App National Privacy Protection Standard - Logical Thinking Software

Since May 1, the recommended national standard "Information Security Technology Personal Information Security Specification" (hereinafter referred to as the "Specification") has been in effect. The "Specification" also fills the gap in specific practice standards for personal information protection in China. So do our existing mobile apps meet the standard?

1. Publish the list of third-party authorizations

In terms of what should be communicated to users, publishing the list of third-party authorizations is the area with the most problems. The "Specification" points out that after a third party obtains the user's personal information through an application, the user should be able to find the identity or type of that third party in the application.

In addition, many policies are vague about the storage period of personal information. The policies of most apps mention that information is stored during the service period and deleted after the user logs out, but no specific time is given.

2. Authorization granted by default at registration does not mean authorization for all time

It is worth noting that the policies of some products state that once you choose to agree during registration, you agree to all subsequent authorization requests by default. The "Specification" states that, except in a few cases, a product's privacy policy should comply with the principle of opt-in consent: the explicit consent of the user is required, including when registering, when information is shared or transferred, when the company structure changes, and when information is publicly disclosed. In short, once a company uses personal information beyond its stated purpose, it must ask the user to re-authorize.

3. The right to obtain a copy of the information

The "Specification" mentions that users can obtain copies of their personal information through the product, including basic personal information, identity information, health and physiological information, education and work information, etc. According to the "Specification", the withdrawal of consent also covers two aspects: changing the scope of authorization and refusing to receive personalized advertisements.

4. Complaints about privacy issues

Appeal methods are an easily overlooked part of each app's privacy policy. The "Specification" points out that companies should provide users with privacy-related appeal methods, including time periods, contact information, and fees.

Although the "Specification" is a recommended national standard, the special work on privacy clauses jointly carried out since July 2017 by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security is mainly based on the "Specification (Draft for Comment)". Enforcement actions against individual enterprises also show that the "Specification" is in practice used as a review basis for administrative law enforcement. Enterprises should therefore take the "Specification" seriously and refer to its relevant requirements when carrying out their information security and personal information protection work.
