Release Date: 03-03-2019
Source: Cyberspace Administration of China site
Chinese Title: App违法违规收集使用个人信息自评估指南
The Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps (hereinafter referred to as this Guide) is mainly intended for App operators to carry out self-checks and self-correction concerning their collection and use of personal information. App operators shall continuously improve their level of personal information protection in accordance with the legal requirements set forth in the Cybersecurity Law and the Law on the Protection of Consumer Rights and Interests, and with reference to the national standards for personal information protection.
Independence and readability of privacy policies
Assessment Contents | Assessment Criteria |
--- | --- |
1. Whether there are privacy policies | Privacy policies can be found in the App interface in forms such as pop-up prompts, text links, and Frequently Asked Questions (FAQs). |
2. Whether privacy policies are documented separately | Privacy policies are published as a separate document, not as part of user protocols, user instructions, etc. |
3. Whether privacy policies are easy to access | After the main function interface of the App is entered, privacy policies can be reached in four or fewer clicks, and the privacy policy link is prominent and unobstructed. |
4. Whether privacy policies are reader-friendly | The text display of privacy policies (font size, color, line spacing, etc.) does not cause reading difficulties. |
Various business functions and types of personal information collected shall be clearly stated.
Assessment Contents | Assessment Criteria |
--- | --- |
5. Whether the business functions for which personal information is collected are clearly stated | In privacy policies, the business functions for which personal information is collected shall be listed item by item, and vague expressions such as “etc.” or “for example” shall not be used. Note: The term “business functions” refers to a complete set of services provided by an App to individual users, such as map navigation, online car hailing, online shopping, instant messaging and online payment. |
6. Whether the business functions correspond to the types of personal information collected | In privacy policies, each business function shall describe the types of personal information it collects, and there shall be no case where multiple business functions are mapped together to one type of personal information. |
7. Whether the types of personal information collected by each business function are clearly expressed | When the types of personal information collected are described in privacy policies, each business function shall be listed item by item and shall not be summarized with expressions such as “etc.” or “for example”. |
8. Whether the types of personal sensitive information are clearly marked | The types of personal sensitive information shall be clearly marked in privacy policies (such as in bold font, asterisks, underlines, italics, colors, etc.). Note: personal sensitive information includes ID numbers, personal biometric information, bank account numbers, communication records and contents, property information, credit information, whereabouts, accommodation information, health information, transaction information and personal information of minors aged 14 or under, etc. (For the definition, see Section 3.2 of GB/T 35273, Personal Information Security Specification.) |
The rules for the processing of personal information and the protection of users’ rights and interests shall be clearly stated.
Assessment Contents | Assessment Criteria |
--- | --- |
9. Basic information of an App operator | In privacy policies, the basic information of the App operator shall be described, including at least the following: 1. Company name; 2. Registered address; 3. Contact information of the person in charge of personal information protection. |
10. Storage and overdue handling methods for personal information | The storage territory of personal information (domestic or foreign), the storage period (the shortest period within the scope of the law, or the specified period) and the handling methods once that period expires shall be clearly indicated in privacy policies. |
11. Rules for the use of personal information | If an App operator uses personal information for user profiling or personalized presentation, etc., the application scenarios and the likely impact on users shall be described in its privacy policies. |
12. Provision of personal information overseas | If personal information is provided overseas, the types of personal information provided overseas shall be listed item by item and clearly marked (such as in bold font, asterisks, underlines, italics, colors, etc.) in privacy policies. |
13. Personal information security protection measures and capabilities | The measures taken by an App operator for personal information protection, and its capabilities in this respect, shall be indicated in its privacy policies, including identity authentication, data encryption, access control, malicious code prevention and security auditing, etc. |
14. Rules for external sharing, transfer and public disclosure of personal information | If personal information is shared externally, transferred or publicly disclosed, privacy policies shall clearly define the following: 1. Purposes of sharing, transferring and publicly disclosing personal information; 2. Types of personal information involved; and 3. Types or identities of the recipients. |
15. Users’ rights protection mechanism | Privacy policies shall clearly explain how users can perform the following operations: 1. Enquiry about personal information; 2. Correction of personal information; 3. Deletion of personal information; 4. Deregistration of user accounts; and 5. Withdrawal of previously given authorization. |
16. Complaint channels and feedback mechanisms for users | At least one of the following complaint channels shall be provided in the privacy policies: 1. Email; 2. Telephone; 3. Fax; 4. Online customer service; or 5. Online form. |
17. Time limitation of privacy policies | The dates of promulgation, effectiveness or update of privacy policies shall be clearly identified. |
18. Updates of privacy policies | If there are changes in business functions, provision of personal information overseas, purposes of use, contact details of the person in charge of personal information protection, etc., privacy policies shall be revised accordingly, and users shall be notified of the revision in a timely manner by email, letter, telephone or push notification. |
It is not allowed to set unreasonable clauses in documents such as privacy policies.
