Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications

Promulgation Date: 2021-3-12
Title: 关于印发《常见类型移动互联网应用程序必要个人信息范围规定》的通知
Document Number:国信办秘字〔2021〕14号
Expiration date: 
Promulgating Entities: 国家互联网信息办公室 工业和信息化部办公厅 公安部办公厅等
Source of text: http://www.cac.gov.cn/2021-03/22/c_1617990997054277.htm

To the internet information departments, telecommunications administration bureaus, public security departments (bureaus), and market oversight and management bureaus (offices or commissions) of each province, autonomous region, or directly governed municipality, as well as of the Xinjiang Production and Construction Corps:

In order to implement the PRC Cybersecurity Law's provisions that 'network operators collection and use of personal information shall comply with the principles of legality, propriety, and necessity' and the 'network operators must not collect personal information unrelated to the services they provide", The State Internet Information Office, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration of Market Regulation have jointly drafted these Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications to clarify that mobile internet application (App) operators must not refuse to provide users with Apps' basic functions or services due to users not consenting to the collection of their unnecessary private information.

The Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications are hereby released to you; please guide App operators in your region to understand and implement them, and strengthen oversight and inspections, promptly investigating and addressing the collection and use of personal information in violation of laws and regulations to truly preserve the lawful rights and interests of citizens' in cyberspace.

Notice is hereby given.

Secretariat of the State Internet Information Office

General Office of the Ministry of Industry and Information Technology

General Office of the Ministry of Public Security

General Office of the State Administration for Market Regulation

March 12, 2021

Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications

Article 1: These Provisions are formulated on the basis of the "PRC Cybersecurity Law" in order to regulate the collection of personal information by mobile internet applications (Apps) and to to safeguard the security of citizens' personal information.

Article 2: Where Apps running on mobile smart terminals collect users' personal information, they shall comply with these Provisions. Where laws, administrative regulations, department rules, or normative documents have distinct provisions, follow those provisions.

Apps include application software preloaded or downloaded and installed on mobile smart terminals, and mini applications developed on the basis of open platforms on application software that can be used without requiring installation by users.

Article 3: Necessary personal information as provided in these Provisions refers to the personal information necessary to ensure the normal operation of Apps' basic functions and services without which the Apps cannot provide basic functions and services. It specifically refers to the personal information of consumer-side users, and does not include the personal information of service provider users.

Article 4: Apps must not reject users' use of basic functions and services because the users did not agree to provide unnecessary personal information.

Article 5: The range of necessary personal information for common types of apps:

(1) maps and navigation, with basic functions of 'positioning and navigation, necessary personal information is: positioning information, starting points, destination points.

(2) Online car-hailing, with basic functions and services of booking car trips and electronic cab hailing, and necessary personal information of: (1) the registered user's mobile phone number or other real identity information (the App provider is to provide a variety of options, for the user to choose one). (2) The departure place, arrival place, location information, and tracking of passengers.

1. Registered users' mobile phone numbers;

2. Car passengers' origins and destinations, positioning information, tracking;

3. Payment information such as the times, amounts, and methods of payment (for online car-hailing services).

(3） Instant messaging, with basic functions and services of 'providing text, image, speech, video, or other instant communication services, and the necessary personal information includes:

1. Registered users' mobile phone numbers;

2. Account information: accounts，list of the instant messaging contacts' accounts.

(4) Online Communities with basic functions and services of "topical discussion, information sharing, following and interaction on blogs, forums, communities, and so forth; with necessary personal information of: registered users' mobile phone numbers.

(5) Online Payment, with basic functions of "online payment, cash withdrawals, transfers, and other such functions"; and necessary personal information including:

1. Registered users' mobile phone numbers;

2. Registered users' names, identification document type, number, and expiration dates, and bank card numbers.

(6) Online shopping; with basic functions or services of "product purchases"; and necessary personal information including:

1. Registered users' mobile phone numbers;

2. Recipient's name (business name), address, contact telephone;

3. Payment information such as the time, amount, and method of payments.

(7) Food and Beverage ;with basic functions or services of 'food and beverage purchases and delivery", and with necessary personal information including:

1. Registered users' mobile phone numbers;

2. Recipient's name (business name), address, contact telephone;

3. Payment information such as the time, amount, and method of payments.

(8) Mail and Courrier; with basic functions and service of "delivery services for letters, parcels, printed material, and other items", and with necessary personal information including:

1. Identification information such as the sender's name, identification type and number;

2. The sender's address and contact phone number;

3. The recipient's name (business name), address, and contact telephone;

4. The name, nature, and number of items being shipped.

(9) Transportation ticketing with basic functions or services service being " Transportation-related ticketing services and trip management (like ticket sales, changes, returns, trip management, etc.)" and with necessary personal information including:

1. Registered users' mobile phone numbers;

2. The traveller's name, identification type and number, and type of traveller. Traveller types generally include children, adults, students, and so forth;

3. Passengers' place of departure, destination, departure time, car/boat/flight number, seat/cabin class, seat number (if any), license plate number and color (ETC service);

4. Payment information such as the time, amount, and method of payment;

(10) Marriage and Dating; with basic functions of "Marriage and Dating", and with necessary personal information including:

1. Registered users' mobile phone numbers;

2. The sex, age, and marital status of the person for marriage and dating.

(11) Job search and recruitment, with basic functions or services of "Job information queries and job-seeker resume delivery" and with necessary personal information including:

1. Registered users' mobile phone numbers;

2. Resumes provided by the job applicants.

(12) Online lending; with basic functions or services of "individual loan application services realized through Internet platforms for consumer, daily production, or business turnover purposes; Necessary personal information:

1. Registered users' mobile phone numbers;

2. The borrower's name, identification type and number, ID expiration date, bank card number.

(13) Housing Rentals and Sales; with the basic functions or services of "personal housing resource information publication, housing rental or sales", and with necessary personal information including:

1. Registered users' mobile phone numbers;

(2) Basic information for housing: The house address, area/house type, asking sale price or rent.

