Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps

Posted on Updated on

Notice concerning Issuance of the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”

All provincial, autonomous region, municipal and the Xinjiang Production-Construction Corps cybersecurity and informatization offices, telecommunications management bureaus, public security offices (bureaus), market supervision and management bureaus (offices, committees):

On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violations of rules and regulations in apps, implement laws and regulations such as the “Cybersecurity Law”, etc., the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration of Market Regulation have jointly formulated the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”. These are hereby issued to you, please refer to and implement them in integration with supervision, management and law enforcement work realities.

Cyberspace Administration of China Secretariat

Ministry of Industry and Information Technology General Office

Ministry of Public Security General Office

State Administration for Market Regulation General Office

28 November 2019

Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps

On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violations of rules and regulations in apps, provide guidance for app operators’ self-inspection and self-rectification as well as netizens’ social supervision, and implement laws and regulations such as the “Cybersecurity Law”, these Rules are formulated.

I, The following acts may be determined as “not publishing collection and use norms”

1. There is no privacy policy in the app, or the privacy policy does not contain norms on the collection and use of personal information;

2. When using the app for the first time, users are not prompted to read privacy policies and other such norms on collection and use through a pop-up window and other such clear methods

3. The privacy policy and other such collection and use norms are difficult to access, for instance when after entering the app’s main interface, 4 clicks or other such manipulations are required before it can be accessed;

4. The privacy policy and other such collection and use norms are difficult to read, for instance because characters are too small and closely spaced, colours are too light, they are blurred and unclear, or no simplified Mandarin version is provided.

II, The following acts may be determined as “not indicating the objective, method and scope of collecting and using personal information”

1. Not listing the objective, method and scope of personal information collection and use in the app (including entrusted third parties or embedded third-party code and plug-ins) one by one;

2. When a change occurs in the objective, method and scope of personal information collection and use, not notifying the user in an appropriate manner, appropriate manners include revising the privacy policy and other such collection and use norms and alerting the user to read it;

3. When requesting to activate authorization of collectable personal information, or requesting to collect users’ identity card number, bank account number, geographical tracking and other such sensitive personal information, not simultaneously notifying the user about its objective, or having an unclear or difficult to understand objective.

4. Content related to collection and use norms is obscure and difficult to understand, verbose and overly detailed, which is difficult for users to understand, for instance using large amounts of specialist jargon, etc.

III, The following acts may be determined as “collecting and using personal information without users’ consent”

1. Beginning to collect personal information or activating authorizations for collectable information before obtaining users’ consent;

2. After users clearly indicate they do not consent, still collecting personal information or activating up collectable personal information authorizations, or frequently obtaining users’ consent, interfering with users’ regular use;

3. Actually collecting personal information or activating collectable personal information authorizations in excess of the scope of user authorization;

4. Obtaining users’ consent by way of implicit agreement to privacy policies and other non-explicit methods;

5. Altering the status of collectable personal information authorizations they have set up without users’ consent, for instance automatically restoring user-set up authorization to implicit approval status when updating an app;

6. Using users’ personal information and algorithms to direct push delivery information, without providing an option for non-targeted push delivery information;

7. Misleading users through fraudulent, swindling and other such improper methods into consenting to personal information collection or the activation of collectable personal information authorizations, for instance wilfully hoodwinking or covering up the true objective for the collection of users’ personal information;

8. Not providing users with a way and method to revoke consent for personal information collection;

9. Collecting users’ personal information in violation of the announced collection and use norms. 

IV, The following acts may be determined as “collecting personal information in violation of the principle of necessity, that is not related to the provided service”

1.  Collected categories of personal information or activated collectable personal information authorizations are not related to the existing business functions;

2. Refusing to provide business functions because users do not consent to the collection of unnecessary personal information or the activation of unnecessary authorizations;

3.  Requesting the collection of personal information in excess of the scope the user originally consented to when adding new business functions to the app, refusing to provide the original business functions if the user does not agree, except where the newly added business function supersedes the original business function;

4. The frequency of personal information collection exceeds the actual needs of business functions;

5. Obliging he user to consent to personal information collection for only the purpose of improving of service quality, enhancing user experience, targeting push delivery information, researching and developing new products, etc., 

6. Requiring users to consent once to activating multiple collectable personal information authorizations, where use is impossible if users do not consent.

V, The following acts may be determined as “providing personal information to others without consent”

1. Providing personal information directly from the app customer end to third parties both without user content, and without anonymized processing, including providing personal information to third parties through methods such as embedding third-party code or plug-in components at the customer end, etc.;

2. Providing collected personal information to third parties after data is transmitted to the app’s back-end servers both without user content, and without anonymized processing;

3. Even if functions are provided to correct and delete personal information and cancel user accounts, not timely responding to user’s corresponding operations, requiring manual processing, not completing examination and processing within the committed time limits (the committed time limit may not exceed 15 working days, where there is not committed time limit, 15 working days are taken as limit);

4. Where the executing of correction or deletion of personal information, the cancellation of user accounts and other such user operations has been completed, but it is not completed at the app back-end;

5. Not establishing and publishing personal information security complaints and reporting channels, or not accepting and processing matters within the committed time limits (the committed time limit may not exceed 15 working days, where there is not committed time limit, 15 working days are taken as limit).

