
CHINA: mobile apps remain a high privacy risk, and face stringent requirements

Mobile apps pervade all aspects of life in Mainland China, and in turn remain a high enforcement priority for data privacy regulators in China. For the past couple of years, operators of mobile apps in China have had to comply with over thirty additional, specific privacy compliance obligations (i.e. over and above those applicable to general websites). The regulators have now refreshed and combined a selection of these requirements into one standard, and yet more compliance steps must be followed. Operators of mobile apps in Mainland China – and of WeChat mini programs – must update their apps’ compliance checklists – and their apps – to address these extra requirements by 1 November 2022.

Examples of the new requirements (under the TC260’s GB/T 41391-2022 Basic Requirements for Collecting Personal Information in Mobile Internet Applications (“Standard”)) include:

Categorization of App Functions

  • An App operator must now categorize the functions of the App into basic functions and extended functions.
  • The Standard provides a list of 39 commonly used App types (eg online payment and shopping, social media, instant messaging etc), and pre-determines the basic functions of these App types.
  • Apps which do not fall within the list must determine their basic and extended functions themselves. The test is whether a function achieves the users’ main purpose for using the App.

Categorization of Data Processed

  • App operators must also categorize the personal data processed for the basic and extended App functions into necessary data and relevant data. The App operator must not process any personal data other than necessary data and relevant data.
  • Necessary data is data required to maintain the normal operation of the basic functions of an App. The Standard provides a list of necessary data for the 39 commonly used App types.
  • Relevant data is data directly relevant to the services provided by the App, but not essential to the normal operation of the basic functions of the App.

Notice and Consent Requirements

  • App operators must now differentiate clearly between, and obtain separate consent for, the processing of necessary and relevant data collected to achieve either basic or extended functions. Users must be allowed to freely opt in to providing their relevant data, and must not be denied use of the App’s basic functions for refusing to do so.
  • Where users do not provide consent, the App operator should not: (i) have a pop-up window asking a user for consent to a processing activity that the user has rejected more than once within a 48-hour window, or (ii) seek consent or remind the user whenever the App is reopened.
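The two notice-and-consent rules above translate into concrete prompting logic. The following is an added example written for this article (not code from the Standard or from any App operator); the `ConsentGate` class, the `trigger` values and the `purpose` names are assumptions chosen for illustration. It only shows a consent pop-up when the user is about to use the relevant function, never on mere reopening, suppresses it once the user has rejected that purpose more than once within 48 hours, and never makes a basic function depend on relevant-data consent.

```javascript
// Added example: consent-prompt gatekeeper for the Standard's re-prompt and
// basic-function rules. All names and sample purposes are constructed.
const WINDOW_48H_MS = 48 * 60 * 60 * 1000;

class ConsentGate {
  constructor() {
    // purpose -> { granted: boolean, rejectedAt: [timestamps in ms] }
    this.decisions = new Map();
  }

  // Record the user's answer to a consent prompt for one processing purpose.
  record(purpose, granted, nowMs) {
    const d = this.decisions.get(purpose) || { granted: false, rejectedAt: [] };
    d.granted = granted;
    if (!granted) d.rejectedAt.push(nowMs);
    this.decisions.set(purpose, d);
  }

  isGranted(purpose) {
    const d = this.decisions.get(purpose);
    return Boolean(d && d.granted);
  }

  // May a consent pop-up be shown now for this purpose?
  // trigger is 'function-use' (user is about to use the function) or
  // 'reopen' (the App was merely reopened); only the former may prompt.
  mayPrompt(purpose, trigger, nowMs) {
    if (trigger !== 'function-use') return false;
    const d = this.decisions.get(purpose);
    if (!d) return true;            // never asked before
    if (d.granted) return false;    // consent already held, nothing to ask
    // Rejections inside the trailing 48-hour window: more than one means
    // the user has said no repeatedly, so no further pop-up for now.
    const recent = d.rejectedAt.filter(t => nowMs - t < WINDOW_48H_MS).length;
    return recent <= 1;
  }
}

// Availability of an App function given the current consent state.
// Basic functions rely only on necessary data and are never gated on
// relevant-data consent; extended functions need consent for each purpose.
function functionAvailable(fn, gate) {
  if (fn.kind === 'basic') return true;
  return fn.purposes.every(p => gate.isGranted(p));
}

module.exports = { ConsentGate, functionAvailable, WINDOW_48H_MS };
```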

Minors’ Data

  • If the personal data of children aged under 14 is collected, the App’s privacy notice should display the App operator’s name and contact information, the purpose and processing method of the minors’ data, the types of minors’ data collected, the retention period, data subject rights, and the effect on the minors’ rights.
  • The separate consent of parents or guardians is required.

System Permissions

Only the minimum scope of system permissions required to achieve an App’s business purposes should be declared and applied for. The App must not apply for system permissions prior to users using the relevant business function. The App must obtain unbundled, separate consent for each system permission.

The Standard provides helpful guidance as regards:

  • Special requirements on how an App must request certain system permissions (eg calendar, location, camera, device storage, etc.);
  • Common system permissions that an App may apply for in both Android and iOS systems; and
  • The system permissions that different types of Apps are not recommended to apply for, due to low relevance to business purposes.

Third Party SDKs

Externally, Apps must fully disclose to users, and obtain their consent for, each third-party SDK’s name, the data it collects, its purpose, and its use of system permission requests.

Internally, the App operator should:

  • Conduct due diligence on the third-party SDK to ensure that its purpose for using personal data is clear and reasonable and does not exceed the agreed scope or amount; and
  • Ensure appropriate measures are in place to clarify the third party SDK’s responsibilities as regards:
      • Purpose, method and scope of personal data collection;
      • Purpose of system permission requests;
      • The category, retention period and processing method of the personal data provided by the App;
      • Personal data safety and protection mechanisms; and
      • Personal data requests and the third party SDK’s supporting mechanisms for the app.

If the third-party SDK has an update mechanism, the SDK provider must notify the App operator of the update’s content and potential effects before pushing the update. If the update changes the processing purpose, method or scope, the App operator should be notified separately through each contact method (e.g. email, phone call, facsimile, etc.).