(14) Second-Hand Cars; with basic functions or services of "second-hand car salse and information exchange", and with necessary personal information including:

1. Registered users' mobile phone numbers;

2. The purchaser's name, identification type, and ID number;

3. The seller's name, identification type and number, driver's license number, and vehicle identification number.

(15) Medical Consultation and Booking; with basic functions or services of "online consultation and booking" and necessary personal information including: Necessary personal information:

1. Registered users' mobile phone numbers;

2. When registering, the patient's name, identification type and number, and the hospital and department for the appointment must be provided;

3. A description of the symptoms must be provided when consulting.

(16) Travel Services; with basic functions and services of "publication and booking of travel service products, with necessary personal information including:

1. Registered users' mobile phone numbers;

2. The travellers' destination and time of travel.

3. The travellers' names, ID type and numbers, and contact methods.

(17) Hotel Services; with basic functions or services of "hotel reservations", and necessary personal information including:

1. Registered users' mobile phone numbers;

2. The lodgers' names, contact information, check-in and check-out times, and the name of the hotel.

18. Online Games; with basic functions or services of "providing online game products and services", and with necessary personal information of: registered users' mobile telephone numbers.

(19) Study and education; with basic functions and services of "online tutoring or internet classes, and necessary personal information of registered users' mobile phone numbers.

(20) Local Living; with basic functions or services of "services such as domestic cleaning and repairs, furniture and decor, trading in used goods, and other routine life services, and necessary personal information of： registered users' mobile phone numbers.

(21) Women's Health; with basic functions and services of "Health management services for women such as menstrual management, pregnancy and childcare, and beauty and fitness, with no personal information necessary for use of basic functions or services.

(22) Vehicle services; with basic functions or services of bike-sharing, car-sharing, car rentals, and other such services, and with necessary personal information including:

1. Registered users' mobile phone numbers;

2. the ID type and number, and drivers license information for users that will use the car-share or rental services.

3. Payment information such as the time, amount, and method of payment;

4. Positioning information for users of bike-share bikes or timeshare care rental services.

(23) Investment and financial management; with basic functions or services "investment and financial management services related to stocks, futures, funds, securities, etc.", and with necessary personal information including:

1. Registered users' mobile phone numbers;

(2) The investment and financial management user's name, ID type and number, ID expiration date, and photocopies of the ID.

3. The investment and finance user's capital account, bank card number, or payment account number.

(24) Mobile banking with basic functions and services of " Provision of services such as bank account management, information inquiries, and transfers provided through mobile smart-terminal devices such as mobile phones", and with necessary personal information: including:

1. Registered users' mobile phone numbers;

2. The user's name, ID type and number, ID expiration date, copy of ID, bank card number, and mobile phone number associated with the account at the bank.

3.The recipient's name, bank card number, and bank information when making transfers.

(25) Email and Cloud Drives with basic functions or services of "Email boxes, cloud drives, etc." and necessary personal information of registered users' mobile phone numbers.

(26) Remote Conferencing; with basic functions or services of "providing audio or video conferencing online" and necessary personal information of：registered users' mobile telephone numbers.

(27) Webcast/Livestream; with basic functions or services being "Providing sustained information browsing services such as videos, audio, images, and other forms", with no personal information necessary for the use of basic functions or services.

(28) Online Audio and Video; with basic functions and services of "video and music searching and broadcasting"; with no personal information necessary for the use of basic functions or services.

(29) Short Video; with basic functions of services of "Search and broadcast of videos that do not exceed a set length" and no personal information necessary to use basic functions or services.

(30) News and Information; with basic functions or services of "browsing and searching news information" and no personal information necessary for unis basic functions or services.

(31) Exercise and Fitness; with basic functions and services of "exercise and health training" and no personal information necessary for using basic functions and services.

(32) Browsers; with basic functions or services of "browsing internet information resources" and no personal information necessary for using basic functions or services.

(33) Input Methods; with basic functions or services of "input of text, punctuation, and so forth" and no personal information necessary for using basic functions or services.

(34) Security Management; with basic functions or services of "killing viruses, cleaning malicious plug-ins, fixing vulnerabilities, etc." and no personal information necessary for using basic functions or services.

(35) Electronic Books; with basic functions or services of "E-book searches and reading" and no personal information necessary for using basic functions or services.

(36) Photo Enhancement; with basic functions or services of "photography, aesthetic enhancement, filters, etc" and no personal information necessary for using basic functions or services.

(37) Application Stores; with basic functions or services of "App searches and downloads" and no personal information necessary for using basic functions or services.

(37) Practical Tools with basic functions or services of "Calendars, weather, dictionary translation, calculator, remote control, flashlight, compass, clock/alarm clock, file transfer, file management, wallpaper or ringtones, screenshot, audio recording, archiving, smart device assistants, horoscopes and personality tests, etc." and no personal information necessary for using basic functions or services.

(39) Performance Ticketing Services; with basic functions or services of "performance ticket sales", and necessary personal information including:

1. Registered users' mobile phone numbers;

2. The number of performances and seat numbers (if any);

3. Payment information such as the time, amount, and method of payments.

Article 6: Where any organization or individual discovers conduct violating these Provisions, they may report it to the relevant departments.

After the relevant departments receive reports, they shall address them in accordance with law.

Article 7: These Provisions are to take effect on May 1, 2021.