Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · APP PI COLLECTION AND USE PROVISIONS (DRAFT)

Provisions on the Collection and Use of Personal Information by Internet Applications (Draft for Public Consultation).

互联网应用程序个人信息收集使用规定(征求意见稿)

Promulgated by: Cyberspace Administration of China (CAC). Status: Draft for Public Consultation, released January 10, 2026.


Chapter 1. General Provisions

Article 1. These Provisions are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Regulation on Network Data Security Management, and other laws and administrative regulations, in order to regulate the collection and use of personal information by Internet applications, protect personal information rights and interests, and promote the reasonable use of personal information.

Article 2. These Provisions shall be observed by anyone who, in the course of operating an Internet application within the territory of the People’s Republic of China, collects or uses personal information, and by software development kits, distribution platforms, smart terminals, and other parties that provide services supporting the collection and use of personal information for Internet applications.

Where an Internet application collects or uses the personal information of natural persons within the territory of the People’s Republic of China from outside the territory, and the circumstances fall within Article 3, paragraph 2 of the Personal Information Protection Law of the People’s Republic of China, these Provisions shall apply.

Article 3. The collection and use of personal information shall follow the principles of lawfulness, legitimacy, necessity, and good faith, and shall not be carried out by misleading, defrauding, or coercing individuals.

The collection and use of personal information shall be preceded by full notice of the collection and use rules to the personal information subject, and the personal information subject’s consent shall be obtained; where sensitive personal information is collected or used, the personal information subject’s separate consent shall be obtained. Where laws or administrative regulations provide otherwise, such provisions shall prevail.

The collection and use of personal information shall be carried out in the manner that has the least impact on the rights and interests of the personal information subject, shall be limited to what is necessary to provide the product or service, and shall not exceed the scope so required.

An operator shall not refuse to provide a product or service on the ground that the personal information subject has declined to consent to, or has withdrawn consent to, the collection and use of personal information, except where the personal information concerned is necessary to provide the product or service.

Article 4. Internet application operators and software development kit operators each bear primary responsibility for the collection, use, and security protection of personal information in connection with the Internet application or software development kit that they respectively operate.

An Internet application operator shall perform its statutory review obligations with respect to embedded software development kits, a distribution platform operator with respect to the Internet applications it distributes, and a smart-terminal manufacturer with respect to the Internet applications it preinstalls. Where such review is not effectively carried out and harm results to the rights and interests of a personal information subject, the party responsible shall bear liability accordingly.

Article 5. Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall, with respect to personal information that becomes a state secret matter after aggregation or correlation, strengthen management in accordance with the State’s relevant provisions on security and secrecy.

Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall not inspect the content of, or provide to any third party, personal information in their possession that constitutes a communication secret. Where laws or administrative regulations provide otherwise, such provisions shall prevail.

Article 6. Industry organizations are encouraged to establish and improve self-regulatory mechanisms, formulate personal information protection industry codes and self-regulatory conventions, guide their members to carry out personal information collection and use activities in accordance with law, and accept public oversight.

Chapter 2. Operational Security Management Requirements for Internet Applications

Article 7. An Internet application that collects or uses personal information shall follow the principles of openness and transparency, formulate a public personal information collection and use rule, and, in clear and easily understood language, truthfully, accurately, and completely set out the following matters item by item:

(1) the name of the operator, or the name of the natural person operator, and effective contact information;

(2) in the form of a structured list, the purpose, method, and category of personal information collected and used by each functional service, the names and frequency of the permissions invoked, the necessity of collecting and using sensitive personal information, and the impact on user rights and interests;

(3) where a software development kit is embedded, in the form of a structured list, the name (package name) and version of the embedded software development kit, its principal functions, the name of its operator or the name of the natural person operator, the categories of personal information it collects and uses, and a complete link to the software development kit’s own personal information collection and use rule;

(4) the retention period for personal information and how it will be handled upon expiry; where the retention period is difficult to determine, the method for determining it shall be specified;

(5) the methods and channels by which a user may access, copy, transfer, correct, supplement, delete, or restrict the processing of personal information, and cancel an account or withdraw consent; and

(6) other matters required to be disclosed by laws and administrative regulations.

