Promulgation Authorities: Ministry of Industry and Information Technology
Release Date: 2023-02-06
Effective Date: 2023-02-06
Original Title: 工业和信息化部关于进一步提升移动互联网应用服务能力的通知 (工信部信管函〔2023〕26号)
Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Apps (Gong Xin Bu Xin Guan Han [2023] No. 26)
In recent years, the Ministry of Industry and Information Technology has been vigorously promoting the improvement to the service quality of mobile Internet applications (“Apps” in short), effectively safeguarding the legitimate rights and interests of users and achieving positive social results. However, problems such as irregular service practices of some enterprises and failure to implement responsibilities at relevant links still occur from time to time. In order to optimize service supply, improve user experience, maintain a good environment for information consumption and promote high-quality development of the industry, in accordance with the Personal Information Protection Law, the Telecommunications Regulations, the Several Provisions on Regulating the Order of Internet Information Service Market, the Provisions on the Protection of Personal Information of Telecommunications and Internet Users and other relevant laws, regulations and rules, the relevant matters are hereby notified as follows:
I. Enhancing the whole-process service awareness to protect the legitimate rights and interests of users
(I) Regulating installation and uninstallation activities
- Ensuring informed consent for installation. When recommending an App for download to users, the principles of openness and transparency shall be followed: the developer, the operator, product functions, privacy policies, permission lists and other necessary information shall be indicated expressly in an authentic, accurate and complete manner, and an obvious option to decline shall be provided at the same time. The App may be downloaded and installed only after users have confirmed and agreed, so as to effectively protect users' right to know and right to choose. It is not allowed to deceive or mislead users into downloading and installing by such means as "disguised replacement", "forced bundling" or "silent downloading".
- Regulating recommended downloads on webpages. While users browse webpage content, it is not allowed, without the users' consent or active selection, to download Apps automatically or compulsorily, or to force users to download or open Apps by means of folded display, active pop-up windows, frequent warnings or the like, thereby interfering with users' normal browsing of information. Without justifiable reasons, it is not allowed to tie the reading of webpage content to the downloading of an App.
- Realizing convenient uninstallation. Except for software providing basic functions, Apps shall be uninstallable in a convenient manner, and it is not allowed to maliciously obstruct users from uninstalling by means of a blank name, a transparent icon, background concealment or similar tricks.
(II) Optimizing service experience
- Allowing users to close windows at will. Full-screen and pop-up information windows shall provide clear and effective close buttons, so as to ensure that users can close them conveniently; it is not allowed to pop up windows frequently so as to interfere with users' normal use, or to induce users into operations by means of a "full-screen heat map", a high-sensitivity "shake" gesture or other methods that are likely to cause accidental triggering.
- Informing service items in advance. The product functions, rights and interests, fees and other contents shall be clearly indicated. Additional conditions such as membership opening or collection of fees, if any, shall be indicated in a prominent manner. Without express indication, it is not allowed to add restrictive conditions without authorization in the process of providing product services and terminate normal use of product functions and services or reduce service experience of users based on such conditions.
- Reasonable launch and operation scenarios. It is not allowed to launch Apps automatically or in association with other Apps, or to wake up, invoke or update Apps in circumstances that are not necessary for the service or otherwise lack reasonable grounds.
- Prompt reminder for service renewal. Where services are provided in the form of automatic subscription or fee renewal, the consent of users shall be obtained, and it is not allowed to make default selections or compulsorily bundle such services. 5 days before the automatic renewal, users shall be reminded by SMS, message push or another prominent means and provided with a convenient way to cancel the subscription or the automatic renewal at any time.
(III) Strengthening personal information protection
- Adhering to the principle of legality, legitimacy and necessity. To engage in personal information handling activities, a handler shall have definite and reasonable purposes, and shall not compulsorily require users to agree to the personal information handling beyond the scope or irrelevant to service scenarios only for the reasons of service experience, product research and development, algorithm recommendation, risk control, etc. If a user refuses to provide personal information that is not necessary for the current service, it shall not affect the user’s use of the basic functions of the service.
- Express rules for handling personal information. Users shall be informed of the rules for handling their personal information in a concise, clear and understandable manner, and in the event of any changes thereto, users shall be promptly informed of the latest developments. The handler shall highlight the purpose, method and scope of handling sensitive personal information and establish a list of personal information that has been collected, and shall not induce users to agree to the rules for handling personal information by means of checking a box by default, reducing the size of the text or making the text redundant, etc.
