App compliance lecture: Is there a privacy policy in the app?

As an important window to inform users of personal information processing rules, the privacy policy has almost become the "standard configuration" of all apps. Since the implementation of the Personal Information Protection Law in November last year, laws and regulations have continuously put forward higher requirements for the formulation of privacy policies.

On May 26, the National Information Security Standardization Technical Committee issued the "Information Security Technology Internet Platform and Product Service Privacy Agreement Requirements" (Draft for Comments). The "Requirements" state that the privacy agreement should clearly, accurately and completely describe the personal information processing behaviors of the personal information processor and, in a form that is easy for users to read and understand, present to personal information subjects the key content that may affect their personal rights and interests.

In view of the above, the relevant app privacy compliance check is as follows:

- Detection content

Whether there is a privacy policy in the app, and whether the privacy policy contains rules for the collection and use of personal information.

- Test basis

1. Article 41 of the "Network Security Law of the People's Republic of China": Network operators shall follow the principles of legality, legitimacy, and necessity when collecting and using personal information, disclose the collection and use rules, clearly state the purpose, method and scope of collecting and using information, and obtain the consent of the person whose information is being collected.

2. Article 1 of "App Illegal and Illegal Collection and Use of Personal Information", under which the following behavior can be identified as "Undisclosed Collection and Use Rules" (first paragraph): there is no privacy policy in the app, or the privacy policy contains no rules for the collection and use of personal information;

3. "GB/T 35273-2020 Information Security Technology Personal Information Security Specification" - 5.5 Personal Information Protection Policy

4. "Information Security Technology Basic Specifications for Collection of Personal Information by Mobile Internet Applications (Apps)" - Basic Requirements for Collection of Personal Information by Apps

5. "Network Security Law of the People's Republic of China"

- Detection points

(1) The app should provide "the rules about the collection and use of users' personal information formulated by the App operator, that is, the privacy policy";

(2) The privacy policy should be available for users to read through "pop-up windows, text links, function menus" and other forms;

(3) Whether the link in the privacy policy is invalid, the text cannot be displayed normally, or the privacy policy does not include the rules for the collection and use of personal information by the app;
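The three detection points can be turned into a triage routine over the evidence a tester records. The following is an added example, not code from the original article or from any standard: the finding codes, the keyword heuristics and the sample observations are all constructed assumptions, and a keyword match only flags candidates for manual review.

```python
import re

# Assumed heuristics for this example; none of these strings come from a standard.
ENTRY = re.compile(r"privacy\s+(policy|agreement)", re.IGNORECASE)
RULE_TERMS = ("personal information", "collect", "use", "purpose")

def assess(screens, fetch):
    """screens: {screen name: visible text captured during manual testing}.
    fetch: (http_status, body_bytes) for the policy link, or None if never opened.
    Returns a list of finding codes; an empty list means no finding."""
    # Points (1) and (2): some pop-up, text link or menu must expose the policy.
    if not any(ENTRY.search(text) for text in screens.values()):
        return ["NO_POLICY"]
    # Point (3): the link must resolve...
    if fetch is None or fetch[0] != 200:
        return ["LINK_INVALID"]
    # ...the text must display normally (decodable and not blank)...
    try:
        text = fetch[1].decode("utf-8").strip()
    except UnicodeDecodeError:
        return ["TEXT_UNREADABLE"]
    if not text:
        return ["TEXT_UNREADABLE"]
    # ...and it must contain collection-and-use rules (crude substring check).
    lowered = text.lower()
    if not all(term in lowered for term in RULE_TERMS):
        return ["RULES_MISSING"]
    return []

# Constructed observations, one per outcome.
CASE_APP = {"first_launch": "Welcome! Tap Start", "settings": "About | Version 1.0"}
OK_SCREENS = {"first_launch": "Please read our Privacy Policy", "settings": "About"}
GOOD_BODY = ("We collect your phone number. Purpose: login. "
             "How we use personal information: ...").encode("utf-8")
THIN_BODY = b"We value your privacy."

if __name__ == "__main__":
    print(assess(CASE_APP, None))                   # no entry on any screen
    print(assess(OK_SCREENS, (404, b"")))           # entry exists, link is dead
    print(assess(OK_SCREENS, (200, b"\xff\xfe")))   # body is not valid UTF-8
    print(assess(OK_SCREENS, (200, THIN_BODY)))     # policy without the rules
    print(assess(OK_SCREENS, (200, GOOD_BODY)))     # nothing flagged
```

`CASE_APP` mirrors the detection case in this article: no prompt on first launch and no entry on any other screen.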

- Detection case

After the sample app is installed on the test mobile phone and started for the first time, no privacy policy is prompted by a pop-up window, and no privacy policy is found while operating multiple pages of the app, as shown in the following figure:

 

Because no privacy policy was shown when the app was opened for the first time, and the privacy policy declared by the app was not found in the app's other pages or settings, it was determined that there was no privacy policy in the app, which was suspected of privacy violations.

- Suggestions for rectification

The app should formulate a privacy policy that clearly, accurately, and completely describes the personal information processing behavior of the personal information processor, and the app should remind users to read the "Privacy Policy" when it is first launched.

Origin blog.csdn.net/Arvin_FH/article/details/132230005