Promulgation Date: 2023-2-6 Title: 工业和信息化部关于进一步提升移动互联网应用服务能力的通知 Document Number:工信部信管函〔2023〕26号 Expiration date: Promulgating Entities:Ministry of Industry and Information Technology Source of text: https://www.miit.gov.cn/zwgk/zcwj/wjfb/tz/art/2023/art_261ee9a52be545c09dc4323a45e8631f.html
To the communications administration of each province, autonomous region, and directly governed municipality, the China Academy of Information and Communications Technology, the Internet Society of China, and all related enterprises:
In recent years, the Ministry of Industry and Information Technology has vigorously promoted increases in the quality of mobile internet application functions, truly preserving users’ lawful rights and interests and obtaining positive social effects, but problems have continued to occur, such as some enterprises’ service activities not being regular and responsibility not being adequately put in place. In order to optimize the provision of services, improve user experiences, maintain a positive environment for information consumption, and promote the high-quality development of the industry, notice on the following matters is hereby given on the basis of the Personal Information Protection Law, the Telecommunications Regulations, the Several Provisions on Regulating Order in the Mobile Internet Information Services Market, the Provisions on the Protection of Telecommunication and Internet Users’ Personal Information, and related laws, regulations, and rules.
I. Improving whole-process service perception, and protecting users’ lawful rights and interests
(1) Regulate installation and uninstallation
1. Ensure knowledge and consent in installations. Recommendations that users download apps should comply with the principle of openness and transparency, truthfully, accurately, and completely indicating necessary information such as the developers and operators, product functions, privacy policies, and permissions lists; and simultaneously provide clear options for cancellation and allow downloads and installations only after users confirm their consent, to truly safeguard users’ right to know and right to choose. Users must not be tricked or misled into downloading or installing through means such as ‘bait and switch’, ‘forced bundling’, or ‘silent downloads’.
2. Regulate webpage download recommendations. Apps must not be downloaded automatically or compulsorily without the users’ consent or active selection when users browse webpages; and methods such as accordion displays, automatic pop-up windows, and frequent reminders must not be used to compel users to download or open apps, impacting users’ normal browsing of information. The download of apps must not be tied to the reading of website content without a legitimate reason.
3. Make uninstallation convenient. Apps other than those for basic functions shall be easy to uninstall, and users’ uninstallation must not be maliciously impeded through means such as having blank names, transparent icons, or being hidden in the background.
(2) Optimize the service experience
4. User choice in closing windows. Clear and effective buttons are to be provided for closing windows and pop-ups, ensuring that users may conveniently close them; frequent pop-up windows must not disrupt users’ normal usage, and methods such as ‘full-screen heat maps’, high sensitivity, or shaking, which can cause accidental user activation, must not be used.
5. Pre-service notifications. Clearly indicate content such as product functions, rights and interests, and fees, and give conspicuous alerts on additional conditions such as membership and fee collection. Restrictive conditions that were not indicated must not be added without authorization in the course of providing products and services, and such conditions must not be used as a reason for stopping users’ normal use of product functions and services or for downgrading the service experience.
6. Reasonable activation of operation scenarios. Other apps must not be activated, or activated in a linked fashion, where this is not necessary for services or in unreasonable scenarios, and other apps must not be woken, adjusted, or updated in such cases.
7. Prompt reminders for service renewals. Where automatic renewals or fee collection is used in providing services, the users’ consent shall be obtained, and it must not be started through default options or compulsory bundling. Users are to be reminded by conspicuous methods such as text messages or information push 5 days before automatic renewals or fee collection, and convenient channels for ending automatic renewal and fee collection are to be provided at all times during the service period.
(3) Strengthen the protection of personal information
8. Adhere to the principles of legality, propriety, and necessity. Activities handling personal information should have clear and reasonable purposes, and reasons such as improving user experience, product development, algorithmic recommendations, or risk control must not be used to require users to consent to handling of personal information that exceeds the necessary scope or is unrelated to the service scenario. When users refuse to provide personal information that is not necessary for the current services, this must not impact the users’ use of the basic functions of the service.