- Reasonably requesting permissions. Required permissions shall be requested dynamically at the time the corresponding business function is launched, and it is not allowed to require users to grant blanket consent to a number of permissions that are not necessary for the corresponding business function. When invoking permissions such as the terminal's photo album, address book or location, users shall at the same time be informed of the purpose of the request. Without the user's consent, the status of permissions the user has not granted shall not be changed.
(IV) Responding to users’ demands
- Setting up customer service hotlines. We encourage Internet enterprises to establish customer service hotlines, and major Internet enterprises shall publicize the customer service hotline number at a noticeable position on their websites and in their Apps and simplify the procedure for transferring to manual service. We also encourage improvement of the response capacity of customer service hotlines, with a maximum monthly average response time of 30 seconds and a manual service reply rate exceeding 85%.
- Properly dealing with user complaints. It is required to make public effective contact information and accept user complaints. Efforts should be made to reply to complaints made on the Internet information service complaint platform as required, to ensure that the complaints are handled within 15 days, and to improve the satisfaction rate of complaint handling. It is encouraged to set links for user satisfaction evaluations in the Apps to guide users to participate in evaluations.
II. Improving the whole-chain management capability to create a healthy service ecosystem
(I) Implementing the primary responsibilities of the developer and the operator of an App
- Improving internal management mechanism. It is required to clarify the leading management department and person in charge of user services and the protection of rights and interests of users, establish a whole-lifecycle personal information protection mechanism, improve the assessment and accountability system, implement the requirements of relevant regulations and policies in all stages of product research and development, promotion and operation, and constantly improve the level of compliance. Compliance audit of the personal information protection measures and implementation thereof shall be made on a regular basis to effectively prevent potential risks.
- Strengthening technical support capability. Access control, encryption, de-identification and other technical security measures shall be adopted to strengthen front-end and back-end security protection. Risks and threats such as disclosure, theft, tampering, damage, loss and illegal use of personal information shall be actively monitored and detected so that disposal requirements can be responded to in a timely manner.
- Strengthening the use and management of software development kits (SDKs). Prior to the use of an SDK, its ability to protect personal information shall be assessed, and the rights and obligations of all parties shall be specified in a contract or another form to ensure compliant handling of personal information. The name and functions of each embedded SDK, as well as its rules for processing personal information, shall be presented centrally and updated in a timely manner. Where those jointly handling users' personal information infringe upon users' rights and interests and cause damage, they shall bear the corresponding liability in accordance with the law.
(II) Strengthening the management of platform distribution
- Tightening the examination and approval of Apps to be put on the shelves. It is required to accurately register and verify basic information such as the real identity and contact information of the developer and operator as well as the main functions and purposes of an App, and to conduct technical testing of the App before it is put on the shelves. A person in charge of the relevant examination shall be designated, and the examination log records shall be retained. Any App that does not meet the requirements is not allowed to be put on the shelves. Apps on the shelves shall be fully publicized, with their name and functions, developer and operator, version number, list of user terminal permissions to be obtained and their purposes, personal information processing rules and other information indicated in a prominent position. Where no express distribution interface has been established yet, Apps shall be linked to App Stores for downloading, and users shall be guided to download distributed Apps through official channels.
- Strengthening inspection of Apps on the shelves. Efforts should be made to strengthen the dynamic inspection of Apps to ensure the authenticity and accuracy of the information publicized. For any App that is inconsistent with the information publicized, or the main functions, applied permissions, scenarios and scope of personal information collection and use have been changed without authorization by means of “hot update or hot switch”, etc., the provision of services for such App shall be ceased.
- Improving the distribution management mechanism. It is required to establish credit evaluation and risk warning mechanisms for App developers and operators, and electronic signature certification is encouraged for distributed Apps, so as to achieve whole-process traceability of Apps on the shelves and in distribution. Efforts should also be made to strengthen linkage with the public service platform for testing and certification of mobile Internet Apps and to effectively carry out information reporting, monitoring and traceability, information sharing, and response and handling.
