Release Date: 11-28-2019
Source: Cyberspace Administration of China site
Chinese Title: 关于印发《App违法违规收集使用个人信息行为认定方法》的通知
Guo Xin Ban Mi Zi  No. 191
The cyberspace administrations, communications administrations, public security departments (bureaus) and market regulation bureaus (departments and commissions) of all provinces, autonomous regions, municipalities directly under the Central Government and the Xinjiang Production and Construction Corps,
According to the Announcement on Special Governance of the Illegal Collection and Use of Personal Information by Apps, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation have jointly formulated the Method for Identifying the Illegal Collection and Use of Personal Information by Apps to provide reference for the identification of illegal collection and use of personal information by Apps and implementing the Cybersecurity Law and other laws and regulations. The present Method is hereby promulgated for your implementation in light of actual regulatory and law enforcement practices.
Secretariat of Cyberspace Administration of China
Ministry of Industry and Information Technology
General Office of the Ministry of Public Security
General Office of the State Administration of Market Regulation
28 November 2019
The present Method is formulated in accordance with the Announcement on Special Governance of the Illegal Collection and Use of Personal Information by Apps, with a view to providing reference for supervision and administration departments to identify the illegal collection and use of personal information by Apps, offering guidance for App operators’ self-examination and self-correction and social supervision of netizens, and implementing the Cybersecurity Law and other laws and regulations.
I. The following practices may be identified as “non-disclosure of collection and use rules”:
2. failing to prompt users to read privacy policies and other collection and use rules, through pop-up windows or other noticeable ways, when an App is put into operation for the first time;
3. it is difficult for users to access the privacy policies and other collection and use rules. For instance, users cannot access the privacy policies and other collection and use rules of an APP before entering the main interface of the App for more than four clicks; and
4. it is difficult for users to read the privacy policies and other collection and use rules, For instance, the text is too small or too dense, and unclear, with too light color, or there is no simplified Chinese version, etc.
II. The following practices can be identified as “failing to expressly state the purpose, method and scope of collecting and using personal information”:
1. does not specify one by one the purpose, method or scope of personal information collection or use by Apps (including third parties entrusted or embedded third parties’ codes or plug-ins);
3. failing to synchronously inform users of their purposes, or the purposes are unclear and difficult for users to understand, when applying for the permission to collect personal information, or applying for the collection of user identity card number, bank account number, whereabouts and tracks and other personal sensitive information; and
4. the content of collection and use rules is obscure, lengthy and tedious, and difficult for users to understand, for example, the use of a large number of terminologies.
III. The following practices may be identified as “collecting or using personal information without the consent of users”:
1. commencing the collection of personal information or opening the authority to collect personal information before obtaining the consent of users;
2. after a user clearly expresses disagreement, still collecting personal information or opening the authority to collect personal information, frequently asking for the user’s consent and interfering with the normal use of a user;
3. the personal information collected or the authority opened for collectable personal information is beyond the scope of users’ authorization;
5. change the status of collectable personal information authority set by a user without the user’s consent, such as automatically restoring user settings to the default status when the App is updated;
6. utilizing users’ personal information and algorithms to push information from targeted sources, but failing to provide options for non-targeted push information;
7. misleading users into agreeing to collect personal information or opening the authority to collect personal information by fraud, deception or other improper means, such as deliberately deceiving or concealing the true purpose of collecting or using personal information;
8. failing to provide users with channels and methods for withdrawing consent to collect personal information; and
9. collect and use personal information in violation of its stated collection and use rules.
IV. The following practices may be identified as “collecting personal information unrelated to the services they provide in violation of the principle of necessity”
1. the type of personal information collected or the authority for collectible personal information opened is irrelevant to existing business functions;
2. refusing to provide business functions because users do not agree to collect unnecessary personal information or open unnecessary authority;
3. The personal information collected by an App under the application for new business functions exceeds the scope originally approved by a user. If the user disagrees, the App will refuse to provide the user with the original business functions, except that the new business functions replace the original ones;
4. the frequency of collecting personal information is beyond the actual needs of business functions;
5. forcing users to agree to collect personal information for the sole reason of improving service quality, boosting user experience, pushing targeted information, researching and developing new products, etc.; and
6. Requiring a user to consent to open multiple authority to collect personal information at one time, and the user cannot use the App without consent.
V. The following practices may be identified as “providing others with personal information without the consent”:
1. without the consent of a user and without anonymization, an App client directly provides personal information for a third party, including the provision of personal information to a third party through a third party’s code embedded in the client, plug-ins or otherwise;
2. without the consent of a user and without anonymization, an App provides a third party with the personal information it has collected after the data is transmitted to the background server of the App; and
3. without the consent of users, an App that is linked with a third-party application provides personal information to the third-party application.
VI. The following practices may be identified as “failure to provide the function of deleting or correcting personal information in accordance with the law” or “failure to disclose the information on complaints and whistleblowing reports”
1. failing to provide functions for effective correction and deletion of personal information and deregistration of users’ accounts;
2. setting unnecessary or unreasonable conditions for correcting or deleting personal information or deregistration of users’ accounts; and
3. having provided functions of correcting or deleting personal information or deregistration of users’ accounts but failing to timely respond to the corresponding operations of users or to complete the examination and handling the operations subject to manual handling within the committed time limit (such committed time limit shall not exceed 15 working days, and if there is no committed time limit, the time limit shall be 15 working days); and
4. where users have finished operations such as correction and deletion of personal information or deregistration of users’ accounts, but App background has not completed the said operations; and
5. failing to establish and publicize channels for complaints and whistleblowing reports about personal information security, or failing to accept and handle complaints and whistleblowing reports within the committed time limit (which shall not exceed 15 working days; in the absence of committed time limit, 15 working days shall apply).