For the key content described in the preceding paragraph, the Internet application shall alert users through prominent means such as bold type, enlarged font, or distinct coloring.

Article 8. Where the purpose, method, category, retention period (or the method for determining the retention period), permission names and frequency, or the personal information collection and use behavior of an embedded software development kit changes, the Internet application shall promptly revise and update its personal information collection and use rule.

Where an Internet application with more than 50 million registered users, or more than 10 million monthly active users, and a complex business model revises or updates its personal information collection and use rule under the preceding paragraph, it shall concurrently solicit public comment through channels such as the application’s home page, official website, or official account, for a comment period of not less than 7 working days.

Article 9. An Internet application shall, upon first launch, notify the user of its personal information collection and use rule through a prominent means such as a pop-up window, and, on the premise that the user is fully informed, obtain a clear expression of the user’s consent to the rule.

Where an Internet application provides personal information to a third party, it shall obtain the user’s separate consent. The Internet application shall provide a one-click access function for its personal information collection and use rule in a prominent location such as the settings page, for the user’s convenience in reviewing and saving it.

Where an Internet application updates its personal information collection and use rule under circumstances falling within Article 8, paragraph 1, it shall promptly notify users of the specific content of the update through prominent means such as a pop-up window or push notification, and re-obtain the user’s consent.

Article 10. An Internet application shall not, through the calendar, call-log, or SMS permission, collect or use the personal information of any personal information subject other than the user, except where genuinely necessary to fulfill purposes of maintaining communication, adding contacts, or data backup.

Where the personal information collected or used under the preceding paragraph constitutes a communication secret, it shall comply with Article 5, paragraph 2 of these Provisions.

Article 11. An Internet application shall provide configuration options for the collection and use of personal information based on functional scenarios, allowing the user, as needed, to consent to the collection and use of the relevant personal information for particular functional scenarios only.

Article 12. An Internet application may request the necessary personal information permission corresponding to a given function only when the user is actually using that function, and shall concurrently notify the user of the purpose of use; it shall not request the permission in advance. Where the user declines, the Internet application shall not repeatedly request the permission in a manner that interferes with the user’s normal use of other functions.

Article 13. An Internet application shall not collect or use personal information before the user has consented to the personal information collection and use rule, and shall not collect or use personal information beyond the purpose, method, category, or retention period to which the user has consented.

An Internet application’s invocation of a permission must be directly related to the current functional scenario; it shall collect personal information only when the user is using the specific function, at the lowest frequency and narrowest scope necessary, and shall cease invoking the permission once the current functional scenario no longer requires it. It shall not collect unnecessary personal information or invoke unnecessary permissions.

Article 14. An Internet application shall invoke the camera or microphone permission only when the user actively chooses to use a function such as taking photographs, sending voice messages, or recording audio or video, and shall not invoke the camera or microphone permission once the user has stopped using the relevant function or in scenarios unrelated to it.

In scenarios that require real-time positioning, such as map navigation, route tracking, food or package delivery, and location sharing, the frequency of continuous invocation of the location permission shall be limited to the lowest frequency necessary to realize the business function; in scenarios that require only a single location fix, such as adding a location, content search, content recommendation, or advertising and marketing, the location permission shall be invoked only once, when the user enters the function interface or actively refreshes. Except where laws or administrative regulations provide otherwise, or the business function genuinely requires continuous access to location in the background, an Internet application shall not request the permission to access the user’s location information in the background.

Where a user chooses to use a function such as uploading or sending pictures or files, and the Internet application is able to achieve this using a storage access framework provided by the smart terminal, it shall not request the photo album, contacts, SMS, storage, or other such permission. Where an Internet application obtains the storage permission in order to provide a function such as file editing or file backup, it shall not access files other than those the user has actively chosen.

Article 15. The collection of biometric information such as facial, fingerprint, or voiceprint information by an Internet application shall have a specific purpose and sufficient necessity, shall be carried out in the manner that has the least impact on the rights and interests of the individual, and shall be subject to strict protective measures.