(III) Standardizing SDK application services
- Establishing an information publicity mechanism. It is required to publicly state the basic information of the SDK, such as its name, developer, version number, main functions and instructions, as well as its rules for handling personal information. If the SDK independently collects, transmits or stores personal information, a separate explanation shall be made. It is encouraged to give play to the role of the SDK management service platform and to guide App developers and operators to use compliant SDKs.
- Optimizing functional configurations. It is required to follow the principle of least necessity, to clarify the functions of the SDK and the corresponding scope of personal information collection in light of different application scenarios or purposes, and to provide App developers and operators with configuration options for functional modules and for personal information collection. Bundled, excessive collection of personal information is not allowed.
- Strengthening service collaboration. Throughout the product life cycle, a compliant-use guide should be proactively provided to App developers and operators in a clear and easy-to-understand manner, guiding them to use the SDK correctly and reasonably and jointly improving the level of compliance. When the personal information processing rules change or risks are discovered, App developers and operators should be informed in a timely manner.
(IV) Building a strong terminal security defense line
- Strengthening the management of Apps. Efforts should be made to provide users with the shutdown function of self-start and associated start of Apps, as well as convenient options to reset relevant device identification codes, and to strengthen the monitoring of silent downloading and hot updating of Apps, so as to prevent unauthorized startup, downloading, installation and other activities without the consent of users.
- Strengthening reminders about Apps' behavior records. Efforts should be made to strengthen the ability to record permission invocations and to make it convenient for users to query the status of permission invocations. A mechanism should be established to prominently remind users when permissions such as the address book, microphone, camera, location and clipboard are in use, so as to ensure that users can understand the collection status of their personal information in a timely and accurate manner.
- Improving Apps’ capability to give early warning of risks. It is imperative to promote the development of electronic signature certification of Apps, give early warnings to users, and improve the ability to identify counterfeiting, bad, irregular and other risky Apps.
(V) Consolidating the responsibilities of access enterprises
- Accurately registering information. When providing network access services for Apps and SDKs, the real identity, contact information and other information of Apps and SDK developers and operators should be registered and verified to improve traceability.
- Ensuring effective disposal. As required by the telecommunications regulatory authorities, necessary measures such as ceasing the access to illegal Apps and SDKs shall be taken in accordance with the law to effectively prevent their violations that infringe upon users’ rights and interests.
III. Work requirements
(I) Properly organizing implementation. All entities shall adhere to people-centered development thinking, raise their political positions, strengthen their assumption of responsibilities, refine and break down tasks, and conscientiously organize the implementation of this Notice to ensure practical results. Relevant enterprises shall fulfill their principal responsibilities, carry out self-examination and self-correction in accordance with the requirements of this Notice, and effectively safeguard the legitimate rights and interests of users. Meanwhile, efforts should be made to improve long-term mechanisms, innovate modes and methods, constantly raise the level of mobile Internet application services, and constantly enhance users' sense of gain, happiness and security.
(II) Strengthening guidance and supervision. The Ministry of Industry and Information Technology will improve the evaluation, notification, ranking and publicity mechanisms, promote the solid and orderly implementation of the work, and summarize and promote excellent cases, experience and practices in a timely manner. Local communications administrations shall strengthen supervision and inspection, and guide and urge enterprises within their jurisdictions to implement the requirements of this Notice. Where implementation is not in place or violations occur, measures such as ordering rectification within a time limit, making a public announcement and organizing removal from the shelves shall be taken in accordance with the law, with serious accountability, investigation and punishment.
(III) Strengthening the application of technologies. The China Academy of Information and Communications Technology shall organize industry forces and comprehensively use new technologies and means such as artificial intelligence and big data to upgrade and build the national public service platform for testing and certification of mobile Internet Apps, constantly improve platform functions, and effectively carry out technical testing, monitoring services and regulatory support. The application of electronic signature certification and other traceability techniques should be actively popularized to promote the improvement of service management capabilities.
(IV) Promoting industry self-regulation. It is encouraged for industry associations and relevant institutions to formulate industry self-regulatory conventions, technical standards and service specifications and to strengthen evaluation and certification and talent training. More efforts should be made to unblock channels to listen to the opinions of people, promote the exchange and interaction among all parties, guide enterprises to operate in accordance with the laws and regulations, constantly optimize and improve services, create a good environment for striving to be outstanding and achieving mutual promotion, and accelerate the high-quality development with high-quality services.
Ministry of Industry and Information Technology
February 6, 2023