Super comprehensive arrangement｜"App Privacy Compliance Guide"

It is reported that the Ministry of Industry and Information Technology will launch a national App technology testing platform management system before the end of August 2020, and complete testing covering 400,000 mainstream Apps by December 10.

How to ensure collection compliance and avoid compliance risks?

I have sorted out an App Compliance Guide. In order for your App collection to be compliant, we strongly recommend that you read the following "Guide" carefully, adjust compliance measures in a timely manner, and conduct self-examination in a timely manner.

What illegal collection issues are current regulatory concerns about? How do I stay compliant?

(1) Illegal collection of users’ personal information

1. “Private collection of personal information”: that is, the App does not clearly inform the purpose, method and scope of collecting and using personal information and obtain user information. Collect user personal information before consent.

2. "Collection of personal information beyond the scope": that is, the App collects personal information that is not necessary for the service or has no reasonable application scenarios, and collects personal information beyond the scope or frequency, such as address book, location, ID card , face, etc.

Solution:

1. In order to solve the problem of "private collection of personal information", you should prepare an independent "Privacy Policy" for the App and make it clear to users The purpose, method and scope of collecting and using personal information by the App. If there are business functions related to the collection and use of children's personal information, personal information protection rules for children need to be formulated. If you use Umeng SDK, you need to explain to users the services and collection conditions provided by the SDK in the "Privacy Policy" (see the reference terms below for details).

2. In order to solve the problem of "out-of-scope collection of personal information", you should ensure that your collection is related to the App service functions, and the personal information fields involved have been disclosed in the "Privacy Policy" and obtained User authorization.

(2) Illegal use of users’ personal information

1. “Privately sharing personal information with third parties”: that is, the App interacts with other apps without the user’s consent Share and use users' personal information, such as device identification information, product browsing records, search usage habits, commonly used software application lists, etc.

2. “Forcing users to use the targeted push function”: That is, the App does not inform the user or does not mark it in a conspicuous manner, and uses the collected personal information such as user searches, browsing records, usage habits, etc. for targeted purposes Push or precision marketing without providing an option to turn off this feature.

Solution:

1. If you do not disclose the use of Umeng SDK in your privacy policy, you may be deemed to be "privately sharing personal information with a third party". To resolve this issue, you can disclose the details of the SDK in the Appendix to the Privacy Policy and include a link to the Privacy Policy. If you integrate more SDKs, you can list them one by one in the form of a table in the appendix of the "Privacy Policy". See the reference format below for details.

2. In order to solve the problem of "forcing users to use the targeted push function", we recommend that if you provide the targeted push function, you should inform users in the "Privacy Policy" and clearly mark the targeted push. At the same time, you should provide users with the option to turn off targeted recommendations to ensure users’ right to choose and meet regulatory requirements.

(3) Unreasonable requests for user permissions

1. "No permissions are given": that is, when the App is installed and running, the user is asked for information that has nothing to do with the current service scenario. Permission, after the user refuses authorization, the application will exit or close.

2. "Frequent application for permissions": that is, after the user explicitly rejects the permission application, the App frequently applies to open permissions such as address book, positioning, text messages, recording, camera, etc. that are irrelevant to the current service scenario, harassing the user.

3. "Excessive request for permissions": that is, when the user is not using relevant functions or services, the App applies in advance to open permissions such as address book, positioning, text messages, recording, camera, etc., or exceeds its business functions or services In addition, apply for permissions such as address book, positioning, text messages, recording, camera, etc.

Solution:

1. In order to solve the problem of "not allowing permission to be used", you should pay attention to explaining to users in detail what the App needs to retrieve through the "Privacy Policy" and other means. Permissions and purposes, and ensure that permission retrieval is related to service functions. When users deny irrelevant permissions, they can still use other functions of the App normally.

2. In order to solve the problem of "frequently applying for permissions", you need to pay attention to not frequently (such as within 48 hours) repeatedly applying for permissions after the user refuses authorization.

3. In order to solve the problem of "excessive request for permissions", you should ensure that the permissions required by the App are related to the business functions provided. For highly sensitive permissions such as text messages, address books, and microphones, you should be cautious when requesting permissions, clearly inform users, and obtain user authorization.

(4) Setting up obstacles for user account cancellation

"Account cancellation is difficult": that is, the App does not provide users with account cancellation services, or sets up unreasonable obstacles to the cancellation service.

Solution:

1. Provide the user with an account cancellation entrance;

2. The information required by the user when canceling the account shall not exceed the user registration and use Information provided during the App; 3. After the account is canceled, the user information should be deleted in a timely manner, or the user's personal information should be removed from the system involved in realizing daily business functions so that it cannot be retrieved or accessed;

4. The response time for user account cancellation shall not exceed 15 working days at most.

Which personal information fields or permissions are regulatory requirements to be written in the "Privacy Policy"?

Apps should list the personal information fields collected in the "Privacy Policy" and explain the purpose and use of collection to users. For a template of the "Privacy Policy", please refer to Appendix D of "GB/T 35273-2020 Information Security Technology Personal Information Security Specifications".

For personal information fields, see Appendix A/B of "GB/T 35273-2020 Information Security Technology Personal Information Security Specifications" for details.

Regarding personal information permissions, the iOS system focuses on: positioning, address book, calendar, reminders, photos, microphone, camera, health, etc.; the Android system focuses on: calendar, call history, camera, address book , location, microphone, phone, sensor, SMS, storage, etc.

Please note that current regulatory regulations do not prohibit the above collection, but you need to ensure that your collection behaviors are reasonably related to business functions, and comply with the "inform consent" rules to disclose to users and obtain user authorization. .

How to display the "Privacy Policy" in compliance with regulations?

1. You should ensure the independence and legibility of the Privacy Policy. The Privacy Policy should be a separate document and not part of the User Agreement or other documents. After entering the main function interface of the App, users can access the Privacy Policy by clicking/swiping within 4 times.

2. The "Privacy Policy" should itemize each business function and the type of personal information collected, and clearly identify the types of personal sensitive information (such as bold fonts, asterisks, underlining, italics, color, etc.), please refer to Appendix B of "GB/T 35273-2020 Information Security Technology Personal Information Security Specifications" for details of the types of personal sensitive information.

3. Users should choose whether to agree to the "Privacy Policy". Be careful not to obtain user authorization by checking "Agree" by default.

The above are self-organized and summarized rectification directions and suggestions for problems in privacy compliance testing. They will be continuously improved and updated in the future. Developers are invited to refer to them.

For example, regarding APP privacy compliance If you have any doubts about the test, you can leave a message in the comment area!