Notice on the Issuance of the “Method for Determining Illegal and Improper Collection and Use of Personal Information by Apps”

MIIT Secret [2019] No. 191

To the internet information offices, telecommunications management bureaus, public security departments (bureaus), and market regulation bureaus (departments, commissions) of all provinces, autonomous regions, municipalities directly under the central government, and Xinjiang Production and Construction Corps:

In accordance with the “Announcement on Carrying Out Special Governance on Illegal and Improper Collection and Use of Personal Information by Apps,” and in order to provide a reference for determining illegal and improper collection and use of personal information by Apps and to implement laws and regulations such as the “Cybersecurity Law,” the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS), and the State Administration for Market Regulation (SAMR) have jointly formulated the “Method for Determining Illegal and Improper Collection and Use of Personal Information by Apps.” We are now issuing it to you for reference in conjunction with your regulatory and enforcement work.

Office of the Cyberspace Administration of China

General Office of the Ministry of Industry and Information Technology

General Office of the Ministry of Public Security

General Office of the State Administration for Market Regulation

November 28, 2019

Method for Determining Illegal and Improper Collection and Use of Personal Information by Apps

This method is formulated in accordance with the “Announcement on Carrying Out Special Governance on Illegal and Improper Collection and Use of Personal Information by Apps,” in order to provide a reference for supervisory and administrative departments in determining illegal and improper collection and use of personal information by Apps, to provide guidance for App operators' self-examination and self-correction and for public supervision, and to implement laws and regulations such as the “Cybersecurity Law.”

1. The following behaviors can be identified as “failure to disclose collection and usage rules”:

  1. The App does not have a privacy policy, or the privacy policy does not include rules for collecting and using personal information.
  2. The App does not prompt the user to read the privacy policy or other collection and usage rules through obvious means, such as a popup window, when the App is first launched.
  3. The privacy policy or other collection and usage rules are difficult to access, requiring more than four clicks or similar operations to access after entering the main interface of the App.
  4. The privacy policy or other collection and usage rules are difficult to read, such as small or dense text, faint colors, blurriness, or the absence of a simplified Chinese version.

2. The following behaviors can be identified as “failure to clearly indicate the purpose, method, and scope of collecting and using personal information”:

  1. Failing to list the purposes, methods, and scope of collecting and using personal information for the App (including entrusted third parties and embedded third-party code or plugins).
  2. When the purpose, method, or scope of collecting and using personal information changes, the user is not notified in an appropriate manner. Appropriate methods include updating the privacy policy or other collection and usage rules and reminding users to read them.
  3. When applying for permission to collect personal information or sensitive personal information such as the user’s ID, bank account, or travel history, the purpose is not clearly stated, or it is difficult to understand.
  4. The content of the collection and usage rules is obscure, lengthy, and overly complicated, making it difficult for users to understand, for example, by using a large amount of professional terminology.

3. The following behaviors can be identified as “collecting and using personal information without the user’s consent”:

  1. Initiating the collection of personal information or granting permission to collect personal information before obtaining the user’s consent.
  2. Continuing to collect personal information or maintain permission to collect personal information after the user explicitly expresses disagreement, or frequently seeking the user’s consent, or interfering with the user’s normal usage.
  3. Collecting or allowing the collection of personal information beyond the scope authorized by the user.
  4. Using default selections or non-explicit methods to seek the user’s consent for the privacy policy or other collection and usage rules.
  5. Changing the user’s personal information collection permission status without the user’s consent, such as automatically restoring the user’s permission settings to default during App updates.
  6. Using users’ personal information and algorithms for targeted push notifications without providing an option for non-targeted notifications.
  7. Misleading users to consent to the collection of personal information or granting permission to collect personal information through fraudulent or deceptive means, such as deliberately misleading or concealing the true purpose of collecting and using personal information.
  8. Failing to provide users with a way to withdraw consent for the collection of personal information.
  9. Violating the declared collection and usage rules for personal information.

4. The following behaviors can be identified as “violating the principle of necessity by collecting personal information unrelated to the services provided”:

  1. Collecting types of personal information or granting permission to collect personal information that are unrelated to the existing business functions.
  2. Refusing to provide business functions because users refuse to consent to the collection of non-essential personal information or the granting of non-essential permissions.
  3. For new business functions in the App, collecting personal information beyond the user’s original agreed scope. This does not apply if new business functions replace the original ones and the user refuses to consent.
  4. Collecting personal information excessively for business functions.
  5. For reasons such as improving service quality, enhancing user experience, targeted push notifications, or developing new products, forcing users to consent to the collection of personal information.
  6. Requiring users to consent to opening multiple permissions to collect personal information at once, and users cannot use the App without consent.

5. The following behaviors can be identified as “providing personal information to others without consent”:

  1. Directly providing personal information to third parties by the App client without the user’s consent and without anonymization, including through embedded third-party code or plugins in the client.
  2. After data is transmitted to the App’s backend server, providing the collected personal information to third parties without the user’s consent and without anonymization.
  3. Integrating third-party applications into the App and providing personal information to third-party applications without the user’s consent.

6. The following behaviors can be identified as “failing to provide the option to delete or correct personal information as required by law” or “failing to disclose complaint and reporting methods”:

  1. Failing to provide effective functions for correcting, deleting personal information, or canceling user accounts.
  2. Setting unnecessary or unreasonable conditions for correcting, deleting personal information, or canceling user accounts.
  3. Although functions for correcting, deleting personal information, or canceling user accounts are provided, failing to respond promptly to user operations that require manual processing, and not completing verification and processing within the promised time frame (the promised time frame shall not exceed 15 working days, and if there is no promised time frame, it shall be limited to 15 working days).
  4. User operations such as correcting or deleting personal information or canceling an account have been carried out, but the App’s backend has not actually completed them.
  5. Failing to establish and publish channels for personal information security complaints and reports or not accepting and processing complaints and reports within the promised time frame (the promised time frame shall not exceed 15 working days, and if there is no promised time frame, it shall be limited to 15 working days).



The 21YunBox Advantage

The original document is written in Chinese. We have provided this English translation for your convenience. However, please note that this translation is intended for a quick understanding of the law and should be used at your own discretion and risk.