Except where laws or administrative regulations provide otherwise, or the user’s separate consent has been obtained, an Internet application’s collection and use of facial, fingerprint, voiceprint, or other such information shall be stored on the biometric device and shall not be transmitted externally over the Internet. Except where laws or administrative regulations provide otherwise, the retention period of biometric information shall not exceed the minimum time necessary to achieve the purpose of processing.

Article 16. An Internet application operator shall adopt adequate management measures and necessary technical measures, strictly implement the requirements for protecting the personal information of minors, and take effective precautions against the leakage, tampering, or loss of minors’ personal information.

Where an Internet application collects or uses the personal information of a minor under the age of 14, it shall formulate a dedicated personal information collection and use rule and obtain the consent of the minor’s parent or other guardian.

Article 17. Where an Internet application pushes information or conducts commercial marketing to a user by means of automated decision-making, it shall provide an easy-to-understand option, convenient to access and operate, for turning off personalized recommendations.

Where a user turns off the personalized recommendation function, the Internet application shall cease using the user’s personal information for personalized recommendation purposes.

Article 18. An Internet application shall provide users with a convenient function for canceling their account. Where a user cancels an account, the Internet application shall not require the user to newly provide personal information beyond what it has already collected — such as facial images or a photograph of the user holding an identity card — except where genuinely necessary for purposes such as guarding against fraud rings or security risk control.

Where a user cancels an account, the Internet application shall complete the account cancellation within 15 working days and delete the personal information it has collected, or anonymize it, except where laws or administrative regulations provide otherwise.

Where a single enterprise, or multiple Internet applications under the same corporate group, use a unified account for integrated management, the applications shall allow the user to choose to cancel the account for a single Internet application, or to choose to close that account’s ability to use that particular Internet application and delete the personal information used solely for that Internet application.

Article 19. An Internet application shall agree with each embedded software development kit on the purpose, method, and category of personal information collection and use, and on security-protection liability and liability for breach, and shall adopt effective technical measures to review the personal information collection and use behavior of the embedded software development kit, so as to ensure that the software development kit’s actual collection of personal information and invocation of permissions is consistent with what is declared about that software development kit in the Internet application’s personal information collection and use rule.

Where a user’s request to the Internet application to access, copy, correct, supplement, delete, or restrict the processing of personal information, or to cancel an account or withdraw consent, involves the personal information collection and use activity of a software development kit, the Internet application shall promptly notify the software development kit of the user’s request and urge the software development kit to respond to it in a timely manner.

Article 20. Where an Internet application optimizes or improves its personal information collection and use behavior and releases or updates a version accordingly, it shall take effective measures to remind users to upgrade, and shall update and replace the outdated version of the Internet application across all authorized release channels.

Article 21. Internet applications are encouraged to connect to the national network identity authentication public service, so as to support users in registering and verifying their real identity information using a cyber ID (网号) or cyber credential (网证).

Where a user chooses to register and verify identity information using a cyber ID or cyber credential and passes verification, the Internet application shall not compel the user to separately provide identity information in plaintext, except where laws or administrative regulations provide otherwise or the user consents to provide it.

Chapter 3. Operational Security Management Requirements for Software Development Kits

Article 22. A software development kit that collects or uses personal information shall formulate a personal information collection and use rule and make it public on the product’s official website.

Where multiple historical versions of the software development kit are operated concurrently, the software development kit shall set out the personal information collection and use behavior of each different version in its collection and use rule.

Where the purpose, method, scope, or other aspect of a software development kit’s collection and use of personal information changes, it shall update the corresponding personal information collection and use rule accordingly.

Article 23. A software development kit shall not collect or use personal information beyond the scope declared in its collection and use rule, shall not collect or use personal information beyond the minimum scope necessary to realize its business functions, and shall not invoke permissions at a frequency exceeding the lowest frequency necessary to realize its business functions.

Article 24. A software development kit shall provide function-based personal information configuration options, allowing the Internet application to manage and configure the software development kit’s personal information collection behavior according to different functional needs.

Where a software development kit pushes information or conducts commercial marketing to a user by means of automated decision-making, it shall provide the Internet application with an option to turn off personalized recommendations, and shall cease using the user’s personal information for personalized recommendation purposes once turned off.