9. Indicate rules for the handling of personal information. Use simple, clear, and understandable methods to notify users of the rules for handling personal information, and if changes occur, promptly notify users of the most recent situation. Highlight the display of the purpose, means, and scope of handling sensitive personal information, and establish a list of the personal information collected; methods such as default options, reduced font sizes, or excessively long texts must not be used to make users consent to the rules for handling personal information.
10. Reasonable requests for the use of permissions. Dynamically request required permissions when the corresponding service functions are started; users must not be required to give sweeping consent to multiple permissions that are not required for the corresponding functions. When requesting permissions such as for terminal photo albums, address books, and positioning, simultaneously notify users of the purpose of requesting that permission. The status of permissions that have not been authorized by users must not be changed without the users’ consent.
(4) Respond to user demands
11. Set up customer hotlines. Encourage internet enterprises to establish customer hotlines, displaying customer hotline numbers in a conspicuous location on the enterprise’s main website and apps, and simplifying procedures for transfer to human service. Encourage increases in customer hotlines’ ability to respond, with average monthly response times under 30 seconds and a human response rate above 85%.
12. Improve the handling of user complaints. Publish valid contact information for receiving user complaints. Respond to complaints on the internet information services complaint platform as specified, and ensure that they are addressed within 15 days, to increase the rate of satisfaction with the handling of complaints. Encourage the setting up of user satisfaction evaluation links to guide users to participate in evaluations.
II. Improve full-chain management capacity, creating a healthy service ecology
(1) Implement the primary responsibility of app developers and operators
1. Improve internal management mechanisms. Clarify the management departments and responsible persons leading user services and the protection of rights and interests, establish full life-cycle mechanisms for the protection of personal information, complete evaluation and accountability systems, and periodically conduct compliance audits of measures for the protection of personal information and their enforcement, to effectively prevent risks.
2. Enhance the ability of technical safeguards. Employ technical security measures such as access controls, encryption, and de-identification to strengthen front-end and back-end protections. Proactively monitor and discover risks and threats such as the leaking, theft, alteration, destruction, loss, and illegal use of personal information, promptly responding to requests for disposition.
3. Strengthen the management of the use of software development kits (SDKs). Before using SDKs, conduct an assessment of their ability to protect personal information, and use contracts and other such methods to clearly provide for the rights and obligations of all parties to ensure that personal information is handled in accordance with laws and regulations. Centrally display and promptly update embedded SDKs’ names, functions, and rules for their handling of personal information. Where users’ personal information is handled jointly and violations of users’ rights and interests cause harm, corresponding responsibility is to be borne in accordance with law.
(2) Strengthen platform distribution management
4. Conduct strict reviews for putting apps on the market. Correctly register and verify basic information such as app developers’ and operators’ real identities and contact information and the main functions and uses of apps, and conduct technical examinations of apps that are seeking to be put on the market. These reviews should clarify the person responsible and have review logs stored, with apps not meeting requirements not being put on the market. Display all available apps and indicate information such as the names, functions, developers, operators, version numbers, a list of all user terminal permissions required by the apps and their uses, and the rules for the handling of personal information. Where a dedicated distribution interface has not been established, app download links should go to the application store, guiding users to download apps distributed through formal channels.
5. Strengthen inspections of available apps. Strengthen dynamic inspections of apps, ensuring that the displayed information is true and accurate. Provision of services shall be stopped for apps that are inconsistent with the displayed information, or that violate rules by using measures such as “hot module replacement or hot swapping” to change the app’s main functions, requested permissions, or the scenarios and scope of personal information use.
6. Improve distribution management mechanisms. Establish mechanisms such as assessing app developers’ and operators’ credit, and for risk alerts, encourage the use of digital signatures in the dissemination of apps, making it so that the entire process of apps entering the market and distribution is trackable. Strengthen links between mobile internet application testing and the public service verification platform to do a good job in efforts such as information reporting, monitoring and tracking, information sharing, and responses and dispositions.
