Yesterday, in response to the requirements of the Personal Information Protection Law of the People's Republic of China, the China Cyberspace Security Association and the National Computer Network Emergency Technology Coordination Center released two draft group standards for public comment: the "App Store App Personal Information Collection, Use and Listing Review and Management Specification (Draft for Comment)" and the "Guidelines for the Protection of Personal Information on Mobile Smart Terminals (Draft for Comment)".
On the collection and use of personal information by apps in app stores, the draft for comment states plainly that platform operators should refuse to list a mobile application if the personal information it collects exceeds the minimum necessary to deliver its functions; if it repeatedly asks for consent after the user has refused to provide non-essential personal information; or if it bundles multiple functions, or bundles necessary and non-essential personal information, in order to induce or force users to agree to its personal information processing rules in one go.
When a platform operator accepts an application from a mobile application to be listed on the platform, it should require the developer to submit, and should verify, at least the following information:
a) Basic information about the mobile application, such as its name, package name, version number, update date and basic functional services;
b) The name of the mobile application developer and the contact details of the person or organization responsible for personal information protection;
c) The full text of the user privacy agreement; where the application provides services to children, a separate children's personal information protection agreement should also be submitted;
d) If the developer fails to provide the above information or provides false information, the platform operator shall refuse to list its mobile application.
Privacy agreement review. If the privacy agreement has any of the following defects, the platform operator shall refuse to list the mobile application:
a) The user is not prompted to read the privacy agreement;
b) Consent to the privacy agreement is solicited with the "agree" option pre-selected by default;
c) The categories of personal information collected are not listed completely, in detail and item by item, together with the necessity of collecting each item and the service delivered or purpose served;
d) The permissions requested are not described completely, in detail and item by item, together with the service or purpose each permission serves, whether the user can refuse to grant it and, if not, why;
e) Embedded SDKs are not listed completely, in detail and item by item, giving each SDK's name, package name, developer name, purpose of embedding, types of personal information collected and system permissions used;
f) The privacy agreement contains unreasonable terms, such as exempting the developer from its main personal information protection obligations or excluding users' main rights and interests in their personal information.
Permission request and invocation review. If a mobile application requests or invokes permissions in any of the following ways, the platform operator shall refuse to list it:
a) Requesting or invoking a permission while the user is not using any function (for example, during App startup);
b) While the user is using a function, requesting or invoking a permission unrelated to delivering that function;
c) Refusing to provide services because the user declines to grant non-essential permissions;
d) After the user has refused to grant non-essential permissions, repeatedly asking for consent in a way that interferes with normal use;
e) Requesting a permission without telling the user its purpose at the same time, or stating a purpose that does not match actual use;
f) Forcing users to grant permissions solely on non-functional grounds such as improving service quality, enhancing user experience, targeted push of information, or developing new products.
Personal information processing behavior review. If a mobile application collects or uses personal information in any of the following ways, the platform operator shall refuse to list it:
a) Inducing or forcing users to agree to the personal information processing rules in one go by bundling multiple functions, or bundling necessary and non-essential personal information; for example, forcing the user to agree to all terms of the privacy agreement when opening the App or when registering and logging in;
b) Collecting personal information beyond the minimum necessary to deliver the function, in terms of the type, frequency, quantity, method, precision or scenario of collection;
c) Refusing to provide services because the user declines to allow collection of non-essential personal information;
d) Turning on non-basic functional services by default, and collecting personal information for them, without the user's independent choice;
e) After the user has refused collection of non-essential personal information, repeatedly asking for consent in a way that interferes with normal use;
f) Collecting sensitive personal information without telling the user its purpose at the same time;
g) Forcing users to agree to the collection of personal information solely on non-functional grounds such as improving service quality, enhancing user experience, targeted push of information, or researching and developing new products;
h) Collecting personal information but failing to provide the claimed function;
i) Failing to provide users with effective channels to query, correct and delete their personal information and to withdraw consent to its collection;
j) Where the application offers targeted push of information, not providing the user with an option to turn it off;
k) Where the application offers account registration, not providing an effective account cancellation function, or imposing unnecessary or unreasonable conditions on canceling an account.