
Notice on the issuance of the "Method for Identifying the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations"
December 30, 2019 08:00

Source: Chinese Letter

Secretariat of the National Internet Information Office

General Office of the Ministry of Industry and Information Technology

General Office of the Ministry of Public Security

General Office of the State Administration for Market Regulation

Notice on the issuance of the "Method for Identifying the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations"

Secret Word (2019) No. 191 of the State Information Office

To the Information Offices, Communications Administrations, Public Security Departments (bureaus), and Market Supervision Bureaus (departments, committees) of all provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps:

In accordance with the "Announcement on Special Governance of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations", and in order to provide a reference for identifying the collection and use of personal information by Apps in violation of laws and regulations and to implement the "Network Security Law" and other laws and regulations, the National Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation have jointly formulated the "Method for Identifying the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations". It is hereby issued to you; please refer to it in implementation in light of the realities of supervision and law enforcement work.

Secretariat of the National Internet Information Office

General Office of the Ministry of Industry and Information Technology

General Office of the Ministry of Public Security

General Office of the State Administration for Market Regulation

November 28, 2019

Method for Identifying the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations

In accordance with the "Announcement on Special Governance of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations", this Method is formulated to provide a reference for supervision and management departments in identifying the collection and use of personal information by Apps in violation of laws and regulations, to provide guidance for App operators' self-inspection and self-correction and for public supervision, and to implement the "Network Security Law" and other laws and regulations.

1. The following can be identified as "undisclosed collection and use rules"

1. There is no privacy policy in the App, or there are no rules for collecting and using personal information in the privacy policy;

2. Failing to prompt the user, through a pop-up window or another obvious means, to read the privacy policy and other collection and use rules when the App is first run;

3. The privacy policy and other collection and use rules are difficult to access; for example, after entering the main interface of the App, more than 4 clicks or other operations are needed to reach them;

4. The privacy policy and other collection and use rules are difficult to read; for example, the text is too small or too dense, too light in color, or indistinct, or no Simplified Chinese version is provided.

2. The following actions can be identified as "failing to make clear the purpose, method, and scope of the collection and use of personal information"

1. Failing to list, item by item, the purpose, method, scope, etc. of the collection and use of personal information by the App (including commissioned third parties and embedded third-party code and plug-ins);

2. When the purpose, method, or scope of the collection and use of personal information changes, failing to notify the user in an appropriate manner; appropriate manners include updating the privacy policy and other collection and use rules and reminding the user to read them;

3. When requesting a permission that can collect personal information, or when requesting to collect sensitive personal information such as the user's ID number, bank account number, or movement trajectory, failing to inform the user of the purpose, or stating the purpose in a way that is unclear and difficult to understand;

4. The content of the collection and use rules is obscure, lengthy, and cumbersome, and difficult for users to understand, for example because it uses a large number of specialist terms.

3. The following can be identified as "collecting and using personal information without the user's consent"

1. Starting to collect personal information, or enabling a permission that can collect personal information, before obtaining the user's consent;

2. After the user has expressly disagreed, still collecting personal information or enabling a permission that can collect personal information, or repeatedly asking for the user's consent and disturbing the user's normal use;

3. The personal information actually collected, or the permissions enabled that can collect personal information, exceed the scope of the user's authorization;

4. Seeking user consent in a non-explicit way, such as having agreement to the privacy policy selected by default;

5. Changing, without the user's consent, the status of permissions the user has set for collecting personal information, such as automatically restoring user-set permissions to their default status when the App is updated;

6. Using the user's personal information and algorithms to push targeted information without providing an option for non-targeted information;

7. Misleading users into agreeing to the collection of personal information, or into enabling a permission that can collect personal information, by fraud, deception, or other improper means, such as deliberately concealing or disguising the true purpose of collecting and using personal information;

8. Failing to provide users with ways and methods to withdraw consent to collect personal information;

9. Collecting and using personal information in violation of its own stated collection and use rules.

4. The following actions can be determined as "violating the principle of necessity and collecting personal information that is not related to the service provided"

1. The type of personal information collected, or the permission enabled that can collect personal information, is unrelated to existing business functions;

2. Refusing to provide business functions because the user does not agree to the collection of unnecessary personal information or to enabling unnecessary permissions;

3. Where a new business function of the App requests to collect personal information beyond the scope of the user's original consent, refusing to provide the original business functions if the user does not agree, except where the new business function replaces the original business function;

4. The frequency of collecting personal information exceeds the actual needs of business functions;

5. Forcing users to agree to the collection of personal information solely on the grounds of improving service quality, enhancing user experience, pushing targeted information, developing new products, etc.;

6. Requiring the user to agree, all at once, to enable multiple permissions that can collect personal information, and making the App unusable if the user does not agree.

5. The following actions can be determined as "providing personal information to others without consent"

1. Without the user's consent and without anonymization, the App client directly provides personal information to a third party, including providing personal information to third parties through third-party code or plug-ins embedded in the client;

2. Without the user's consent and without anonymization, the collected personal information is provided to a third party after the data has been transmitted to the App's back-end server;

3. The App connects to a third-party application and provides personal information to that third-party application without the user's consent.

6. The following actions can be determined as "failure to provide the function of deleting or correcting personal information as required by law" or "not publishing information such as complaints, reporting methods, etc."

1. Failing to provide effective functions for correcting or deleting personal information and for canceling user accounts;

2. Setting unnecessary or unreasonable conditions for correcting or deleting personal information or for canceling user accounts;

3. Although functions for correcting or deleting personal information and for canceling user accounts are provided, failing to respond to the user's corresponding operations in a timely manner, or, where handling is required, failing to complete inspection and processing within the promised time limit (the promised time limit shall not exceed 15 working days; if there is no promised time limit, the limit is 15 working days);

4. User operations such as correcting or deleting personal information or canceling a user account have been carried out, but the App's back end has not completed them;

5. Failing to establish and publish channels for personal information security complaints and reports, or failing to accept and handle them within the promised time limit (the promised time limit shall not exceed 15 working days; if there is no promised time limit, the limit is 15 working days).

