Filed under app-compliance
Every brief tagged "app-compliance".
- § 01 · ENFORCEMENT
MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures
On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.
- § 02 · ENFORCEMENT
From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window
On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals.
- § 03 · ENFORCEMENT
CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation
On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.
- § 04 · ENFORCEMENT
MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse
MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.
- § 05 · PERSONAL-INFORMATION
Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes
Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.