A software development kit shall respond in a timely manner to user requests to access, copy, correct, supplement, delete, or restrict the processing of personal information that are notified to it by the Internet application.

Article 25. A software development kit shall establish effective means and channels for directly responding to a user’s request to access, copy, transfer, correct, supplement, delete, or restrict the processing of personal information, and such means and channels shall be set out in its personal information collection and use rule.

Chapter 4. Security Management Requirements for Application Distribution Platforms

Article 26. A distribution platform shall strengthen its review of Internet applications prior to listing, establish a compliance file on each Internet application’s personal information collection and use, and, when accepting an application for release or a version-update listing, register and verify the true identity, contact information, and other information of the Internet application operator, and record any problems concerning the Internet application’s personal information collection and use, including whether it has been publicly named or subjected to an administrative penalty by an authority performing personal information protection duties at or above the provincial level for unlawful or non-compliant collection or use of personal information. The distribution platform shall not list an Internet application whose operator has failed to provide the required information or has provided false information, or that lacks a personal information collection and use rule, an account-cancellation function, or a channel for deleting personal information.

In its pre-listing review, a distribution platform shall give priority display and recommendation to Internet applications whose operators have obtained personal information protection certification and Internet application security certification.

A distribution platform shall, within 6 months of the effective date of these Provisions, complete its review of Internet applications already listed on the platform, and shall remove from listing any application that fails the review.

Article 27. A distribution platform shall clearly and accurately display the following information on the distribution and download page for an Internet application:

(1) the name of the Internet application operator, or the name of the natural person operator, and contact information;

(2) an introduction to the Internet application’s principal functions;

(3) a list of the specific permissions the Internet application requires to run;

(4) the text of, or a link to, the personal information collection and use rule; and

(5) for an Internet application that has been publicly named or subjected to an administrative penalty by an authority performing personal information protection duties at or above the provincial level for unlawful or non-compliant collection or use of personal information, a personal information security risk alert shall be published on the distribution and download page within 6 months from the date of the notification or penalty.

Article 28. With respect to an Internet application that an authority performing personal information protection duties has determined to have engaged in unlawful or non-compliant collection or use of personal information, a distribution platform shall actively cooperate by taking disposal measures such as issuing a warning, declining to distribute it, suspending its distribution, or terminating its distribution.

Chapter 5. Security Management Requirements for Smart Terminals

Article 29. When accepting an application to preinstall an Internet application, a smart-terminal manufacturer shall register and verify the true identity, contact information, and other information of the Internet application operator. It shall not preinstall an Internet application whose operator has failed to provide the above information or has provided false information, or that lacks a personal information collection and use rule, an account-cancellation function, or a channel for deleting personal information.

Article 30. Where an Internet application requests a permission such as calendar, call log, camera, contacts, location, microphone, phone, SMS, storage, or physical activity, the smart-terminal operating system shall obtain the user’s consent through a pop-up window, and, based on the characteristics of the permission, provide fine-grained authorization options based on factors such as time, frequency, and precision.

Article 31. A smart terminal shall, through an easy-to-understand icon or other prominent indicator in a conspicuous location such as the top of the screen, truthfully alert the user to the microphone, camera, location, or other permission currently being invoked.

Article 32. A smart terminal shall truthfully record and centrally display: an Internet application’s invocation of permissions such as calendar, call log, camera, contacts, location, microphone, phone, SMS, storage, and physical activity; instances of an Internet application self-launching or launching in association with another application while running silently in the background; and an Internet application’s collection, through the smart terminal, of personal information such as clipboard content, the device’s unique identifier, or the list of installed applications. The rules governing such records shall be made public.

A smart terminal shall accurately alert the user to the security risks that may arise from an Internet application’s invocation of a permission.

Chapter 6. Oversight and Administration

Article 33. The national cyberspace administration department is responsible for the overall coordination and oversight of personal information protection work concerning Internet applications, software development kits, distribution platforms, and smart terminals. The telecommunications regulatory department, public security department, and other relevant authorities under the State Council shall, in accordance with relevant laws and regulations and the requirements of these Provisions, be responsible within their respective areas of responsibility for personal information protection and oversight work concerning Internet applications, software development kits, distribution platforms, and smart terminals.

