[Source] http://www.cac.gov.cn/2019-08/08/c_1124853418.htm [Period for Submitting Comments] August 31, 2019 [Contact for Comments] Wang Jiao 010-64102730 wangjiao@cesi.cn
1. Scope
These standards specify the basic requirements to be satisfied when mobile internet applications collect personal information, and are used to regulate mobile internet application businesses' collection of personal information.
These standards apply to the development and operation of mobile Internet applications, and can also be used for technology assessment, supervision and inspection of mobile Internet applications.
2. Normative Reference Documents
The following documents are indispensable for the application of these Standards. For dated reference documents, only the dated version is applied for this document. For undated reference documents, the newest version (including all revision lists) is applied for this document.
GB/T 25069—2010 Information Security Technology Terminology
3. Abbreviations
The following terms and definitions and those defined in GB/T 25069—2010 and GB/T 35273 apply to this document.
3.1 智能移动终端 intelligent mobile terminal
Terminal Products installed with an open operating system capable of using wireless mobile communications technology to achieve internet access, and provide services to users through the installation of application software and digital content.
3.2 移动互联网应用 mobile internet application
Application programs installed and run on intelligent mobile terminals, App for short.
3.3 服务类型 service type
Operation types provided by Apps to satisfy user demand.
3.4 最少信息 least (minimum) information
The personal information necessary to ensure the normal operation of a certain service type, including personal information directly related to the service type that once missing will lead to inability to carry out or normally operate that service type, as well as personal information that laws, regulations, and normative documents require be collected.
3.5 最小权限范围 least (minimum) permission range
The minimum system permissions required to ensure the normal operation of a certain service type.
3.6 移动互联网应用运营者 mobile internet application operator
Refers to the owners or managers of mobile internet applications.
4. Basic Requirements for Apps' Collection of Personal Information
4.1 Management Requirements
Apps' collection of personal information should satisfy the following management requirements:
a) App operators should perform obligations to protect personal information, employ necessary security measures, and ensure the security of users' personal information.
b) When users agree to Apps' collection of the minimum information for a certain service type, the App must not refuse to provide that type of service due to the users' refusal to provide information other than the minimum information.
NOTE: Appendix A lists commonly seen App service types and the corresponding minimum information.
c) Apps must not collect personal information that is unrelated to the services provided.
d) Apps should first obtain users' explicit consent before sharing or transferring personal information externally. Where users do not consent, users' personal information must not be shared or transferred externally.
e) Apps must not collect immutable and unique equipment identifiers (such as IMEI numbers, MAC addresses, etc.) except for use in ensuring network or operational security.
f) After users explicitly refuse use of a certain service type, the App must not excessively (such as more than once every 48 hours) solicit users' consent to use the service, and is to ensure the normal use of other service types.
g) Apps should be responsible for collection of personal information by third-party code and plug-ins they use. Collection of personal information by third-party code or plugins is viewed as collection by the App, and Apps should prevent third-party code and plug-ins from collecting irrelevant personal information.
NOTE: If third-party code or plug-ins express the goals, methods, and scope of their collection and use of personal information to users on their own, and obtain users' consent, the third-party code or plug-ins independently bear responsibility for their collection of personal information.
4.2 Technical Requirements
Apps' collection of personal information should satisfy the following technical requirements:
a) When the personal information collected exceeds the minimum information for the service type, the App should obtain users' explicit consent for each piece of information in the excessive part.
b) When the same App has 2 or more service types, the App should permit users to initiate or exit service types one by one, with easily operated methods for initiation and exit.
c) After users exit a certain service type, the App should terminate that service type's activities collecting personal data, and delete or anonymize personal information used only for that service type.
d) When requesting personal information and related permissions, or when requiring users to input personal information, Apps should specify the purpose at each step for the requested permissions or information collection.
e) Apps should provide users with real-time inquiry functions into the types of personal information that have been collected, with the results displayed in an independent interface, and the method for making inquiries should be easy to operate.
f) Where there is external sharing or transfer of personal information, Apps should provide users with functions for inquiring into the identity of data recipients, with the results displayed in an independent interface, and the method for making inquiries should be easy to operate.
g) So long as it is technically feasible and does not impact terminals and normal services, Apps should prioritize storage and use of personal information they collect on user terminals.
h) Apps should send personal information to backstage servers at the lowest reasonable rate needed to achieve services.
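The rules in 4.1(b), 4.1(f), 4.2(a) and 4.2(c) can be enforced on the client as a consent ledger that every collection call passes through. The following Python code is an added example, not part of the draft standard: the class, method and key names are hypothetical, the two minimum-information sets are transcribed from Table 1 and Table 20 of Attachment A, and the 48-hour interval is the figure 4.1(f) gives as an illustration.

```python
from dataclasses import dataclass, field
from datetime import timedelta

# Minimum information per service type, transcribed from Table 1 (A.1 Map
# Navigation) and Table 20 (Browsers). The key names are made up for this example.
MINIMUM_INFO = {
    "map_navigation": {"network_logs", "precise_positioning"},
    "browser": {"network_logs"},
}

# 4.1(f) cites "more than once every 48 hours" as an example of excessive prompting.
REPROMPT_INTERVAL = timedelta(hours=48)


@dataclass
class ConsentLedger:
    enabled: set = field(default_factory=set)         # service types the user switched on, 4.2(b)
    item_consent: set = field(default_factory=set)    # (service, item) pairs beyond the minimum, 4.2(a)
    last_refusal: dict = field(default_factory=dict)  # service -> time the user refused it, 4.1(f)
    collected: dict = field(default_factory=dict)     # item -> service types that use it, 4.2(c)

    def enable(self, service):
        self.enabled.add(service)

    def grant_item(self, service, item):
        """Record explicit consent for one item beyond the minimum."""
        self.item_consent.add((service, item))

    def refuse_service(self, service, now):
        self.enabled.discard(service)
        self.last_refusal[service] = now

    def may_prompt(self, service, now):
        """4.1(f): do not ask again within the re-prompt interval after a refusal."""
        last = self.last_refusal.get(service)
        return last is None or now - last >= REPROMPT_INTERVAL

    def collect(self, service, item):
        """Return None and record the item if collection is allowed, else the reason it is not."""
        if service not in self.enabled:
            return "service type not enabled"
        if item not in MINIMUM_INFO[service] and (service, item) not in self.item_consent:
            # 4.1(b): the item is skipped, the service itself stays available.
            return "beyond minimum information, no per-item consent"
        self.collected.setdefault(item, set()).add(service)
        return None

    def exit_service(self, service):
        """4.2(c): stop collecting and return items used only by this service type."""
        self.enabled.discard(service)
        self.item_consent = {(s, i) for (s, i) in self.item_consent if s != service}
        to_erase = []
        for item in list(self.collected):
            users = self.collected[item]
            if service in users:
                users.discard(service)
                if not users:
                    to_erase.append(item)
                    del self.collected[item]
        return sorted(to_erase)


def demo():
    """Constructed scenario: one App offering two service types."""
    ledger = ConsentLedger()
    ledger.enable("map_navigation")
    ledger.enable("browser")
    outcomes = [
        ledger.collect("map_navigation", "precise_positioning"),
        ledger.collect("browser", "network_logs"),
        ledger.collect("map_navigation", "network_logs"),
        ledger.collect("browser", "precise_positioning"),  # not in the browser minimum
        ledger.collect("map_navigation", "address_book"),   # not in the navigation minimum
    ]
    ledger.grant_item("map_navigation", "address_book")
    outcomes.append(ledger.collect("map_navigation", "address_book"))
    erased = ledger.exit_service("map_navigation")
    return outcomes, erased, ledger


if __name__ == "__main__":
    outcomes, erased, _ = demo()
    print(outcomes)
    print("erase or anonymize:", erased)
```

Items shared with a service type that is still enabled (here the network logs also used by the browser) are not returned for erasure when the other service type is exited.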
Attachment A (Normative Attachment) Minimum Information for Commonly Used Service Categories
This Appendix designates the minimum information that may be collected for 21 common service types such as Mapping and Navigation, Online Ride Hailing, Instant Messaging, Blogs and Forums, Online Payments, News, Online Purchasing.
A.1 Map Navigation
Provide Users with Internet Mapping and Navigation Functions. The minimum information for this service type is displayed in Table 1:
Table 1 - Minimum Information for Map Navigation Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal information required to carry out services | Precise Positioning Information | Precision positioning information is to be used only to determine user's location and carry out map search displays and navigation services. |
A.2 Online Ride Hailing
Provide Users with Online Ride Hailing (not including car rentals) services. The minimum information for this service type is displayed in Table 2:
Table 2 - Minimum Information for Online Ride Hailing Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Information Content Published by Users Identity Verification Information Order Logs, and Logs of Going Online Logs of Routes Travelled | "Temporary Provisions on the Management of Online Car Hailing Operations Services" |
Personal Information required by laws and regulations | Transaction Information | "E-commerce Law" "Temporary Measures on the Management of Online Transactions" "Temporary Provisions on the Management of Online Car Hailing Operations Services" |
Personal information required to carry out services | Account Information • Account Numbers • Passwords | Used only to identify online ride hail users and to ensure accounts' information security |
Personal information required to carry out services | Location information • Precision positioning information • Users' starting locations • Users' destinations | Precision positioning information is to be used only to determine users' current position, to recommend nearby places to board, and to search for and display nearby car information. |
Personal information required to carry out services | Third-party payment methods | Used only for users paying for ride hailing orders through third-party payment methods. |
A.3 Instant Messaging
Providing communications services to users using formats such as text, voice, or video; or social interaction services based on instant messaging. The minimum information for this service type is displayed in Table 3:
Table 3 - Minimum Information for Instant Messaging Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" "Internet Group Information Service Management Provisions" |
Personal Information required by laws and regulations | Information collected only from public account information public service users: • Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify instant messenger users, and to ensure account information security and user's conversations and exchanges |
Personal information required to carry out services | Friend lists | Includes friend lists and friend information, to be used only to establish and manage user contact relationships for users of instant messaging. Users should be permitted to manually add friends in the instant messaging App, and users' communications records are not to be required to be read. |
Personal information required to carry out services | Group lists | Used only to carry out group chat functions. |
A.4 Blogs and Forums
Providing users with services such as blogs, forums, or communities, including functions such as topic discussions, information sharing, and interactive following. The minimum information for this service type is displayed in Table 4:
Table 4 - Minimum Information for Blog and Forum Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" "Internet Group Information Service Management Provisions" |
Personal Information required by laws and regulations | Information collected only from public account information public service users: • Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
Personal information required to carry out services | Account Information • Account Numbers • Passwords | Used only in identifying blog/forum users, ensuring account information security, and interactive exchanges. |
Personal information required to carry out services | User follow lists (including followed content and lists of followed users) | Followed content is only used to establish and manage follower relationships between users and community content (such as followed columns or followed topics) and to show and push followed content to users. Lists of followed users are used only to establish and manage follower relationships between community users, as well as displaying or pushing to users any graphics and information, audiovisuals, links, and so forth, that are published by users they follow. Users should be permitted to manually set up followed users in the use of blogs and forums, and should not be compelled to give access to their address book. |
A.5 Online Payments
Providing users with services transferring funds between recipients (such as non-bank payments or online bank payment) including functions such as payments, withdrawals, transfers, billing. The minimum information for this service type is displayed in Table 5:
Table 5 - Minimum Information for Online Payment Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Identification Information • Full Names | "Measures on the Administration of Payment Services by Non-Financial Institution" |
Personal Information required by laws and regulations | Customer Operation Activity | "Measures on the Administration of Online Payment Operations by Non-Banking Establishments" |
Personal Information required by laws and regulations | Transaction Information | "E-commerce Law" "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify online payment users and ensure account information security. |
Personal information required to carry out services | Bank Account Information • The name on the Bank Account | Used only to link bank and payment cards, authenticate bank card identity, top-off recharging, withdrawal, and transfer functions. |
Personal information required to carry out services | Transaction authentication information (users may choose one at payment) • Static Passwords | Only used to verify users' true identity and to ensure the security of users' accounts and funds. |
A.6 News
Providing users with news information services such as graphics, audio, and video, including functions for browsing, searching, and publishing news information. The minimum information for this service type is displayed in Table 6:
Table 6 - Minimum Information for News Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Collected only from users using information publishing functions: • Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" "Internet Group Information Service Management Provisions" |
Personal Information required by laws and regulations | Collected only from users using information publishing functions: Account Number Operations times and types Network source and destination addresses and network source ports Client Terminal Hardware Characteristics Records of User Published Information | "Provisions on the Security Assessment of Internet Information Services that have Public Opinion Properties or the Capacity for Social Mobilization" |
Personal Information required by laws and regulations | Information collected only from public account information public service users: • Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
Personal information required to carry out services | None | N/A |
A.7 Online Purchasing
Providing users with service types for online purchase of goods or services, including functions for displaying, searching, placing orders, and paying for goods. The minimum information for this service type is displayed in Table 7:
Table 7 - Minimum Information For Online Purchasing
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Purchase and Transaction Information | "E-commerce Law" "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify online purchasing users and to ensure account information security. |
Personal information required to carry out services | Recipient Information • Full Names | Used only when goods are received to identify recipients and delivered goods, and to contact recipients. |
Personal information required to carry out services | Third-party payment methods | Used only for users' utilization of third-party payment methods to pay for online purchasing orders. |
A.8 Short Video
Providing users with short video services, including functions such as for browsing, searching, creating, and publishing short videos, and for social interaction. The minimum information for this service type is displayed in Table 8:
Table 8 - Minimum Information for Short Video Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Collected only from users using information publishing functions: • Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" "Internet Group Information Service Management Provisions" |
Personal Information required by laws and regulations | Collected only from users using information publishing functions: Account Number Operations times and types Network source and destination addresses and network source ports Client Terminal Hardware Characteristics Records of User Published Information | "Provisions on the Security Assessment of Internet Information Services that have Public Opinion Properties or the Capacity for Social Mobilization" |
Personal Information required by laws and regulations | Information collected only from public account information public service users: • Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
Personal information required to carry out services | None | N/A |
A.9 Express Delivery
Providing users with express delivery services for letters, packages, printed materials, and other items; including functions for sending, checking, and receiving items. The minimum information for this service type is displayed in Table 10:
Table 10 - Minimum Information for Express Delivery Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
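Personal information required to carry out services | Basic Sender Information • Full Names | Used only to carry out delivery sending and receipt functions |
Personal information required to carry out services | Basic Recipient Information • Full Names | Used only to carry out delivery sending and receipt functions |
Personal information required to carry out services | Courier Shipping Number | Used only to carry out delivery check functions and identify packages |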
The information listed in Table 10 is primarily aimed at the domestic courier situation, and it does not include recipient information and customs clearance information required for the international situation, as well as payment information required for added services such as collection on delivery. In addition, on the basis of the requirements of the "Provisional Regulations on Courier Services", enterprises operating as couriers that receive items for shipping should conduct an inspection of and register the senders' identification information, but mobile internet applications that have express delivery type services are not usually to collect related identification information.
A.10 Food and Beverage Take Out
Providing users with food and beverage take out information and services, including delivery and in-store pickup functions for food and beverages. The minimum information for this service type is displayed in Table 11:
Table 11 - Minimum Information for Food and Beverage Take Out Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Transaction Information | "Measures on Safety Oversight and Management of Online Food and Beverage Services" "E-commerce Law" "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify food and beverage take out users and to ensure the safety of their account information. |
Personal information required to carry out services | Location information | Used only to display information on nearby take out stores to users, and facilitate users' selection of delivery addresses. |
Personal information required to carry out services | Contact Person Information • Name of Contact Person | Used only for sellers and delivery personnel to contact the users and for delivery personnel to make deliveries; the full name need not be real. |
Personal information required to carry out services | Third-party payment methods | Used only for users' utilization of third-party payment methods to pay for food and beverage take out orders. |
A.11 Transportation Ticketing Services
Providing users with ticketing services related to transportation, including functions such as ticket inquiries, sales, changes, and returns. The minimum information for this service type is displayed in Table 12:
Table 12 - Minimum Information for Transportation Ticketing Services Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Traveler Identification Document Information | "The Public Air Transport Enterprise Aviation Safety and Security Rules" "Measures on the Administration of the Real Name System for Railway Passengers" "Provisions on the Administration of the Real Name System for Waterway Passengers" "Provisions on the Administration of Road Passenger Transport and Passenger Stations" |
Personal Information required by laws and regulations | Collected only from passengers on air travel: • Full Names | "Civil Aviation Law" |
Personal Information required by laws and regulations | Transaction Information | "E-commerce Law" "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify transportation ticketing users and to ensure the security of account information. |
Personal information required to carry out services | Basic Information on Travelers and Contact Persons • Full Name (Contact Person, Traveler) | Used only to carry out ticketing and transportation services for users, including functions such as ticket purchasing, changes, returns, and boarding. |
Personal information required to carry out services | Travel information • Origin | |
A.12 Matchmaking and Dating
Providing users with marriage matchmaking services, including recommending people of the opposite sex and dating. The minimum information for this service type is displayed in Table 13:
Table 13 - Minimum Information for Matchmaking and Dating Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Cybersecurity Law" "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify matchmaking users, and to ensure the security of account information. |
Personal information required to carry out services | Basic personal materials • Personal photos | Used only in representing people of the opposite sex, dating, and other matchmaking services. |
A.13 Job Seeking and Recruitment
Providing users with online job seeking and recruitment services, including functions for publishing, displaying, and searching positions, and submitting resumes. The minimum information for this service type is displayed in Table 14:
Table 14 - Minimum Information for Job Seeking and Recruitment Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Identification Information • Full Names | "Measures on the Storage and Management of Financial Institutions' Client Identity Identification and Client Identification Materials and Transaction Records" "Measures counter-money laundering and counter-terrorism Management for Institutions Engaged in Internet Finance (Provisional)" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify financial lending users and ensure the security of account information. |
Personal information required to carry out services | Bank Account Information • The name on the Bank Account | Used only to carry out linking of credit and debit cards, bank card authentication, borrowing, and repayment functions. |
Personal information required to carry out services | Personal Credit Report Information • People's Bank of China personal credit report | Used only to conduct assessments of user borrowers' personal credit, and determine the amount of credit to authorize. Personal credit reporting information inquiries require user authorization. |
Personal information required to carry out services | Emergency Contact Information • The contact methods for two regular contacts | Used only for financial institutions to press for payment when loans have not been repaid in the time allowed. Users should be permitted to manually input emergency contact information for financial lending applications, and access to user communication records should not be compelled. |
Personal information required to carry out services | Lending transaction records | Used only to carry out inquiries into users' borrowing history and handle user disputes. |
A.14 Finance and Lending
Providing users with personal consumer lending services from financial institutions, including functions such as credit authorization, loans, repayment, and transaction records; 'financial institutions' here refers to banks, consumer finance companies, small loan companies qualified to make loans, and institutions providing online lending services. The minimum information for this service type is displayed in Table 15:
Table 15 - Minimum Information for Finance and Lending Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Identification Information • Full Names | "Measures on the Storage and Management of Financial Institutions' Client Identity Identification and Client Identification Materials and Transaction Records" "Measures counter-money laundering and counter-terrorism Management for Institutions Engaged in Internet Finance (Provisional)" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify financial lending users and ensure the security of account information. |
Personal information required to carry out services | Bank Account Information • The name on the Bank Account • Bank Card Number • Bank Card Expiration Date • Bank Reserved Phone Number | Used only to carry out linking of credit and debit cards, bank card authentication, borrowing, and repayment functions. |
Personal information required to carry out services | Personal Credit Report Information • People's Bank of China personal credit report | Used only to conduct assessments of user borrowers' personal credit, and determine the amount of credit to authorize. Personal credit reporting information inquiries require user authorization. |
Personal information required to carry out services | Emergency Contact Information • The contact methods for two regular contacts | Used only for financial institutions to press for payment when loans have not been repaid in the time allowed. Users should be permitted to manually input emergency contact information for financial lending applications, and access to user communication records should not be compelled. |
Personal information required to carry out services | Lending transaction records | Used only to carry out inquiries into users' borrowing history and handle user disputes. |
A.15 Housing Rentals and Sales
Providing users with housing resource information and housing rental services, including functions for the display, searching, and rental of housing. The minimum information for this service type is displayed in Table 16:
Table 16 - Minimum Information for Housing Rentals and Sales Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Transaction Information | "E-commerce Law" "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify housing sale and rental users, and to ensure the security of account information. |
Personal information required to carry out services | Reproductions or photocopies of renters' and owner's identification documents | Used only for identity verification when users rent housing online, as well as identity verification when owners publish housing resource information or lease housing online. |
Personal information required to carry out services | Information on Real Estate Owners | Used only in the publication and searching of housing source information, and housing leases. |
Personal information required to carry out services | Third-party payment methods | Used only during online lease transactions paying closing fees through third-party payment methods. |
If users only browse housing resource information, the personal information listed in Table 16 need not be collected. Table 16 only lists the personal information collected online through home sales and rental type mobile internet applications. Currently housing sales and rental services usually employ a combination of online and offline methods, with the majority of housing resource information and rentals appearing online, while home sales transactions are still primarily conducted offline; specific collection of information may be based on the requirements of relevant policy documents.
A.16 Second-hand Car Trades
Providing second-hand car trade users with motor vehicle information and second-hand vehicle trade services, including functions such as searching and displaying car resource information, vehicle review, and second-hand car sales. The minimum information for this service type is displayed in Table 17:
Table 17 - Minimum Information for Second-Hand Car Trading Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Transaction Information | "E-commerce Law" "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify second-hand car trading users and to ensure the security of account information. |
Personal information required to carry out services | Vehicle Examination Address | Used only for use in conducting onsite review of car resources before online publication, to facilitate reviewers going to the cars' locations to conduct reviews. |
Personal information required to carry out services | Identity document information for home buyers and sellers • Full Names | Used only for the real name registration and identity verification of second hand car buyers and sellers and completion of vehicle registration, electronic signing of contracts, and other vehicle purchase processes. |
Personal information required to carry out services | Third-party payment methods | Used only in paying service fees to intermediaries in second hand car transactions. |
Table 17 only lists personal information collected online through second-hand car trading type mobile internet applications. Currently second-hand car trading services employ a combination of online and offline methods; the large majority of second-hand car trading is already using contracts electronically signed online, while vehicle inspections, vehicle registration, transfer of title, payment of sale fees, and other phases are still generally carried out offline.
A.17 Exercise and Health
Providing users with exercise recording and health recommendation services, including functions such as fitness management and health recommendations. The minimum information for this service type is displayed in Table 18:
Table 18 - Minimum Information for Exercise and Health Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify exercise and health users, and to ensure the security of account information. |
Personal information required to carry out services | Precise Positioning Information | Precision positioning information is used only to determine users' position in real-time and display users' exercise trajectory. |
Personal information required to carry out services | Personal Exercise Information | Used only to display information on overall status in the course of exercise. |
A.18 Consultation and Appointment Making
Providing users with online consultation and appointment making medical services. The minimum information for this service type is displayed in Table 19:
Table 19 - Minimum Information for Consultation and Appointment Making Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal Information required by laws and regulations | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
Personal Information required by laws and regulations | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
Personal information required to carry out services | Account Information • Account Numbers | Used only to identify users for consultations and appointment making, and to ensure the security of account information. |
Personal information required to carry out services | Patient Identity Information | Used only to verify user identities when making appointments. |
Personal information required to carry out services | Information from patient communications • Description of Symptoms | Used only for doctors to assess patient symptoms during online consultations. |
Personal information required to carry out services | Appointment Making Information • Hospitals | Used only for assisting patients in completing the appointment making process. |
Personal information required to carry out services | Third-party payment methods | Used only for users paying for consultation and appointment making orders through third-party payment methods. |
A.19 Browsers
Providing users with services having functions for browsing online information resources, including functions such as reading web pages, downloading documents, and saving resources. The minimum information for this service type is displayed in Table 20:
Table 20 - Minimum Information for Browser Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal information required to carry out services | None | N/A |
A.20 Input Methods
Services providing users with functions of entering characters through means such as keyboards, handwriting, or voice. The minimum information for this service type is displayed in Table 21:
Table 21 - Minimum Information for Input Method Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal information required to carry out services | None | N/A |
A.21 Security Management
Providing users with functions for killing Trojan Horses, cleaning up malicious plug-ins, fixing bugs, speeding up the system, blocking harassment, permissions management and so forth. The minimum information for this service type is displayed in Table 22:
Table 22 - Minimum Information for Security Management Category
Type | Personal Information | Usage Requirements |
Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
Personal information required to carry out services | None | N/A |
Appendix B (Normative Appendix) Table of Minimum Scope of Permissions for Service Types
This Appendix, targeting dangerous permissions on Android 6.0 and higher, gives the minimum scope of permissions for service types, as follows:
- Mapping and Navigation: Positioning Permissions, Storage Permissions.
- Online Ride Hailing: Positioning Permissions, Phone Call Permissions.
- Instant Messaging: Storage Permissions.
- Blogs and Forums: Storage Permissions.
- Online Payment: Storage Permissions.
- News: None.
- Online Purchasing: None.
- Short Video: Storage Permissions.
- Express Delivery: None.
- Food and Beverage Take Out: Positioning Permissions, Phone Call Permissions.
- Transportation Ticketing Services: None.
- Matchmaking: Storage Permissions.
- Job Seeking and Recruitment: Storage Permissions.
- Financial Lending: Storage Permissions.
- Home Sales and Rentals: Storage Permissions.
- Second-hand Car Trading: Storage Permissions.
- Exercise and Health: Positioning Permissions, Sensor Permissions.
- Consultation and Appointment Setting: Storage Permissions.
- Browsers: None.
- Input Methods: None.
- Security Management: Storage Permissions, Obtaining Application Accounts.
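One way to check an app's manifest against the minimum scopes listed above, as an added example that is not part of the standard: it lists the dangerous permissions a decoded AndroidManifest.xml requests beyond the scope for its service type, so they can be reviewed. The mapping of the Appendix's permission names onto Android 6.0 permission groups, the function name and the sample manifest are assumptions, and only a subset of service types is included.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Android 6.0 dangerous permissions by permission group.
DANGEROUS = {
    "CALENDAR": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "CAMERA": {"CAMERA"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "LOCATION": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "MICROPHONE": {"RECORD_AUDIO"},
    "PHONE": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
              "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS"},
    "SENSORS": {"BODY_SENSORS"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}

# Subset of Appendix B. ASSUMPTION: the Appendix's permission names are mapped
# onto Android groups here, and "Obtaining Application Accounts" onto GET_ACCOUNTS.
MIN_SCOPE = {
    "Mapping and Navigation": {"LOCATION", "STORAGE"},
    "Online Ride Hailing": {"LOCATION", "PHONE"},
    "Exercise and Health": {"LOCATION", "SENSORS"},
    "Browsers": set(),
    "Security Management": {"STORAGE", "GET_ACCOUNTS"},
}

def beyond_minimum_scope(manifest_xml, service_type):
    """Return {group: [permissions]} requested beyond the Appendix B minimum."""
    allowed = MIN_SCOPE[service_type]
    excess = {}
    root = ET.fromstring(manifest_xml)
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            short = name[len(PREFIX):] if name.startswith(PREFIX) else name
            for group, perms in DANGEROUS.items():
                if short in perms and group not in allowed and short not in allowed:
                    excess.setdefault(group, set()).add(short)
    return {group: sorted(perms) for group, perms in excess.items()}

# Constructed sample manifest for a hypothetical exercise-tracking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
```

Calling `beyond_minimum_scope(SAMPLE_MANIFEST, "Exercise and Health")` reports the contacts and microphone requests, while the location and body-sensor requests fall inside that service type's minimum scope.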