 2026 bulletin is Batch 3 of 2026 and Batch 56 overall — meaning MIIT has issued approximately one bulletin per month-and-a-half on average since the series began (the first batches date from 2019). The 2026 cadence so far suggests roughly bimonthly batches.

The cumulative effect is significant: across 56 batches, MIIT has publicly named hundreds of apps and SDKs. Operators that appear in successive batches without addressing the underlying conduct face the recidivism-escalation pathway. The series has, in DCC’s reading, durably normalized the MIIT testing-and-naming pattern as the dominant enforcement modality for mobile-app PI protection in China.

The recurring violation patterns

While DCC has not extracted MIIT’s specific 31-app list for this batch, the bulletin title — “illegal collection of personal information, window-redirect abuse…” — and the cumulative pattern across the 56 batches surface a stable set of recurring violation types. The most frequently cited:

  • Collection beyond declared scope. App collects PI categories not disclosed in its privacy policy or beyond the user’s actual consent. Includes collecting precise location for a service that only needs city-level location, collecting contacts for a service that doesn’t need contacts, etc.
  • Mandatory permission requests for non-essential function. App refuses to operate unless the user grants permissions for functions unrelated to the service. PIPL’s “essential function” principle prohibits this.
  • Difficulty exiting account / withdrawing consent. App makes the account-deletion or consent-withdrawal pathway disproportionately difficult. PIPL Article 16 prohibits this.
  • Excessive frequency of PI collection. App repeatedly requests PI (e.g., location every few seconds) where infrequent collection would suffice.
  • Window-redirect abuse (窗口乱跳转). This batch’s named conduct. The user opens the app or a specific screen and is rapidly redirected through multiple windows (commonly ad windows or third-party offer pages) before reaching the intended content. The conduct violates user-experience and user-control rules; MIIT has been targeting it consistently since 2023.
  • SDK conduct hidden from the host app. Third-party SDKs embedded in the host app collect PI on the SDK provider’s account in ways the host app’s privacy disclosure doesn’t cover. SDK testing has been a growing focus of the MIIT batches over 2024–2026.

For each violation type, the operational fix is well-documented in MIIT’s published rectification guidance. The published bulletin’s lasting value to compliance teams is the implicit prioritization: it tells them which violations are actually attracting testing-program attention this batch.

What this tells overseas compliance teams

  • MIIT batched bulletins are the operational floor of mobile-app PI compliance in China. Treat them as the enforcement baseline. Internal compliance reviews should specifically test against the most recently surfaced violation patterns from the last 3–4 batches.

  • Being named is itself the sanction. The bulletin’s reputational and commercial consequences begin immediately, not at the disposition stage. Operators should pre-position to rectify quickly — and to communicate rectification to enterprise customers — once named.

  • Third-party SDK risk is increasingly weight-bearing. Where the named entity is an SDK rather than a host app, downstream apps embedding that SDK face cascading scrutiny. Overseas teams using Chinese SDKs (advertising, analytics, push notification, payment) should monitor MIIT’s SDK callouts and have a documented response process when an embedded SDK is named.

  • The annual joint-agency campaign sets the year’s enforcement priorities. Read the joint CAC + MIIT + MPS annual campaign announcement closely: it telegraphs which conduct categories the year’s batches will focus on. The 2026 announcement establishes PI-protection violations and window-redirect abuse as the headline categories, which is consistent with this batch’s cited conduct.

  • PIPL Article 64 and the audit measures are the parallel enforcement levers. MIIT’s batched bulletins are public; CAC’s PIPL Article 64 corrective orders and the audit-driven enforcement under the PI Audit Measures operate in parallel and often without public notice. Operators that fix the conduct surfaced in an MIIT batch may still face CAC or audit-driven enforcement on the same conduct.

The deeper point of this batch — and the bulletin series as a whole — is that the Chinese mobile-app PI regime is enforced through visible, repeated, batched, third-party-tested public naming, not through a “big-fine, big-case, big-headline” model that overseas compliance teams familiar with EU GDPR enforcement might expect. The regime grinds. The MIIT bulletin is the grinding-stone. Compliance teams that map their internal review to the bulletin’s recurring violation patterns operate well under it; teams that wait for a headline case will be named before they react.


工业和信息化部信息通信管理局, 违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报!(31 APPs and SDKs Cited for Illegal PI Collection and Window-Redirect Abuse), 工信微报 WeChat Official Account, May 21, 2026. Original bulletin (Chinese).

Not legal advice. The above is DCC’s structural analysis of the bulletin and the underlying campaign architecture. The 31-app list and the specific cited conduct are in MIIT’s published attachment; this brief focuses on framing the regulatory mechanism for overseas counsel.
