Means for Determination of Violations of Laws and Regulations in Apps' Collection and Use of Personal Information

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS –THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.


The following Means are drafted based on the "Announcement of the Launch of the Special Governance Action on Violations of Laws and Regulations in Apps' Collection and Use of Personal Information" so as to provide a reference for oversight and management departments in determining violations of laws and regulations in the collection and use of personal information; so as to provide guidance to App operators conducting self-inspections and corrections, and to public oversight by internet users; and to implement the "Cybersecurity Law" and other such laws and regulations.

I. The following conduct may be found to be "not disclosing rules for collection and use"

1. Having no privacy policy in an App, or having no rules on the collection and use of personal information in the privacy policy;

2. Failure to use a pop-up window or other conspicuous method on first use of the App, reminding users to read the privacy policy and other such collection and usage rules.

3. The privacy policy or other such collection and usage rules being difficult to access, such as requiring 4 or more clicks or other operations after entering the App's main interface before they can be accessed.

4. The privacy policy or other such collection and usage rules being difficult to read, such as the text being too small or dense, the color too light, blurriness, or failure to provide a Chinese language version.

II. The following conduct may be found to be "not indicating the purpose, method, or scope of collection and use of personal information"

1. Not listing the goals, methods, and scope of the collection and use of personal information by an App (including third party code or plugins that are commissioned or embedded);

2. Failing to notify users in an appropriate fashion when there were changes to the purpose, methods, or scope of personal information collected or used; appropriate methods include updating privacy policies or other rules on the collection and use of personal information and reminding users to read them;

3. When requesting authority to collect personal information, or requesting to collect user ID numbers, bank account numbers, location tracking, or other sensitive information, failing to simultaneously inform users of the purpose, or where the purpose is unclear or difficult to understand;

4. The relevant content of the rules for collection and use is cryptic or impenetrable, and difficult for users to understand, such as where they use large amounts of specialized language.

III. The following conduct may be found to be "collection or use of personal information without user consent."

1. Beginning collection of personal information or turning on permissions that can collect personal information before getting users' consent;

2. Still collecting personal information or turning on permissions that can collect personal information after users clearly express that they do not consent, or disrupting users' normal use by frequently requesting that they give consent;

3. Actually collecting personal information or turning on permissions that can collect personal information beyond the scope of users' authorization;

4. Having the default selection be consent to the privacy policy, or seeking user consent through other unclear methods;

5. Changing the status of users' set-up permissions that can collect personal information without the users' consent, such as automatically restoring users' set-up permissions to the default state when updating the App;

6. Using users' personal information and push algorithms to deliver information, and not providing an option to not have pushed information delivered;

7. Using fraud, trickery, or other improper methods to mislead users into consenting to the collection of personal information or turning on permissions that can collect personal information, such as intentionally disguising or hiding the true purpose for collecting personal information;

8. Not providing users with channels or methods for revoking their consent to the collection of personal information;

9. Violating their stated collection and usage rules in the collection and use of personal information.

IV. The following conduct may be found to be "violating the principle of necessity to collect personal information unrelated to the services provided"

1. The types of personal information collected or that can be collected by permissions that were turned on are unrelated to current operational functions;

2. Refusing to provide operational functions to users who do not consent to the collection of unnecessary personal information or the turning on of unnecessary permissions.

3. When Apps request to add operational functions that require personal information beyond the original scope of consent, refusing to provide the original operational functions if the user does not consent; except where the new operational functions replace the original operational functions;

4. Where the frequency of personal information collection and so forth exceeds the requirements of the actual operational functions;

5. Coercively requiring users to consent to the collection of their personal information solely on the grounds of improving service quality, improving user experience, targeting information delivery, or researching new products.

6. Requiring users to give a single consent to turning on multiple permissions that can collect personal information, where users who don't consent are unable to continue use.

V. The following conduct may be found to be "providing personal information to others without consent."

1. Where without either user consent or anonymization processing, Apps directly provide personal information from the client-side terminal to third parties, including the provision of personal information to third parties by embedded third party code or plugins and other such methods;

2. Where without either user consent or anonymization processing, after data is transferred to the App backend servers, personal information is provided to third parties;

3. Without user consent, Apps provide personal information to third-party applications that they access.

VI. The following conduct may be found to be "not following law to provide functions for deletion or correction of personal information" or "failure to announce information such as the methods for making complaints or reports"

1. Not providing effective functions for correcting or deleting personal information, as well as for deregistering accounts;

2. Setting up unnecessary or unreasonable requirements for correcting or deleting personal information or for deregistering accounts.

3. Where functions for correcting or deleting personal information, as well as for deregistering accounts, are provided, but users' use of them is not promptly responded to; where manual processing is required, not completing review and handling within the promised time limits (the promised time limits must not exceed 15 working days, and where there are no limits promised, the limit is 15 working days);

4. Where users' operations for correcting or deleting personal information or for deregistering accounts have been implemented and finalized on the client side, but are not completed by the App's back-end;

5. Failure to establish and announce channels for making complaints and reports about personal information security, or failing to accept and address them within the promised time limits (the promised time limits must not exceed 15 working days, and where there are no limits promised, the limit is 15 working days).