Local cyberspace administration departments are responsible for the overall coordination and oversight of personal information protection work concerning Internet applications, software development kits, distribution platforms, and smart terminals within their administrative regions; local telecommunications regulatory departments, public security departments, and other relevant authorities shall, according to their respective duties, carry out personal information protection and oversight work concerning Internet applications, software development kits, distribution platforms, and smart terminals within their administrative regions.

Article 34. Internet application and software development kit operators shall provide an effective and easily accessible complaint and reporting channel on their official website and in their personal information collection and use rule, establish and improve mechanisms for accepting, handling, and responding to complaints and reports, and accept and dispose of personal-information-related complaints within their committed time limit (which shall not exceed 15 working days; where no time limit has been committed, 15 working days shall apply).

An Internet application operator shall also accept, handle, and respond to reports concerning the personal information practices of an embedded software development kit, and, where verified, shall urge the software development kit operator to make rectifications. A distribution platform operator and a smart-terminal manufacturer shall likewise accept, handle, and respond to reports concerning the personal information practices of a distributed or preinstalled Internet application, and, where verified, shall urge the Internet application operator to make rectifications.

Article 35. Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall formulate internal management systems and operating procedures, establish and improve an internal compliance management system and accountability mechanism, prevent personal information from being used for telecommunications and online fraud and other unlawful and criminal activities, and adequately protect users’ personal information.

Internet application operators, software development kit operators, distribution platform operators, and smart-terminal manufacturers shall cooperate with personal information protection oversight and inspection lawfully carried out by an authority performing personal information protection duties, and shall provide necessary technical support and assistance.

Article 36. Internet application and software development kit operators shall strengthen permission management over operations such as accessing, copying, modifying, and deleting personal information, and adopt security-technology measures such as encryption and de-identification, to prevent the leakage, loss, or unauthorized access of personal information.

Where a leakage or loss of personal information occurs, the Internet application or software development kit operator shall promptly notify users of the categories of personal information leaked, the cause, the possible harm, and the remedial measures taken, and shall report the incident to the authority performing personal information protection duties.

Article 37. Where an Internet application operator, software development kit operator, distribution platform operator, or smart-terminal manufacturer violates these Provisions, the authority performing personal information protection duties shall handle the matter in accordance with the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Regulation on Network Data Security Management, and other relevant laws and regulations; where a crime is constituted, criminal liability shall be pursued in accordance with law.

Chapter 7. Supplementary Provisions

Article 38. For the purposes of these Provisions, the following terms shall have the meanings set out below:

“Internet application” (App) means application software that is preinstalled on, or downloaded and installed onto, a smart terminal, as well as mini-programs, quick apps, and similar programs developed based on an open-platform interface of application software that can be used without installation.

“Internet application operator” means the developer, owner, manager, or provider of an Internet application.

“Software development kit” (SDK) means a software library that assists in software development.

“Software development kit operator” means the developer, owner, manager, or provider of a software development kit.

“Personal information subject” means the natural person identified or associated with the personal information.

“User” means a natural person who uses the functional services of an Internet application.

“Distribution platform” means a service provider that, over the Internet, provides for the release, download, or dynamic loading of Internet applications, including app stores, app marketplaces, quick-app centers, and mini-program platforms.

“Smart terminal” means a mobile communication terminal product that is capable of connecting to a public network, has an operating system, and allows the user to independently install and uninstall application software.

“Necessary personal information” means personal information that is necessary to ensure the normal operation of a basic functional service, or of a functional service that the user has chosen to use, such that the corresponding functional service cannot be provided to the user without it.

“Collectible personal information permission,” referred to for short as a “permission,” means a system permission opened by a smart terminal’s operating system to an Internet application that has the capability to collect personal information, including calendar, call log, camera, contacts, location, microphone, phone, SMS, storage, physical activity, and the like.

Article 39. These Provisions shall take effect as of [date to be specified].

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →