In recent months, the Ministry of Industry and Information Technology has announced the rectification of many apps.

Our company’s products also receive a risk notification from the APP Store, and we will inform you where there may be problems, including several successful apps listed.

Now summarize the following points:

  1. Communicate with the legal department of the company about the privacy agreement and user agreement, and try to improve it to meet the latest requirements and regulations. You can refer to some apps with successful cases that meet the requirements of the Ministry of Industry and Information Technology.

  2. In the privacy protocol popup box, try to write some permission description usage scenarios mainly used by the APP. If the user does not agree with the privacy agreement box, you need to play another confirmation box to guide the user to review the privacy agreement again, or the user exits the application. When presenting the privacy policy for the first time, it is advisable to explain the method and path for searching the privacy policy.

  3. The permission application popup box must be displayed on the home page, and the relevant permissions should be applied after the same privacy protocol popup box. In addition, the application of unnecessary permissions should be minimized on the home page. When the permission popup box is displayed, the specific application scenarios of applying for this permission in the APP should be informed through certain forms of expression. In addition, if the user does not agree with the permission applied on the home page, the user cannot be forced to apply for the permission again when opening the APP next time (no more than once within 48 hours). When applying for dynamic permission in other places, users should be informed of why they want to use this permission.

  4. If youmeng SDK and flash SDK are used in the APP, they need to be initialized in onCreate() of the Application of the project, and then initialized in the popbox after agreeing the privacy permission. The latest UmENG SDK provides to call preInit() method in Application onCreate() to meet the requirements of miIT.

  5. If the privacy protocol pop-up box is displayed on the home page of the APP, pay attention to whether the relevant code in the home page is to obtain system information. Do not use the system’s SimpleDateFormat, Date, DateFormat, Locale, etc. to obtain system system-related time information before the user agrees to the privacy protocol. If the privacy agreement pop-up box is placed on the splash screen, the relative impact of the code will be less.

  6. There are no rules for collecting and using personal information in the App privacy policy. If personal information is used for user portrait or personalized display, describe the application scenario and possible impact on user rights. Portrait, personalized in the privacy agreement to explain the impact, and add a switch in the Settings, refer to Taobao. Furthermore, a path is required to withdraw an agreed authorization. Users’ personal information and algorithms are used to push targeted information, and the option of non-targeted push information needs to be provided.

  1. After a user refuses to provide personal information, disagrees with the collection rules, or refuses to provide or disable the permission to collect personal information, the user does not collect the personal information in any form or enable the permission to collect the personal information. (No more than once within 48 hours) \
  2. If the function of correction, deletion of personal information and cancellation of user account is indicated in the privacy agreement, but the user does not respond to the corresponding operation in time and needs to be handled manually, the user shall not complete the verification and processing within the commitment time limit (the commitment time limit shall not exceed 15 working days, if there is no commitment time limit, it shall be limited to 15 working days); Fail to establish and publish personal information security complaints and reporting channels, or fail to accept and deal with them within the promised time limit (the promised time limit shall not exceed 15 working days; if there is no promised time limit, it shall be limited to 15 working days).

Self-inspection and rectification measures:

  1. Shall not collect has nothing to do with the APP usage scenarios permissions without reasonable scene or related services, apply to the user permissions, class 1 music APP, for example, users click on agree to privacy policy agreement button after entering the APP immediately apply to the user permissions, at this time there is no use to locate relevant function or scenarios, unreasonable application location permissions, Users can apply for location rights only when they use location-related functions. (Map apps can apply for location permission immediately after entering the APP, because the current functional scene of the APP requires location permission)

  2. The APP shall not automatically close or exit after the user refuses to apply for permission. For example, an information APP applies for microphone permission to the user, and after the user clicks “reject”, the APP will automatically exit and close. The microphone permission is not necessary for the normal use of the APP. If the user does not agree with the authorization, the APP may not provide functions related to the microphone permission, but it cannot directly exit the APP

  3. Repeated or frequent pop-ups of APP application permission after application permission is rejected shall not occur, or repeated or frequent pop-ups of APP application permission after application permission is rejected shall not occur, for example, repeated pop-ups of APP application permission after application permission is rejected will interfere with normal use of users. APP application permissions users resisted, the APP can not provide with the permissions corresponding function, if the user take the initiative to trigger the function, the APP can pop-up explains the relationship between the authority and function, tell the user to open the permissions, if the users to trigger the function, the APP shall not actively again within 48 hours to the user to apply for the permission

  4. Shall not be collected in advance the APP is not used to the permission of APP to the user in advance to apply for permission, this is similar to article 1, mainly to see if there are any more apply APP permissions, such as applying for a position permissions at the same time, and continue to apply to the user for the microphone permissions, although microphone authority has the corresponding function module, user but has not been used, can not apply.

