In implementing the "Announcement Launching a Special Project Addressing Violations of Laws and Regulations in APP's Collection and Use of Personal Information", the Special Working Group on APP Governance has carried out a security assessment on violations of laws and regulations in APPs' collection and use of personal information under the guidance of the State Internet Information Office, Ministry of Information and Industry, Ministry of Public Security, and State Administration for Market Regulation, and has discovered issues such as compelling authorization, seeking excessive authority, and collection of personal information beyond the scope.
The Special Working Group on APP Governance has drafted the "Measures for Determination of Violations of Laws and Regulations in APPs' Collection and Use of Personal Information (Draft for the Solicitation of Comments)" so as to correctly designate conduct in violation of laws and regulations in APPs' collection and use of personal information, to provide guidance to APP operators for self-inspection and self-correction, and to provide a reference for APP assessments and dispositions; and hereby releases it to the public for solicitation of comments. The public may submit feedback and comments through the following channels:
1. E-mail: pip-02@tc260.org.cn; please indicate "Determination Measures Solicitation of Comments" in the E-mail's subject.
2. Mailing Address: Beijing, Dongcheng District, Chaoyang Nei Avenue, No. 225, Office 636, Zipcode: 100010; please indicate "Determination Measures Solicitation of Comments" on the envelope.
The deadline for comments is May 26, 2019.
Special Working Group on APP Governance
2019/5/5
Measures for Determination of Violations of Laws and Regulations in APPs' Collection and Use of Personal Information (Draft for the Solicitation of Comments)
This document is drafted to implement the "Announcement Launching a Special Project Addressing Violations of Laws and Regulations in APP's Collection and Use of Personal Information", is based on the "Cybersecurity Law" and other laws and regulations, and references the National Standard "Personal Information Security Specifications". [Please see: "Cybersecurity Law", "Personal Information Security Specifications" –CLT]
I. Situations of Not Disclosing Rules for Collection and Use
1. There is no privacy policy or user agreement, or the privacy policy or user agreement does not have relevant content on rules for collection and use.
2. During the installation or use of the APP, no methods such as pop-up windows or links were used to remind the users to read the privacy policy, or the links to the privacy policy did not work so that the text was unable to be displayed normally;
3. After entering the main interface of the APP, the privacy policy can only be accessed by clicking more than four times or scrolling;
4. Other situations violating the requirements for disclosing collection and use.
II. Situations of Not Indicating the Purpose, Method, or Scope of Collection and Use of Personal Information
1. The purpose of collecting or using information violated the principles of legality, propriety, and necessity; such as where the collection of personal information was only to improve program functions, improve user experience, or direct services;
2. Where the types and frequency of personal information collected were not individually listed, especially regarding sensitive personal information;
3. Where there were changes to the purpose, methods, or scope of personal information collected or used, and users were not notified in an appropriate manner; appropriate methods include updating privacy policies and reminding users to read it and give authorization again;
4. Not giving information on the purpose of collection and use when requesting authority to collect personal information; such as not explaining the reasons when requesting access to communications records;
5. Not simultaneously explaining the reasons in real-time every time when requesting users provide sensitive personal information such as identification numbers, bank card numbers, and so forth;
6. The relevant content of the rules for collection and use is cryptic or impenetrable;
7. Other situations of not indicating the purpose, method, or scope of collection and use of personal information.
III. Situations of Collection or Use of Personal Information without Consent
1. Beginning collection of personal information without consent; such as beginning to collect personal information on the APP's initial operation and before instructing users to read privacy policy;
2. Continuing to collect personal information after users clearly refuse, such as continuing to collect geographic positioning information when users do not consent to its collection;
3. Actually collecting and using personal information beyond the scope of users' authorization;
4. Using user information and algorithms to target delivery of news, advertisements, and so forth, without providing an option to stop targeted delivery;
5. Making adjustments to the authority to collect users' personal information without users' consent;
6. The APP makes background calls to users' personal information when they have not opened or used the APP;
7. Changing users' settings on authority without the users' consent, including restoring users' settings to the default settings when the APP is updated;
8. The APP continues to frequently solicit users' consent after the users have clearly rejected the APP's request to collect personal information, disrupting users' normal use;
9. Personal information is collected contrary to agreements with users and not following the rules for collection and use in the privacy policy;
10. Other situations of collection or use of personal information without consent.
IV. Situations of Violating the Principle of Necessity to Collect Personal Information Unrelated to the Services Provided
1. The types of personal information actually collected are unrelated to current operational functions, where 'unrelated' means that type of information is not necessary for implementing current operational functions;
2. When users use operational functions, the frequency and so forth of personal information collection exceeds the requirements of the operational functions;
3. Seeking a single consent from users for multiple bundled operational functions, and not providing any of the individual services without that consent;
4. When users refuse one operational function's request to collect personal information, the APP stops providing other operational functions;
5. If providing operational functions that do not require logging in (such as browsing or guest modes), and users do not consent to the collection of personal information other than that required for this type of operational function, the APP refuses to provide all services;
6. When adding operational functions that require personal information beyond the original scope of consent, refusing to provide the original operational functions if the user does not consent to collection; except where the new operational functions replace the original operational functions;
7. Requesting authority to access collectible information unrelated to the services provided;
8. Other situations of collecting personal information unrelated to the services provided;
V. Situations of Providing Personal Information to Others without Consent
1. Without consent and without anonymization processing, directly transferring personal information from the client-side terminal to third parties, including provision to third parties by embedding third-party code or plugins (such as SDKs) and other such methods;
2. After data is transmitted to APP servers, personal information that has been collected is transferred to third parties without consent and without anonymization processing.
3. Other situations of providing others with personal information without consent.
VI. Situations of not Following Law to Provide Functions for Deletion or Correcting Personal Information
1. Not providing functions for correcting or deleting personal information, or for deregistering accounts;
2. Where there is no response to users carrying out the relevant procedures through the provided online interface, customer phone line, E-mail, and so forth;
3. Where manual processing is required, not completing the review and processing within promised time (and where there is no promised time, within 15 working days).
4. After corrections, deletions, or deregistration procedures are indicated as complete, there is still no way to correct or delete personal information or deregister accounts;
5. Other situations of not employing measures for deletion or correction.
VII. Situations of Violating the Lawful Rights and Interests of Minors in Cyberspace
1. Collecting or using the personal information of minors under the age of 14 without the guardians' consent;
2. Using personal information and algorithms for targeted service activities such as the individualized delivery of news, current events information, or advertisements, without the guardians' consent.