IT Home News, May 13: According to an official announcement from the Internet Trust Office, the office recently issued the Notice on App illegal collection and use of personal information behavior identification method (draft) (hereinafter referred to as the Notice), which defines the relevant behavior more clearly.
According to the Notice, there are seven situations in which an App collects and uses personal information illegally: 1. failing to publish the rules for collection and use; 2. failing to explicitly state the purpose, method and scope of collecting and using personal information; 3. collecting and using personal information without consent; 4. collecting personal information unrelated to the service provided by the App, in violation of the principle of necessity; 5. providing personal information to others without consent; 6. failing to provide the function of deleting or correcting personal information according to the law; 7. infringing on the legal rights and interests of minors in cyberspace.
The following is the full text of Notice on Soliciting Opinions on
This document is formulated to implement the Notice on the Special Governance of Apps Illegal Collection and Use of Personal Information, in accordance with the Network Security Law and other laws and regulations, as well as the national standard Personal Information Security Standards.
I. Failure to publish the rules for collection and use
1. There is no privacy policy or user agreement, or the privacy policy or user agreement contains no relevant collection and use rules.
4. Other violations of the requirement to publish the rules for collection and use.
II. Failure to explicitly state the purpose, manner and scope of collecting and using personal information
1. The purpose of collecting and using information violates the principles of legality, legitimacy and necessity, such as collecting personal information for the purpose of improving program function, enhancing user experience and directional push.
2. The types and frequencies of collecting personal information are not listed one by one, especially for sensitive personal information.
3. The purpose, method and scope of collecting and using personal information have changed, and users have not been notified in an appropriate way, including updating privacy policies and reminding users to re-read authorization, etc.
4. When applying for permission to collect personal information, users are not informed of the purpose of collection and use; for example, no reason is given when applying for access to the address book.
5. Each time the user is asked to provide sensitive personal information, such as ID card number or bank card number, the reasons are not explained synchronously in real time.
6. The content of the rules of collection and use is obscure and tedious.
7. Other situations where the purpose, manner and scope of collecting and using personal information are not explicitly stated.
III. Collection and use of personal information without consent
1. Starting to collect personal information without consent, such as before the App, on first run, prompts users to read the privacy policy;
2. Personal information is still collected after users explicitly refuse, such as when users do not agree to the collection of geographic location information;
3. Personal information actually collected and used is beyond the scope of user authorization;
4. User information and algorithms are used to push news and advertisements, but no option to terminate directional push is provided;
5. Privately invoking the privilege of collecting users' personal information without users' consent;
6. When the App is not opened or in use, the App calls users' personal information in the background;
7. Privately changing user-set permissions without users' consent, including restoring user-set permissions to the default state when the App updates;
8. After users explicitly refuse a request to collect personal information, the App still frequently solicits users' consent and interferes with users' normal use.
10. Other cases of collecting and using personal information without consent.
IV. Collecting personal information unrelated to the services provided, in violation of the principle of necessity
1. The type of personal information actually collected has nothing to do with the existing business functions, meaning that such information is not necessary to realize the existing business functions.
2. When users use business functions, the frequency of collecting personal information exceeds the needs of business functions.
3. Bundling a package of business functions for users' consent, and not providing any single service if they disagree.
4. App stops providing other business functions when users refuse a request to collect personal information from a business function.
5. App refuses to provide all services if users do not agree to collect personal information other than those required by such business functions.
6. When new business functions are added, the personal information that needs to be collected exceeds the originally agreed scope, and if users do not agree to the collection, the App refuses to provide the original business functions, except where the new business functions replace the original business functions.
7. Applying to open permissions for collecting irrelevant information;
8. Other cases of collecting personal information unrelated to the services it provides.
V. Providing Personal Information to Others Without Consent
1. Without consent and without anonymization, personal information is provided directly from the client to a third party, including through third-party code and plug-ins (such as SDKs) embedded in the App client;
2. After data is transmitted to the App server, the collected personal information is provided to third parties without consent and without anonymization;
3. Other situations where personal information is provided to others without consent.
VI. Failure to provide the function of deleting or correcting personal information as required by law
1. Failure to provide the functions of correcting and deleting personal information and canceling the user account;
2. Where online operation, a customer service telephone, e-mail, etc. are provided, the relevant operation receives no response;
3. Where manual handling is required, verification and processing are not completed within the committed time limit (15 working days if there is no committed time limit) after acceptance;
4. After the prompt for the correction, deletion or cancellation operation, personal information is still not corrected or deleted, or the user's account is still not canceled.
5. Other cases where no measures have been taken to delete or correct them.
VII. Infringement of the legal rights and interests of minors in cyberspace
1. Collecting and using personal information of minors under 14 years of age without the consent of their guardians;
2. Without the consent of the guardian, the information and algorithm of minors under 14 years old are used to carry out personalized push activities such as news, current affairs information and advertisement.
Source: IT Home Responsible Editor: Yao Liwei_NT6056