App Information Protection Compliance Review (Personal Information Protection Policy)-Translation

APP information protection compliance review

Principle: openness and transparency in the collection of personal information
Agreement – Authority – Behavior – Guarantee

Testing of the rules for collecting and using user information

  • Publicity of "collection and use of personal information": (separately written, prominently marked, active authorization, legibility)
  • Explanation of the purpose and content of "collection and use of personal information": (completeness, reasonableness, unfair "overlord" clauses, over-scope agreement)
  • Whether the function is consistent with the content of "collection and use of personal information" in the statement: (explicit degree, collection action beyond the scope)
  • "Personal information security protection measures and capabilities" (data encryption, access control, malicious code specification)

Testing for excessive requests for sensitive permissions

  • The target SDK API level used by the app (bundled mandatory authorization, circumvention of security mechanisms)
  • Authorization methods and corresponding functions of the sensitive permissions requested by the app (excessive requests for sensitive permissions, illegal collection of personal information)
  • User complaint channels and feedback mechanisms: (complaint channels, complaint results)
  • User rights protection mechanism: (personalized recommendation unsubscribe, user information query deletion, account cancellation, authorization withdrawal)

APP infringement

Detailed reading of APP information protection compliance audit judgment rules

1. The following behaviors can be identified as "undisclosed collection and use rules"

  1. There is no privacy policy in the App, or there are no rules for collecting and using personal information in the privacy policy;
  2. When the App runs for the first time, the user is not prompted to read the privacy policy and other collection and use rules through obvious means such as pop-up windows;
  3. The privacy policy and other collection and use rules are difficult to access; for example, after entering the main interface of the app, it takes more than 4 clicks to reach them. [The privacy policy provided by the app should be easy for users to find and read]
    The following are considered violations:
    1. The privacy policy is not provided in the app, and can only be viewed through the official website and by consulting customer service
    2. The privacy policy access path is set too deep, and it takes more than 4 clicks to access

      Example:

      Pass: "My - Settings - About Us - Terms of Agreement - Privacy Policy"

      Fail: "My - Settings - About Us - Help - Terms of Agreement - Privacy Policy"

    3. The privacy policy is shown in a pop-up window only on first run, and cannot be viewed again after entering the application
    4. After registering and logging in, the privacy policy cannot be found in the app
  4. The privacy policy and other collection and use rules are difficult to read, for example the text is too small and dense, the color is too light or blurred, or no Simplified Chinese version is provided.

PS. What should be included in the privacy policy

  1. Basic information about the personal information controller: entity information (full name) and contact information.
  2. The catalog, method, and scope of personal information collected by each business function.
  3. Whether personal information is transferred abroad, the storage period of personal information, and how it is handled after that period expires.
  4. The purpose, method, and scope of external sharing, transfer, and public disclosure of personal information.
  5. Methods of querying, correcting, deleting personal information, withdrawing authorization, and canceling accounts, etc.
  6. The ability to safeguard the security of personal information. [Encryption processing of personal information during transmission]
  7. The possible security risks after providing personal information, and the possible impact of not providing personal information.
  8. Channels and mechanisms for handling inquiries and complaints from personal information subjects. Note that the promised handling period should not exceed 15 working days.

2. The following behaviors can be identified as "failure to clearly state the purpose, method and scope of collecting and using personal information"

  1. The purpose, method, scope, etc. of collecting and using personal information by the app (including entrusted third parties or embedded third-party codes and plug-ins) are not listed one by one;
    The following are considered violations:

    1. The types and purposes of collecting personal information are not fully listed
    2. Failure to explain the purpose of applying for phone, storage, address book, SMS, location, calendar, camera, microphone, etc. permissions one by one
    3. There is a third-party SDK that collects and uses personal information, but it is not clearly stated in the privacy policy
  2. When the purpose, method, and scope of collecting and using personal information change, users are not notified in an appropriate way, including updating the privacy policy and other collection and use rules and reminding users to read them;

  3. When requesting a permission that can collect personal information, or when collecting sensitive personal information such as the user's ID number, bank account number, whereabouts, etc., the user is not informed of the purpose, or the purpose is unclear and difficult to understand;
    [Failure to state the purpose at the same time: when the app actively requests permissions or collects sensitive personal information, it should state the purpose and the collection and use rules at the same time]
    The following are considered violations:

    1. The app does not clearly state the purpose before requesting sensitive permissions such as phone, storage, camera, microphone, contacts, text messages, calendar, and location, or after the user rejects them
    2. Although the purpose is notified simultaneously when applying for sensitive permissions, the purpose of the notification is not clear
    3. The purpose of collecting such personal information, rules of use, etc.

    Example:
    Android/Privacy Policy Personal Information Example 1
    Android/Privacy Policy Personal Information Example 2

  4. The content of collection and use rules is obscure, lengthy and cumbersome, and difficult for users to understand, such as using a large number of professional terms.
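
A static self-check for item 2.1 above (permissions not explained one by one) and for the target API level point in the permission testing list, as an added example that is not part of the original page: it reads a plain-text manifest, maps the requested permissions to the categories the rules name, and reports the categories the policy text never mentions. The sample manifest, the policy text and the keyword table are constructed assumptions; the permission names are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission name -> category named in item 2.1 of the rules.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumption: wording that counts as "the policy explains this category".
# Replace with the terms your own policy uses (and its language).
POLICY_KEYWORDS = {
    "phone": ("phone permission", "phone state", "imei"),
    "storage": ("storage",),
    "address book": ("address book", "contacts"),
    "SMS": ("sms", "text message"),
    "location": ("location",),
    "calendar": ("calendar",),
    "camera": ("camera",),
    "microphone": ("microphone",),
}


def audit_manifest(manifest_xml, policy_text):
    """Return target SDK facts and the permission categories the policy omits."""
    root = ET.fromstring(manifest_xml)

    target = None
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        raw = uses_sdk.get(ANDROID_NS + "targetSdkVersion")
        target = int(raw) if raw and raw.isdigit() else None

    # Group the sensitive permissions the app declares by checklist category.
    requested = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        category = SENSITIVE.get(name)
        if category:
            requested.setdefault(category, []).append(name)

    text = policy_text.lower()
    undisclosed = sorted(
        c for c in requested
        if not any(keyword in text for keyword in POLICY_KEYWORDS[c])
    )
    return {
        "target_sdk": target,
        # Below API level 23 there is no per-permission runtime prompt:
        # everything declared in the manifest is granted together at install.
        "runtime_prompts": target is not None and target >= 23,
        "requested": requested,
        "undisclosed": undisclosed,
    }


# Constructed sample input (not from a real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

SAMPLE_POLICY = (
    "We collect your location to show nearby stores. "
    "The camera is used only when you scan a QR code."
)

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST, SAMPLE_POLICY)
    print("targetSdkVersion:", result["target_sdk"])
    print("per-permission runtime prompts:", result["runtime_prompts"])
    print("categories missing from the policy:", result["undisclosed"])
```

A keyword hit only shows that the category is mentioned; whether the stated purpose is clear enough still needs a human read of the policy.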

3. The following behaviors can be identified as "collecting and using personal information without the user's consent"

  1. Start collecting personal information or turn on the permission to collect personal information before obtaining the user's consent

    [Counter-example: the third-party SDK is not configured properly and reads or requests authorization for personal information as soon as it is started. Rectification: move the initialization of the third-party SDK to after the user agrees to the privacy policy]

    [When the app is launched for the first time, the user should be reminded to read the privacy policy in an obvious way, and there should be no collection of personal information or permission request before authorization and consent]
    The following are considered violations:

    1. Permissions are requested before the user authorizes and agrees to the privacy policy
    2. The user's personal information is collected before the user authorizes and agrees to the privacy policy
    3. Personal information is already being collected while the user is still reading the privacy policy

    Counter example:
    Android/Collection of Personal Information Counter-Example 1

    Android/Authorize to upload personal information before agreeing to the privacy policy

  2. After the user expressly disagrees, still collecting personal information or opening the permission to collect personal information, or frequently asking for user consent and interfering with the user's normal use;
    The following are considered violations:

    1. At startup, when the permission is not granted, the app shows the permission pop-up window in a loop
    2. The app shows the pop-up window in a loop at runtime
    3. Permissions are requested frequently when the app is run again
      Counter-example:
      1. After the permission is denied, the permission pop-up window appears again when you switch back to this page (deny again, and it appears again the next time you switch back to this page)
      2. Or: kill the process and enter again, and the window pops up
  3. The actual collection of personal information or the open permission to collect personal information exceeds the scope of user authorization

  4. Soliciting user consent in a non-express way such as choosing to agree to the privacy policy by default [can be changed to quit the app if you do not agree with the privacy policy]
    The following are considered violations:

    1. The startup pop-up window only provides options such as "OK" and "I know", but does not provide the option to disagree
    2. Consent is selected by default in steps where consent is solicited, such as the registration interface and login interface
      Counter-example:
      Android/Privacy Policy Counter-Example - Default Consent
  5. Change the permission status of personal information that can be collected without the user's consent, such as automatically restoring the user's permission to the default status when the app is updated

  6. Utilizing user personal information and algorithms to push targeted information without providing options for non-targeted push information
    The following are considered violations:

    1. The privacy policy clearly states that there is a personalized push function, but the app provides no way to turn personalization off (turning items off one by one does not count; it must be a one-time switch-off)
      Example:
      Android/Privacy Policy-Turn Off Personalized Notifications
  7. Misleading users to agree to collect personal information or to open the authority to collect personal information by fraud, deception and other improper means, such as deliberately deceiving and concealing the real purpose of collecting and using personal information

  8. Failure to provide users with ways and means to withdraw their consent to the collection of personal information

  9. Collect and use personal information in violation of the stated collection and use rules.

4. The following behaviors can be identified as "violating the principle of necessity and collecting personal information irrelevant to the services it provides"

  1. The types of personal information collected or the permissions opened to collect personal information are not related to existing business functions;
    The following are considered violations:
    1. The corresponding business function is not provided, yet sensitive permissions are still requested
    2. The permission is requested in advance, before the function corresponding to the permission is used
      Counter-example:
      Android/Permission Review - Counter-Example of Early Application
  2. Refusal to provide business functions because the user does not agree to collect unnecessary personal information or open unnecessary permissions;
    The following are considered violations:
    1. At startup, the app cannot be used unless non-essential permissions are granted. [For example, the one-click login function uses the IMEI and MAC address as the unique identifier, and reading the IMEI requires the phone permission. How to avoid a violation after rejection: do not read the IMEI, use only the MAC address]
    2. At runtime, the app cannot be used unless the permission is granted
  3. The personal information collected by the app for new business functions exceeds the scope of the user's original consent. If the user does not agree, the original business functions will be refused, except for the new business functions that replace the original business functions;
  4. The frequency of collecting personal information exceeds the actual needs of business functions;
    The following are considered violations:
    1. The collection is not stated in the privacy policy, and the user's authorization and consent have not been obtained
    2. The privacy policy does not specify the purpose of the third-party SDK to collect contacts, text messages, and call records, nor is it authorized by the user
    3. During operation, frequently upload device information, location information, etc. when switching function interfaces or clicking a function
    4. During the running process, when switching the function interface or clicking a function every time, the third-party SDK frequently uploads device information, location information, etc.
    5. While the user stays on a given functional interface, personal information is collected frequently according to certain rules
    6. Out-of-scope collection when running silently or in the background
    7. SDK silent background overfrequency collection
  5. Compulsorily requiring users to agree to the collection of personal information solely for the purpose of improving service quality, enhancing user experience, targeted push of information, developing new products, etc.;
  6. The user is required to agree to open multiple permissions that can collect personal information at one time. If the user does not agree, it cannot be used.

5. The following behaviors can be identified as "providing personal information to others without consent"

  1. Without the user's consent or anonymization, the app client directly provides personal information to third parties, including providing personal information to third parties through third-party codes and plug-ins embedded in the client;
  2. Without the user's consent and without anonymization, after the data is transmitted to the App backend server, the collected personal information is provided to a third party; [This is generally not detectable, but you must do it yourself]
  3. The app accesses third-party applications and provides personal information to third-party applications without the user's consent.
    [Sharing personal information to third-party SDKs, applets, etc. without user authorization]
    The following are considered violations:
    1. The privacy policy does not inform the user of the purpose, type, and identity of the recipient of the personal information provided or transferred externally, and the data is provided to a third party through the client or embedded SDK and other codes and plug-ins without processing the data
    2. The privacy policy clearly states the purpose and scope of the third-party SDK's collection of personal information, but the personal information is provided to a third party before the user authorizes and agrees to the privacy policy
    3. The privacy policy does not inform the user of personal information transfer abroad, and there is data transmission abroad
    4. Directly provide personal information to third-party entities such as mini programs, official accounts, service applications, etc. without notification or consent of users

6. The following behaviors can be identified as "failing to provide the function of deleting or correcting personal information in accordance with the law" or "failing to publish information such as complaints and reporting methods"

  1. Failure to provide effective correction, deletion of personal information and cancellation of user account functions
    The following shall be deemed as violations:
    1. The APP does not provide the function of canceling the account
    2. The logout function provided by the APP is not available
  2. Set unnecessary or unreasonable conditions for correcting, deleting personal information or canceling user accounts.
    Principle: the user must not be asked for information beyond what was provided at registration, and cancellation should be convenient.
    The following are considered violations:
    1. Cancellation may require identity verification, but the personal information requested again should not exceed the personal information collected during registration, use and other service steps.
      For example: requiring a hand-held photo of the front and back of the ID card when cancelling, or requiring sensitive personal information such as face authentication information when correcting personal information
    2. Users should not be required to fill in accurate historical operation records as a necessary condition for cancellation
    3. The app should not merely point out that points, participation in activities, authorized logins, bindings and the like affect the exercise of rights, without providing channels to resolve those specific problems
    4. If cancelling a single account is set to apply to multiple products or services, this should be explained in detail to the user before cancellation
  3. Functions for correcting and deleting personal information and cancelling user accounts are provided, but the user's operations are not responded to in a timely manner; where manual processing is required, verification and processing are not completed within the promised time limit (the promised time limit shall not exceed 15 working days; if no time limit is promised, 15 working days applies)
    [account cancellation requires manual review and processing]
    The following are considered violations:
    1. Functions for correcting and deleting personal information and cancelling user accounts are provided, but the user's operations are not responded to in a timely manner; where manual processing is required, verification and processing are not completed within the promised time limit (the promised time limit shall not exceed 15 working days; if no time limit is promised, 15 working days applies)
  4. The user has completed an operation such as correcting or deleting personal information or cancelling the account, but the operation has not been completed on the app's backend
  5. Failure to establish and publish channels for personal information security complaints and reports, or failure to accept and handle within the promised time limit (the promised time limit shall not exceed 15 working days, or within 15 working days if there is no promised time limit).
    The following are considered violations:
    1. No channels for complaints and feedback
    2. Although the relevant channel is provided, the channel is unavailable, no one responds, no reply, etc.
    3. The relevant channels provided did not respond to and complete the processing of user requests within the prescribed time limit, or the promised time limit exceeded 15 working days

7. Failure to protect the security and rights of users' personal information

  1. Failure to take security measures such as encryption when transmitting and storing sensitive personal information
    The following are identified as violations:
    1. Clear text transmission of sensitive personal information such as user ID cards, account passwords, etc.
  2. Deceiving and misleading users into downloading the app
    This includes the following:
    1. There is no app download prompt on the advertising page, opening screen advertisement, main screen and other functional pages
    2. Advertising pages, opening screen advertisements, home screens and other functional pages deceive and mislead with prompts such as "whether to start the game immediately" and "receive red envelopes"
    3. Apps are downloaded automatically without the user choosing to download them
    4. The application promoted on the advertising page, opening screen advertisement, main screen and other functional pages does not match the promotion

Questions and answers

  1. Judgment of frequent pop-ups: more than 3 times (including 3 times) will count as frequent pop-ups
  2. There are no functions that cannot be written in the privacy policy
  3. Personalized display of products on the homepage, counted as personalized push
  4. SMS push and push content of interest based on user browsing habits are considered personalized push
  5. The number of user information modifications can be limited, but this function cannot be absent
  6. Accessed advertisements are classified as promotional advertisements, because they are not based on user preferences and are not personalized push
  7. A certain function requires a certain permission. Every time this function is used, an authorization pop-up window will pop up, which is not a frequent pop-up window.

Related Links:

  • Notice on Printing and Distributing the "Methods for Identifying the Illegal Collection and Use of Personal Information by Apps" (2019.12.30) http://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm
  • Notice on Issuing the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (2021.03.22) http://www.cac.gov.cn/2021-03/22/c_1617990997054277.htm
  • Notice of the Ministry of Industry and Information Technology on Carrying Out the Special Rectification Action of APP Infringement on User Rights and Interests (2020.07.22) http://www.gov.cn/zhengce/zhengceku/2020-08/02/content_5531975.htm
  • Xiamen Unified Internet Filing and Supervision Platform http://ga.xm.gov.cn/wa/login
  • Detection website:
    • App treasure
    • National APP technology testing platform (APP public service system) https://app.caict.ac.cn/#/login?redirect=%2Fsystem%2Fdetection

developer self-test

Check whether sensitive information has been reported before the privacy policy pops up

  1. Install two apps

    1. Use VirtualXposed to install a virtual system on your phone
    2. Then install HookLoginDemo
  2. Install your own app

  3. Open VirtualXposed to run the apps and view the log

    1. "Add Application": select HookLoginDemo and your own app

      Android/App information protection compliance audit self-inspection 1

    2. Open the "Settings" page of Xposed, select "Module Management", check HookLogin, exit to the "Settings" page and click "Restart"

      Android/App information protection compliance audit self-inspection 2

    3. Exit the "Settings" page, swipe up (app page) and click HookLogin to start it, and exit to the background after startup. Still on this Xposed application page, click on your own app to start it

      Android/App information protection compliance audit self-inspection 3

    4. Check the log: "Settings" > "Module Management" > button in the upper left corner, log

      If saving to a file, the local log path is /storage/emulated/0/Android/data/de.robv.android.xposed.installer/files/xposed_error_xxx.log

      Android/App information protection compliance audit self-inspection 4
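
One way to post-process the log saved in step 4, as an added example that is not part of the original page or of HookLoginDemo: it lists hooked calls to identifier, location and permission APIs that your app makes before the privacy policy is accepted. The log line layout, the package name `com.example.demo` and the `PRIVACY_AGREED` marker (a line you would log yourself when the user taps "agree") are assumptions; adapt the regular expression to what your hook module actually writes.

```python
import re
from datetime import datetime

# Real Android framework method names -> what the call reads or requests.
WATCHED = {
    "getDeviceId": "IMEI/device ID",
    "getImei": "IMEI/device ID",
    "getSubscriberId": "IMSI",
    "getMacAddress": "MAC address",
    "getLastKnownLocation": "location",
    "getInstalledPackages": "installed app list",
    "requestPermissions": "permission request",
}

# Assumed layout: "<date> <time> <package> <free text naming the hooked method>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
API_RE = re.compile(r"\b(" + "|".join(WATCHED) + r")\b")


def pre_consent_calls(lines, package, consent_marker):
    """Return (hits, consent_time).

    hits is a list of (timestamp, method, category) for watched calls made by
    `package` before the first line containing `consent_marker`. If the marker
    never appears, every watched call counts as made without consent.
    """
    consent_at = None
    calls = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match or match.group(2) != package:
            continue  # unparsable line or another app's activity
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S.%f")
        message = match.group(3)
        if consent_marker in message:
            if consent_at is None:
                consent_at = stamp  # only the first acceptance matters
            continue
        api = API_RE.search(message)
        if api:
            calls.append((stamp, api.group(1), WATCHED[api.group(1)]))
    hits = [c for c in calls if consent_at is None or c[0] < consent_at]
    return hits, consent_at


# Constructed sample log (not real HookLoginDemo output).
SAMPLE_LOG = """\
2024-01-01 10:00:00.120 com.example.demo hook TelephonyManager.getDeviceId()
2024-01-01 10:00:00.450 com.example.demo hook Activity.requestPermissions([READ_PHONE_STATE])
2024-01-01 10:00:01.000 com.other.app hook WifiInfo.getMacAddress()
2024-01-01 10:00:05.300 com.example.demo PRIVACY_AGREED
2024-01-01 10:00:05.900 com.example.demo hook LocationManager.getLastKnownLocation(gps)
"""

if __name__ == "__main__":
    hits, consent_at = pre_consent_calls(
        SAMPLE_LOG.splitlines(), "com.example.demo", "PRIVACY_AGREED"
    )
    print("consent recorded at:", consent_at)
    for stamp, method, category in hits:
        print(f"{stamp.time()}  {method}  ({category}) before consent")
```

Each hit corresponds to one of the violations listed under rule 3, item 1: a permission request or a collection of personal information before the user agrees to the privacy policy.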

APP information protection compliance review

Android/App information protection compliance review

Principle: The principle of openness and transparency in the collection of personal information
Agreement – ​​Authority – Behavior – Guarantee

Collection of user information, dial-up of usage rules

  • Publicity of "collection and use of personal information": (separately written, prominently marked, active authorization, legibility)
  • Explanation of the purpose and content of "collection and use of personal information": (completeness, reasonableness, overlord clause, over-scope agreement)
  • Whether the function is consistent with the content of "collection and use of personal information" in the statement: (explicit degree, collection action beyond the scope)
  • "Personal information security protection measures and capabilities" (data encryption, access control, malicious code specification)

Excessive application of application sensitive permissions for dial testing

  • The SDK target API level used by the APP (a package of mandatory authorization, circumvention of security mechanisms)
  • Authorization methods and corresponding functions of sensitive permissions applied by APP (excessive application of sensitive permissions, illegal collection of personal information)
  • User complaint channels and feedback mechanisms: (complaint channels, complaint results)
  • User rights protection mechanism: (personalized recommendation unsubscribe, user information query deletion, account cancellation, authorization withdrawal)

APP infringement

APP infringement

Detailed reading of APP information protection compliance audit judgment rules

1. The following behaviors can be identified as "undisclosed collection and use rules"

  1. There is no privacy policy in the App, or there are no rules for collecting and using personal information in the privacy policy;
  2. When the App runs for the first time, the user is not prompted to read the privacy policy and other collection and use rules through obvious means such as pop-up windows;
  3. The privacy policy and other collection and use rules are difficult to access. For example, after entering the main interface of the app, it takes more than 4 clicks to access the
    privacy policy provided by the app. It should be easy for users to find and read
    the following as violations:
    1. The privacy policy is not provided in the app, and the privacy policy can only be viewed through the official website and customer service consultation
    2. The privacy policy access path is set too deep, and it takes more than 4 clicks to access

      example:

      Via, "My - Settings - About Us - Terms of Agreement - Privacy Policy"

      Fail, "My - Settings - About Us - Help - Terms of Agreement - Privacy Policy"

    3. Only when running for the first time, the privacy policy is provided through a pop-up window, and cannot be viewed again after entering the application
    4. After registering and logging in, I can't find the privacy policy in the app
  4. Privacy policies and other collection and use rules are difficult to read, such as text is too small and dense, the color is too light, blurred, or the Simplified Chinese version is not provided.

PS. What should be included in the privacy policy

  1. Basic information controlled by personal information: subject information (full name), contact information.
  2. The catalog, method, and scope of personal information collected by each business function.
  3. Whether it involves the export of personal information data, the storage period of personal information, and the method of overdue handling.
  4. The purpose, method, and scope of external sharing, transfer, and public disclosure of personal information.
  5. Methods of querying, correcting, deleting personal information, withdrawing authorization information, and canceling accounts, etc.
  6. The ability to safeguard the security of personal information. [Encryption processing of personal information during transmission]
  7. The possible security risks after providing personal information, and the possible impact of not providing personal information.
  8. Channels and mechanisms for handling inquiries and complaints from personal information subjects. Note that the commitment period should not exceed 15 working days.

2. The following behaviors can be identified as "failure to clearly state the purpose, method and scope of collecting and using personal information"

  1. The purpose, method, scope, etc. of collecting and using personal information by the app (including entrusted third parties or embedded third-party codes and plug-ins) are not listed one by one; the
    following are considered violations:

    1. The types and purposes of collecting personal information are not fully listed
    2. Failure to explain the purpose of applying for phone, storage, address book, SMS, location, calendar, camera, microphone, etc. permissions one by one
    3. There is a third-party SDK that collects and uses personal information, but it is not clearly stated in the privacy policy
  2. When the purpose, method, and scope of collecting and using personal information change, users are not notified in an appropriate way, including updating the privacy policy and other collection and use rules and reminding users to read them;

  3. When applying to open the permission to collect personal information, or to collect personal sensitive information such as user ID number, bank account number, whereabouts, etc., the user is not informed of the purpose, or the purpose is unclear and difficult to understand
    ; Failure to simultaneously notify the purpose of personal sensitive information: APP actively applies for permissions, and should simultaneously notify the purpose, collection and use rules when collecting personal sensitive information]
    The following are considered violations:

    1. The APP does not clearly inform the purpose before applying for sensitive permissions such as phone calls, storage, cameras, microphones, contacts, text messages, calendars, and locations or after rejecting them
    2. Although the purpose is notified simultaneously when applying for sensitive permissions, the purpose of the notification is not clear
    3. The purpose of collecting such personal information, rules of use, etc.

    Example:
    Android/Privacy Policy Personal Information Example 1
    Android/Privacy Policy Personal Information Example 2

  4. The content of collection and use rules is obscure, lengthy and cumbersome, and difficult for users to understand, such as using a large number of professional terms.

3. The following behaviors can be identified as "collecting and using personal information without the user's consent"

  1. Start collecting personal information or turn on the permission to collect personal information before obtaining the user's consent

    [Reverse example: the configuration of the third-party SDK is not standardized, read/authorize the request for personal information as soon as the third-party SDK is opened-rectification-"Put the initialization of the third-party SDK after agreeing to the privacy policy]

    [When the APP is launched for the first time, the user should be reminded to read the privacy policy in an obvious way, and there should be no act of collecting personal information or applying for permission before authorization and consent] The following are considered violations
    :

    1. Apply for permission before the user authorizes and agrees to the privacy policy
    2. Before the user authorizes and agrees to the privacy policy, collect the user's personal information
    3. The user has already begun to collect personal information in the process of reading the privacy policy

    Counter example:
    Android/Collection of Personal Information Counter-Example 1

    Android/Authorize to upload personal information before agreeing to the privacy policy

  2. After the user expressly disagrees, still collecting personal information or opening the permission to collect personal information, or frequently asking for user consent, interfering with the normal use of the user, the
    following are considered violations:

    1. When starting, do not give permission to the APP pop-up window cycle
    2. APP pop-up window cycle at runtime
    3. Frequently apply for permissions when re-running
      . Counter-example:
      1. After denying the permission, when you switch back to this page again, the permission pop-up window will pop up (deny again, and it will pop up again when you switch back to this page)
      2. Or: kill the process and enter again, and the window will pop up
  3. The actual collection of personal information or the open permission to collect personal information exceeds the scope of user authorization

  4. Soliciting user consent in a non-express way, such as selecting agreement to the privacy policy by default [can be changed to: quit the app if the user does not agree with the privacy policy]
    The following are considered violations:

    1. The startup pop-up window only provides options such as "OK" and "I know", but does not provide an option to disagree
    2. Consent is given by default in a step that solicits consent, such as the registration interface or the login interface
      Counter-example:
      Android/Privacy Policy Counter-Example - Default Consent
  5. Change the permission status of personal information that can be collected without the user's consent, such as automatically restoring the user's permission to the default status when the app is updated

  6. Utilizing user personal information and algorithms to push targeted information without providing options for non-targeted push information
    The following are considered violations:

    1. The privacy policy clearly states that there is a personalized push function, but the app does not provide a way to turn personalization off (turning items off separately does not count; it must be a one-time shutdown)
      Example:
      Android/Privacy Policy-Turn Off Personalized Notifications
  7. Misleading users to agree to collect personal information or to open the authority to collect personal information by fraud, deception and other improper means, such as deliberately deceiving and concealing the real purpose of collecting and using personal information

  8. Failure to provide users with ways and means to withdraw their consent to the collection of personal information

  9. Collect and use personal information in violation of the stated collection and use rules.

4. The following behaviors can be identified as "violating the principle of necessity and collecting personal information irrelevant to the services it provides"

  1. The types of personal information collected or the permissions opened to collect personal information are not related to existing business functions;
    The following are considered violations:
    1. The business function corresponding to the permission is not provided, yet the sensitive permission is still applied for
    2. The permission is enabled in advance, before the function corresponding to it is used
      Counter-example:
      Android/Permission Review - Counter-Example of Early Application
  2. Refusal to provide business functions because the user does not agree to collect unnecessary personal information or open unnecessary permissions;
    The following are considered violations:
    1. At startup, the app cannot be used unless a non-essential permission is granted. [For example, the one-click login function uses the IMEI and MAC address as the unique identifier, and reading the IMEI requires applying for the phone permission. How to avoid a violation after the permission is rejected: do not read the IMEI, use only the MAC address]
    2. At runtime, the app cannot be used unless the permission is granted
  3. The personal information collected by the app for new business functions exceeds the scope of the user's original consent. If the user does not agree, the original business functions will be refused, except for the new business functions that replace the original business functions;
  4. The frequency of collecting personal information exceeds the actual needs of business functions;
    The following shall be deemed violations:
    1. The collection is not disclosed in the privacy policy, nor has the user authorized and consented to it
    2. The privacy policy does not specify the purpose for which the third-party SDK collects contacts, text messages, and call records, nor has the user authorized it
    3. During operation, device information, location information, etc. are uploaded frequently when switching function interfaces or clicking a function
    4. During operation, every time the function interface is switched or a function is clicked, the third-party SDK frequently uploads device information, location information, etc.
    5. While staying on a certain functional interface, personal information is collected frequently according to certain rules
    6. Out-of-scope collection when running silently or in the background
    7. Excessive-frequency collection by an SDK running silently or in the background
  5. Compulsorily requiring users to agree to the collection of personal information solely for the purpose of improving service quality, enhancing user experience, pushing targeted information, developing new products, etc.;
  6. The user is required to agree to open multiple permissions that can collect personal information at one time. If the user does not agree, it cannot be used.

5. The following behaviors can be identified as "providing personal information to others without consent"

  1. Without the user's consent or anonymization, the app client directly provides personal information to third parties, including providing personal information to third parties through third-party codes and plug-ins embedded in the client;
  2. Without the user's consent and without anonymization, after the data is transmitted to the App backend server, the collected personal information is provided to a third party; [This generally cannot be detected, but you must still ensure it yourself]
  3. The app accesses third-party applications and provides personal information to third-party applications without the user's consent.
    [Sharing personal information to third-party SDKs, applets, etc. without user authorization]
    The following are considered violations:
    1. The privacy policy does not inform the user of the purpose, type, and identity of the recipient of the personal information provided or transferred externally, and the data is provided to a third party through the client or embedded SDK and other codes and plug-ins without processing the data
    2. The privacy policy clearly informs the third-party SDK of the purpose and scope of collecting personal information, but the personal information is provided to a third party before the user authorizes and agrees to the privacy policy
    3. The privacy policy does not inform the user of personal information transfer abroad, and there is data transmission abroad
    4. Directly provide personal information to third-party entities such as mini programs, official accounts, service applications, etc. without notification or consent of users

6. The following behaviors can be identified as "failing to provide the function of deleting or correcting personal information in accordance with the law" or "failing to publish information such as complaints and reporting methods"

  1. Failure to provide effective correction, deletion of personal information and cancellation of user account functions
    The following shall be deemed as violations:
    1. The APP does not provide the function of canceling the account
    2. The logout function provided by the APP is not available
  2. Set unnecessary or unreasonable conditions for correcting, deleting personal information or canceling user accounts.
    Principle: cancellation must not require information beyond what was provided during registration, and cancellation must be convenient.
    The following are considered violations:
    1. Where cancellation requires identity verification, the personal information the user is asked to provide again should not exceed the personal information collected during registration, use and other service stages.
      When canceling, the user is required to provide a hand-held photo of the front and back of the ID card; when correcting personal information, the user is required to provide sensitive personal information such as face authentication information
    2. Users should not be required to fill in accurate historical operation records as a necessary condition for cancellation
    3. The app should not merely prompt that points, participation in activities, authorized logins awaiting unbinding, etc. affect the exercise of rights, without providing channels to resolve the specific problems
    4. If canceling a single account also cancels multiple products or services, this should be explained in detail to the user before cancellation
  3. Although functions for correcting and deleting personal information and canceling user accounts are provided, the user's operations are not responded to in a timely manner; where manual processing is required, verification and processing are not completed within the promised time limit (the promised time limit shall not exceed 15 working days; if there is no promised time limit, 15 working days apply)
    [Account cancellation requires manual review and processing]
    The following are deemed to be violations:
    1. Although functions for correcting and deleting personal information and canceling user accounts are provided, the user's operations are not responded to in a timely manner; where manual processing is required, verification and processing are not completed within the promised time limit (the promised time limit shall not exceed 15 working days; if there is no promised time limit, 15 working days apply)
  4. The user has completed operations such as correcting or deleting personal information or canceling the user account, but the App backend has not completed them
  5. Failure to establish and publish channels for personal information security complaints and reports, or failure to accept and handle within the promised time limit (the promised time limit shall not exceed 15 working days, or within 15 working days if there is no promised time limit).
    The following are considered violations:
    1. No channels for complaints and feedback
    2. Although the relevant channel is provided, the channel is unavailable, no one responds, no reply, etc.
    3. The channel provided did not respond to user requests and complete the processing within the prescribed time limit; the promised time limit exceeded 15 working days

7. Failure to protect the security and rights of users' personal information

  1. Failure to take security measures such as encryption when transmitting and storing sensitive personal information
    The following are identified as violations:
    1. Clear text transmission of sensitive personal information such as user ID cards, account passwords, etc.
  2. Deceiving and misleading users into downloading the APP
    As follows:
    1. There is no APP download prompt on the advertising page, opening screen advertisement, main screen and other functional pages
    2. Advertising pages, opening screen advertisements, home screens and other functional pages deceive and mislead users with prompts such as "whether to start the game immediately" and "receive red envelopes"
    3. Apps are downloaded automatically without the user voluntarily choosing to download them
    4. The application promoted on the advertising page, opening screen advertisement, main screen and other functional pages does not match the promotion

Question and answer

  1. Judgment of frequent pop-ups: more than 3 times (including 3 times) will count as frequent pop-ups
  2. Functions that do not exist in the app must not be written in the privacy policy
  3. Personalized display of products on the homepage, counted as personalized push
  4. SMS push and push content of interest based on user browsing habits are considered personalized push
  5. The number of user information modifications can be limited, but this function cannot be absent
  6. Integrated advertisements are classified as promotional advertisements; because they are not based on user preferences, they are not personalized push
  7. A certain function requires a certain permission. Every time this function is used, an authorization pop-up window will pop up, which is not a frequent pop-up window.

Related Links:

  • Notice on Printing and Distributing the "Methods for Identifying the Illegal Collection and Use of Personal Information by Apps" (2019.12.30) http://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm
  • Notice on Issuing the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (2021.03.22) http://www.cac.gov.cn/2021-03/22/c_1617990997054277.htm
  • Notice of the Ministry of Industry and Information Technology on Carrying Out the Special Rectification Action of APP Infringement on User Rights and Interests (2020.07.22) http://www.gov.cn/zhengce/zhengceku/2020-08/02/content_5531975.htm
  • Xiamen Unified Internet Filing and Supervision Platform http://ga.xm.gov.cn/wa/login
  • Detection website:
    • App treasure
    • National APP technology testing platform (APP public service system) https://app.caict.ac.cn/#/login?redirect=%2Fsystem%2Fdetection

Developer self-test

Check whether sensitive information has been reported before the privacy policy pops up

  1. Install two apps

    1. Install VirtualXposed to set up a virtual system on your phone
    2. Then install HookLoginDemo
  2. Install your own app

  3. Open VirtualXposed to operate and view the log

    1. "Add Application": select HookLoginDemo and your own app

      Android/App information protection compliance audit self-inspection 1

    2. Open the "Settings" page of Xposed, select "Module Management", check HookLogin, exit to the "Settings" page and click "Restart"

      Android/App information protection compliance audit self-inspection 2

    3. Exit the "Settings" page, swipe up (app page) and click HookLogin to start it, and exit to the background after startup. Still on this Xposed application page, click on your own app to start it

      Android/App information protection compliance audit self-inspection 3

    4. Check the log: "Settings" > "Module Management" > button in the upper left corner, log

      If saved to a file, the local log path is /storage/emulated/0/Android/data/de.robv.android.xposed.installer/files/xposed_error_xxx.log

      Android/App information protection compliance audit self-inspection 4
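
Once the log from step 4 is saved to a file, it can be checked automatically against the rule above that no personal information may be collected and no permission applied for before the user agrees to the privacy policy. The following is an added example, not part of the original post or of HookLoginDemo. The log line layout, the API list and the sample lines are assumptions constructed for illustration; adapt the patterns to what your hook module actually writes.

```python
import re
from datetime import datetime

# Android API methods that return personal information or ask for permissions.
SENSITIVE_APIS = {
    "getDeviceId": "IMEI",
    "getImei": "IMEI",
    "getSubscriberId": "IMSI",
    "getMacAddress": "MAC address",
    "getLastKnownLocation": "location",
    "getInstalledPackages": "installed app list",
    "requestPermissions": "permission request",
}

# Assumed layout: "MM-DD HH:MM:SS.mmm <text containing the hooked method name>"
LINE_RE = re.compile(r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
API_RE = re.compile(r"\b(" + "|".join(SENSITIVE_APIS) + r")\b")

def _parse_ts(stamp):
    # The log carries no year; pin a leap year so "02-29" still parses.
    return datetime.strptime("2000-" + stamp, "%Y-%m-%d %H:%M:%S.%f")

def pre_consent_findings(log_text, consent_time=None):
    """Return (timestamp, method, data_type) for sensitive calls before consent.

    consent_time is the moment the tester tapped "Agree", in the log's own
    timestamp format. None means "Agree" was never tapped during the run, so
    every sensitive call in the log is a finding.
    """
    cutoff = _parse_ts(consent_time) if consent_time else None
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack traces, banners, blank lines
        hit = API_RE.search(m.group(2))
        if hit and (cutoff is None or _parse_ts(m.group(1)) < cutoff):
            name = hit.group(1)
            findings.append((m.group(1), name, SENSITIVE_APIS[name]))
    return findings

# Constructed sample log (not real tool output).
SAMPLE_LOG = """\
08-12 10:15:01.120 hook: com.example.app -> TelephonyManager.getDeviceId()
08-12 10:15:01.480 hook: com.example.app -> WifiInfo.getMacAddress()
08-12 10:15:02.030 hook: com.example.app -> Activity.onResume()
08-12 10:15:09.700 hook: com.example.app -> LocationManager.getLastKnownLocation(gps)
"""

if __name__ == "__main__":
    for finding in pre_consent_findings(SAMPLE_LOG, "08-12 10:15:05.000"):
        print("before consent:", finding)
```

An empty result for a run in which the privacy pop-up was left unanswered is what the review expects; any entry points to a call that must be moved behind the consent step.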

Origin blog.csdn.net/Arvin_FH/article/details/132230187