Assessment Contents | Assessment Criteria |
--- | --- |
19. Whether there are unreasonable clauses such as liability exemptions in privacy policies and other documents | App operators shall not establish clauses that exempt themselves from liability, aggravate users’ liability or exclude users’ primary rights in documents including user protocols, service agreements, privacy policies, etc. Note: Exempting themselves from liability means that App operators exempt themselves from the mandatory legal obligations they must assume in accordance with the law; aggravating users’ liability means that App operators require users to bear liability or losses beyond the scope of the obligations stipulated by the law; and excluding users’ primary rights means that App operators exclude the primary rights that users would normally enjoy in accordance with the law or the nature of the contract. |
Collection of personal information shall clearly indicate the purposes, manners and scopes of the collection.
Assessment Contents | Assessment Criteria |
--- | --- |
20. Whether the purposes, methods and scopes of collection and use of personal information are expressly indicated to users | 1. When users install, register or open an App for the first time, they shall be reminded to read the privacy policies. 2. When an App requests a system permission (excluding cases where users enable the permission themselves in the system settings), it shall indicate the purpose for which personal information is collected under that permission. 3. For the collection of sensitive personal information, an App shall clearly indicate to users the purposes, manners and scopes of collection and use of personal information through obvious methods such as pop-up prompts. |
21. Whether relevant information on the collection of personal information by means of Cookies and similar technologies is expressly indicated to users | For the collection of personal information by means of Cookies and similar technologies (including scripts, clickstreams, web beacons, Flash Cookies, embedded web links, SDKs, etc.), the purposes and the types of personal information collected shall be clearly presented to users. |
22. Whether the collection of personal information through embedded third-party code or plugins is clearly indicated to users | If personal information is transmitted to third-party servers by means such as embedded third-party code or plugins, users shall be clearly informed by methods such as pop-up prompts. |
Collection and use of personal information shall be subject to users’ option for consent, with no mandatory bundled authorization.
Assessment Contents | Assessment Criteria |
--- | --- |
23. Whether users’ option for consent is obtained before collection of personal information | Apps shall give users the option to agree or disagree before personal information is collected. Choosing to disagree shall only affect the business functions related to the personal information the user refused to provide. |
24. Whether multiple business functions and permissions are bundled for acceptance by users | 1. Apps shall not bundle multiple business functions so as to request that users accept and authorize the collection of personal information for all of them at once; 2. Users’ voluntary filling in, clicking or ticking of information shall be deemed the condition for opening the business functions of products or services, or for starting the collection of personal information. |
The necessity requirement shall be satisfied for the collection of personal information.
Assessment Contents | Assessment Criteria |
--- | --- |
25. Whether the types of personal information actually collected exceed the scope of the privacy policies | The types of personal information actually collected by each business function shall be consistent with the contents described in the privacy policies and shall not exceed their scope. |
26. Whether users’ option for consent is obtained for the collection of non-essential information related to business functions | When the personal information collected by App operators exceeds the scope of necessary information, the purposes of collecting that personal information shall be clearly indicated to users and their option for consent shall be obtained. Note 1: The term “necessary information” refers to information that is directly related to basic business functions and without which the basic business functions cannot be realized. Note 2: The term “option for consent” refers to the act by which subjects of personal information give clear authorization for the planned handling of their personal information, through a written declaration or by voluntarily taking an affirmative action. Affirmative actions include subjects of personal information voluntarily making a declaration (in electronic or paper form), voluntarily ticking or clicking buttons such as “agree”, “register”, “send” or “dial”, or voluntarily filling in or providing information. |
27. Whether personal information unrelated to business functions is collected | Apps shall not collect personal information unrelated to business functions. |
28. Whether there are repeated requests for permissions or disturbance of users after users’ explicit refusal | For business functions that users have explicitly refused to use, closed or withdrawn from, Apps shall not repeatedly ask users whether to open those business functions or the related system permissions. |
29. Whether system permission settings are changed after App updates | After an App is upgraded, the original system permission settings shall not be changed. |
Users’ deregistration of accounts and correction or deletion of personal information shall be supported.
Assessment Contents | Assessment Criteria |
--- | --- |
30. Whether users’ deregistration of accounts is supported | Apps shall provide available ways to deregister accounts (such as an online function interface, customer service numbers, etc.) and shall, after users cancel their accounts, delete or anonymize their personal information. |
31. Whether users’ inquiry, correction or deletion of personal information is supported | Apps shall provide available channels to inquire about, correct and delete personal information. |
Feedback to users’ complaints shall be provided in a timely manner.
Assessment Contents | Assessment Criteria |
--- | --- |
32. Whether feedback to users’ complaints is provided in a timely manner | App operators shall properly handle and promptly respond to users’ complaints and shall, in principle, respond with the handling result within fifteen days. |