(3) Regulate SDK services
7. Establish mechanisms for the display of information. Publicly indicate basic information such as the SDK’s name, developer, version number, main functions, and an explanation of its use, as well as rules for the handling of personal information. Where SDKs independently collect, transmit, or store personal information, an independent explanation shall be made. Encourage giving play to the role of the SDK management service platform, leading app developers and operators to use compliant SDKs.
8. Optimize function configuration. Follow the minimum necessary principle in clarifying SDK functions and the corresponding scope of personal information collected based on different application scenarios and uses, and provide app developers and operators with options for function modules and personal information collection; excessive personal information must not be collected in a sweeping fashion.
9. Strengthen coordination of services. During the full product lifecycle, use clear and easily understood methods to proactively provide app developers and operators with guides on compliant usage, leading their correct and reasonable usage, and increasing the level of compliance together. When there is a change in the rules for handling personal information or when risks are discovered, make prompt updates and notify the app developers and operators.
(4) Construct terminal security walls
10. Strengthen the management of app usage. Provide functions for closing automatic or linked app initiation, as well as options for resetting related device identification codes, strengthen monitoring of silent app downloads and hot updates, and prevent unauthorized activation, downloads, and installation without the users’ consent.
11. Strengthen recording of and alerts on app activity. Enhance the capacity for recording changes of permissions and facilitate user inquiries into adjustments of permissions. Establish conspicuous prompt mechanisms for the status of permission use, such as for address books, microphones, cameras, positioning, and clipboards, to ensure that users can promptly and accurately learn about the status of personal information collection.
12. Improve apps’ risk alert capacity. Promote the development of digital signature authentication for apps and give warning prompts to users, increasing the ability to recognize counterfeit, adverse, illegal, and otherwise risky apps.
(5) Solidify enterprise responsibility for access
13. Correctly register information. When providing network access services for apps and SDKs, register and verify the true identity, contact methods, and other information on the app or SDK developers and operators to increase trackability.
14. Ensure effective dispositions. In accordance with the requirements of the departments for telecommunications regulation, lawfully employ necessary measures against apps and SDKs such as stopping connections to effectively prevent their illegal conduct that harms users’ rights and interests.
III. Work Requirements
(1) Take hold of organization and implementation. Each unit should adhere to the people-centric concept of development, raising its political position, strengthening responsibility, refining resolution tasks, and earnestly taking hold of the implementation of this notice to ensure its success. Related enterprises should implement primary responsibility and conduct self-inspections and corrections with reference to this notice, to protect users’ lawful rights and interests. At the same time, establish long-term mechanisms and innovate models and methods, to continuously increase the level of mobile application services and continuously increase users’ feelings of benefit, happiness, and security.
(2) Strengthen guidance and oversight. The Ministry of Industry and Information Technology is to complete and improve mechanisms for evaluation, reporting, ranking, and displays, promoting the firm and orderly development of work, and promptly summarizing and spreading exceptional cases, experiences, and methods. Each local bureau for telecommunications administration should strengthen oversight and inspections, guiding and spurring local enterprises to implement all requirements of this notice. Where implementation is unsatisfactory or illegal conduct occurs, lawfully employ measures such as ordering corrections in a set period of time, making public announcements, and organizing removals from the market, for stern investigation and handling of accountability.
(3) Strengthen technical operations. The China Academy of Information and Communications Technology should organize industry forces to comprehensively use new technical means such as AI and big data to increase the creation of a national public service platform for the testing and authentication of mobile internet applications, and complete efforts such as technical testing, monitoring services, and regulatory support. Actively spread trackable technical measures such as digital signature authentication to promote increased capacity for managing services.
(4) Promote industry self-discipline. Encourage industry associations and related bodies to draft industry self-regulation conventions, technical standards, and service specifications, and strengthen assessment authentication and the cultivation of talent. Further clear channels for hearing public comments, promote exchanges and interactions between all sides, lead enterprise to operate compliantly and in accordance with law, continuously optimize and improve services, create a positive environment of striving for excellence and mutual progress, and promote high-quality development through high-quality services.
Ministry of Industry and Information Technology