Announcement by the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, and the Ministry of Public Security on Launching Special Campaigns on Personal Information Protection in 2026

By Marcos SabioLast Updated on Apr 3, 2026
Announcement by the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, and the Ministry of Public Security on Launching Special Campaigns on Personal Information Protection in 2026

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2026-04-02

Effective Date: 2026-04-02

Source: https://www.cac.gov.cn/2026-04/02/c_1776867645836849.htm

Original Title: 中央网信办、工业和信息化部、公安部关于开展 2026 年个人信息保护系列专项行动的公告

Since the Personal Information Protection Law came into force, the Office of the Central Cyberspace Affairs Commission, in conjunction with the relevant departments, has continuously strengthened efforts in personal information protection, investigated and penalised various unlawful and irregular acts in handling personal information, and urged and guided personal information handlers to continuously enhance their compliance level, achieving positive results. In 2026, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, and the Ministry of Public Security shall, together with the relevant departments, further intensively rectify typical problems involving unlawful and irregular collection and use of personal information in App, SDK and other service products, and in key sectors such as Internet advertising, education, transportation, healthcare, and finance, with a view to enhancing the public’s satisfaction and sense of gain. The relevant departments shall carry out a series of special campaigns focusing on the following key issues:

1. Special rectification on unlawful and irregular collection and use of personal information by Apps and SDKs

Targets of rectification: personal information collection and use activities conducted by commonly used types of Apps and embedded SDKs.

Key issues of rectification: First, failure to disclose the rules for collection and use of personal information, failure to provide an effective function for de-registering user accounts, and failure to establish and publish channels for complaints and reports on personal information security; second, failure to fully and accurately inform individuals of the collection and use of their personal information, or inconsistency between the notified purposes, methods, and scope of collection and use of personal information and the actual collection and use; third, collecting and using personal information without users’ consent, and forcing users to consent to the collection of non-essential personal information; fourth, collecting and using personal information beyond what is necessary, collecting personal information such as location, contact list, and text messages in unrelated scenarios, and invoking permissions involving personal information at a frequency exceeding the minimum necessary level.

2. Special rectification on unlawful and irregular collection and use of personal information in the field of Internet advertising

Targets of rectification: personal information collection and use activities conducted by Internet advertising intermediary platforms, media endpoints, and the like.

Key issues of rectification: First, collection of personal information beyond what is necessary; second, in the course of collecting and using personal information, failure to specify in the personal information handling rules that the collected personal information will be used for functions such as advertising and user profiling, and failure to list the types, purposes and methods of personal information provided to third parties as well as the names and contact details of the recipients; third, failure to provide convenient channels for users to exercise rights such as rectification, deletion, and objection to the handling of personal information, and the relevant functions being incomplete or unsound; fourth, when pushing advertisements by way of automated decision-making and other means, failure to provide easy-to-understand, easily accessible and operable options for turning off personalized recommendations, failure to cease collecting personal information after individuals turn off personalized recommendations, and failure to provide functions for deleting users’ personal characteristic tags; fifth, unsound internal personal information security management, access control, and external provision systems, and inadequate technical security protection measures.

3. Special rectification on unlawful and irregular collection and use of personal information in the field of education

Targets of rectification: personal information collection and use activities conducted by schools (including institutions of higher education, senior secondary schools, compulsory education schools, kindergartens, etc.) and off-campus training institutions and other education institutions.

Key issues of rectification: First, when education institutions handle personal information of minors under the age of fourteen, failure to formulate special rules for personal information handling, and failure to obtain the consent of the minor’s parents or other guardians; second, excessive collection via education institutions’ websites, Apps, etc. of personal information such as location, school, student status, and parents’ ID numbers, contact details, professions, and so on; third, off-campus training institutions providing personal information to cooperating third-party institutions without informing the personal information subjects of the names of the cooperating third-party institutions and the purposes and methods of handling personal information, and without obtaining the consent of the personal information subjects; fourth, where parents’ and students’ identities can be verified by using non-facial recognition technologies at the offline premises of education institutions and through their websites, Apps, etc., nonetheless using facial recognition technology as the sole means of verification, and failing to implement the relevant security management requirements for the application of facial recognition technology; fifth, failure by education institutions to establish personal information protection management systems, failure to take effective security protection measures, and the existence of potential risks of personal information leakage.