According to article 1 (1) of The third point in The Document No. 164 of the Ministry of Industry and Information Technology [2020], focus on the rectification of apps and SDKS that collect users’ personal information without informing users of the purpose, method and scope of personal information collection and without users’ consent.

Possible problem description:

  • APP makes clear collection rules to users in the form of privacy policy pop-ups. Without users’ consent, IMEI, DEVICE MAC address, software installation list, address book and SMS are collected.

  • APP makes clear collection rules to users in the form of privacy policy pop-ups, but the purpose and scope of collecting device MAC addresses and software installation list are not clearly stated. After users agree to the privacy policy, they collect device MAC addresses and software installation list.

  • The APP explicitly states the collection and use rules of the SDK to the user. Without the user’s consent, the SDK collects IMEI, DEVICE MAC address, software installation list, address book, and SMS.

  • APP makes clear the rules of SDK collection to users, but does not clearly indicate the purpose and scope of THE SDK to collect device MAC addresses and software installation list. After users agree to the privacy policy, SDK collects device MAC addresses and software installation list.

  • The App is set to default check in the process of soliciting user consent.

According to article 2 of Article 1, Point 3 of Document No. 164 of the Ministry of Industry and Information Technology [2020], APP and SDK are not required for service or have no reasonable application scenarios, especially in silent state or background running, exceeding the scope of mobile phone personal information.

Possible problem description:

  • Without the consent of users and without the notification of users, APP collects installation list, MAC and other information in its business functions, which is not necessary for services and has no reasonable application scenarios, and is beyond the scope that is directly or reasonably related to the purpose claimed when collecting personal information.

  • APP does not express the collection and use rules of SDK to users. Without the consent of users, SDK collects information such as installation list and MAC, which is not necessary for services and has no reasonable application scenarios, and is beyond the scope that is directly or reasonably related to the purpose claimed when collecting personal information.

  • Without the consent of users and without the notification of users, the APP collects information such as installation list and MAC before authorization, which is not necessary for services and has no reasonable application scenarios, and is beyond the scope that is directly or reasonably related to the purpose claimed when collecting personal information.

  • APP does not express the collection and use rules of SDK to users, and without the consent of users, SDK collects information such as installation list and MAC before authorization, which is not necessary for services and has no reasonable application scenarios, and is beyond the scope that is directly or reasonably related to the purpose claimed when collecting personal information.

* According to article 5 of Article 2 of Point 3 of Document No. 164 of Ministry of Industry and Information Technology [2020], it focuses on the behavior of automatic withdrawal or closure of APP after users reject relevant authorization applications when APP installation, operation and use related functions are not necessary for service or in unreasonable application scenarios. Focus on the short-term and frequent behavior of frequent pop-ups and repeated application of permissions irrelevant to current service scenarios after users explicitly reject permission applications. Focus on the behavior of not timely and clearly informing users of the purpose and purpose of requesting permissions, and applying for permissions beyond their business functions in advance.

Possible problem description:

  • After the APP user explicitly rejects permission applications such as address book, location, SMS, recording, camera, and XXX, it still pops up to the user to apply for permission that is irrelevant to the current service scenario when the APP runs again, affecting the normal use of users.

  • When the APP is opened for the first time (or at other times) and there is no relevant product or service corresponding to the user permission, apply for enabling address book/location/SMS/recording/camera /XXX in advance by popping up the window.

Link to Notice of the Ministry of Industry and Information Technology on Carrying out Special Rectification Action for APP Infringement on Users’ Rights and Interests (MiIT Letter of Information Management [2020] No. 164)

www.gov.cn/zhengce/zhe…

Circular of the Cyberspace Administration of China on Printing and Distributing The Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (GuosC Mizi no. 14, 2021)

www.cac.gov.cn/2021-03/22/…