关于印发《App违法违规收集使用个人信息行为认定方法》的通知
各省、自治区、直辖市及新疆生产建设兵团网信办、通信管理局、公安厅(局)、市场监管局(厅、委):
  根据《关于开展App违法违规收集使用个人信息专项治理的公告》,为认定App违法违规收集使用个人信息行为提供参考,落实《网络安全法》等法律法规,国家互联网信息办公室、工业和信息化部、公安部、市场监管总局联合制定了《App违法违规收集使用个人信息行为认定方法》。现印发你们,请结合监管和执法工作实际参考执行。
国家互联网信息办公室秘书局
工业和信息化部办公厅
公安部办公厅
市场监管总局办公厅
  2019年11月28日
App违法违规收集使用个人信息行为认定方法
  根据《关于开展App违法违规收集使用个人信息专项治理的公告》,为监督管理部门认定App违法违规收集使用个人信息行为提供参考,为App运营者自查自纠和网民社会监督提供指引,落实《网络安全法》等法律法规,制定本方法。
  一、以下行为可被认定为“未公开收集使用规则”
  1.在App中没有隐私政策,或者隐私政策中没有收集使用个人信息规则;
  2.在App首次运行时未通过弹窗等明显方式提示用户阅读隐私政策等收集使用规则;
  3.隐私政策等收集使用规则难以访问,如进入App主界面后,需多于4次点击等操作才能访问到;
  4.隐私政策等收集使用规则难以阅读,如文字过小过密、颜色过淡、模糊不清,或未提供简体中文版等。
  二、以下行为可被认定为“未明示收集使用个人信息的目的、方式和范围”
  1.未逐一列出App(包括委托的第三方或嵌入的第三方代码、插件)收集使用个人信息的目的、方式、范围等;
  2.收集使用个人信息的目的、方式、范围发生变化时,未以适当方式通知用户,适当方式包括更新隐私政策等收集使用规则并提醒用户阅读等;
  3.在申请打开可收集个人信息的权限,或申请收集用户身份证号、银行账号、行踪轨迹等个人敏感信息时,未同步告知用户其目的,或者目的不明确、难以理解;
  4.有关收集使用规则的内容晦涩难懂、冗长繁琐,用户难以理解,如使用大量专业术语等。
  三、以下行为可被认定为“未经用户同意收集使用个人信息”
  1.征得用户同意前就开始收集个人信息或打开可收集个人信息的权限;
  2.用户明确表示不同意后,仍收集个人信息或打开可收集个人信息的权限,或频繁征求用户同意、干扰用户正常使用;
  3.实际收集的个人信息或打开的可收集个人信息权限超出用户授权范围;
  4.以默认选择同意隐私政策等非明示方式征求用户同意;
  5.未经用户同意更改其设置的可收集个人信息权限状态,如App更新时自动将用户设置的权限恢复到默认状态;
  6.利用用户个人信息和算法定向推送信息,未提供非定向推送信息的选项;
  7.以欺诈、诱骗等不正当方式误导用户同意收集个人信息或打开可收集个人信息的权限,如故意欺瞒、掩饰收集使用个人信息的真实目的;
  8.未向用户提供撤回同意收集个人信息的途径、方式;
  9.违反其所声明的收集使用规则,收集使用个人信息。
  四、以下行为可被认定为“违反必要原则,收集与其提供的服务无关的个人信息”
  1.收集的个人信息类型或打开的可收集个人信息权限与现有业务功能无关;
  2.因用户不同意收集非必要个人信息或打开非必要权限,拒绝提供业务功能;
  3.App新增业务功能申请收集的个人信息超出用户原有同意范围,若用户不同意,则拒绝提供原有业务功能,新增业务功能取代原有业务功能的除外;
  4.收集个人信息的频度等超出业务功能实际需要;
  5.仅以改善服务质量、提升用户体验、定向推送信息、研发新产品等为由,强制要求用户同意收集个人信息;
  6.要求用户一次性同意打开多个可收集个人信息的权限,用户不同意则无法使用。
  五、以下行为可被认定为“未经同意向他人提供个人信息”
  1.既未经用户同意,也未做匿名化处理,App客户端直接向第三方提供个人信息,包括通过客户端嵌入的第三方代码、插件等方式向第三方提供个人信息;
  2.既未经用户同意,也未做匿名化处理,数据传输至App后台服务器后,向第三方提供其收集的个人信息;
  3.App接入第三方应用,未经用户同意,向第三方应用提供个人信息。
  六、以下行为可被认定为“未按法律规定提供删除或更正个人信息功能”或“未公布投诉、举报方式等信息”
  1.未提供有效的更正、删除个人信息及注销用户账号功能;
  2.为更正、删除个人信息或注销用户账号设置不必要或不合理条件;
  3.虽提供了更正、删除个人信息及注销用户账号功能,但未及时响应用户相应操作,需人工处理的,未在承诺时限内(承诺时限不得超过15个工作日,无承诺时限的,以15个工作日为限)完成核查和处理;
  4.更正、删除个人信息或注销用户账号等用户操作已执行完毕,但App后台并未完成的;
  5.未建立并公布个人信息安全投诉、举报渠道,或未在承诺时限内(承诺时限不得超过15个工作日,无承诺时限的,以15个工作日为限)受理并处理的。

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s