4. Special rectification on unlawful and irregular collection and use of personal information in the field of transportation

Targets of rectification: personal information collection and use activities conducted by operators engaging in highway, waterway, railway and civil aviation transportation and the related ticketing agents, online travel ticketing platforms, postal and express delivery enterprises, and public parking management platforms.

Key issues of rectification: First, websites and Apps operated by the relevant institutions collecting personal information such as location and contact list in unrelated scenarios, and invoking permissions involving personal information such as microphone and storage; second, functions such as code-scanning payment in public parking lots forcing users to register and log in, and mandatorily collecting personal information such as mobile phone numbers; third, online travel ticketing platforms providing personal information to cooperating third-party institutions such as ticketing agents without informing the personal information subjects of the names of the cooperating third-party institutions and the purposes, methods, and scope of personal information handling, and without obtaining the consent of the personal information subjects; fourth, institutions such as postal and express delivery enterprises and online travel ticketing platforms leaking users’ personal information such as contact details, home addresses, and travel itineraries; fifth, failure by the relevant institutions to establish personal information protection management systems or to take effective security protection measures, thereby harming personal information rights and interests.

5. Special rectification on unlawful and irregular collection and use of personal information in the field of healthcare

Targets of rectification: personal information collection and use activities conducted by healthcare institutions such as hospitals, health service centres, health stations, clinics, and disease control centres.

Key issues of rectification: First, websites and Apps operated by healthcare institutions collecting personal information such as location beyond the necessary scope, and failure to adopt effective means of verification to authenticate users’ identities, resulting in unauthorized unrelated persons being able to query others’ medical records; second, healthcare institutions disclosing imaging data, textual descriptions, and other information containing patients’ personal information without the patients’ consent; third, in circumstances where websites, Apps, etc. operated by healthcare institutions can verify patients’ identities by using non-facial recognition technologies, nonetheless using facial recognition technology as the sole means of verification, and failing to implement the relevant security management requirements for the application of facial recognition technology; fourth, healthcare institutions failing to establish special personal information protection management systems, failing to effectively set personal information access management permissions, and failing to clearly define personal information protection responsibilities; fifth, internal information management systems of healthcare institutions failing to adopt effective technical protection measures and failing to adopt security technical measures such as encryption and de-identification for personal information; sixth, inadequate management of third-party personnel engaged in technical operation and maintenance by healthcare institutions, resulting in potential risks of personal information leakage.

6. Special rectification on unlawful and irregular collection and use of personal information in the field of finance

Targets of rectification: personal information collection and use activities conducted by relevant institutions in banking, insurance, securities, credit reporting, payment, and other sectors, as well as Internet loan-assistance platforms.

Key issues of rectification: First, websites and Apps operated by the relevant institutions collecting non-essential personal information such as contact lists, text messages, call histories, location, device information, and application lists, and invoking permissions involving personal information such as microphone and storage, in the name of security risk control, loan services, and the like; second, Internet loan-assistance platforms providing personal information to cooperating third-party institutions without informing the personal information subjects of the names of the cooperating third-party institutions and the purposes and methods of handling personal information, and without obtaining the consent of the personal information subjects; third, where users’ identities can be verified by using non-facial recognition technologies in offline business review by the relevant institutions and via their websites, Apps, etc., nonetheless using facial recognition technology as the sole means of verification, and failing to implement the relevant security management requirements for the application of facial recognition technology; fourth, failure by the relevant institutions to establish personal information protection management systems, failure to take effective security protection measures, and the existence of potential risks of personal information leakage.

7. Special crackdown and rectification on unlawful and criminal cases involving personal information

Targets of rectification: unlawful and criminal activities infringing on personal information.

Key issues of rectification: Focusing on unlawful and criminal acts infringing upon citizens’ personal information in key areas such as public services, financial lending, healthcare and education, and daily travel, and centering on the stages of information leakage, information reselling, and information use, strictly punishing “insiders” in industries and cracking down hard on unlawful and criminal acts infringing upon citizens’ personal information.

The Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, and the Ministry of Public Security shall, together with the relevant departments, orderly advance all tasks of the series of special campaigns, concentrate efforts on rectifying various typical unlawful and irregular problems, and impose strict penalties in accordance with the law on those with serious circumstances who refuse to make rectification; meanwhile, the relevant departments shall dynamically adjust the key issues of rectification according to actual work needs to ensure that the special campaigns achieve practical results and effectively protect the security of citizens’ personal information.

Hereby announced.

Office of the Central Cyberspace Affairs Commission

Ministry of Industry and Information Technology

Ministry of Public Security

April 2, 2026