On December 27, the Ministry of Industry and Information Technology publicly solicited opinions on the "Notice of the Ministry of Industry and Information Technology on Further Improving Mobile Internet Application Service Capabilities (Draft for Comment)".

2025/10/20 22:18:38


The consultation draft proposes to strengthen the protection of personal information throughout the entire process of mobile Internet application services. The principle of legality, legitimacy and necessity should be adhered to, personal information processing rules should be clearly stated, and use rights should be reasonably applied for; users should be informed of personal information processing rules in a concise, clear and easy-to-understand manner, with the purpose, method and scope of processing of sensitive personal information highlighted and a list of collected personal information established, etc.

The full text is as follows

Notice of the Ministry of Industry and Information Technology on Further Improving Mobile Internet Application Service Capabilities (Draft for Comments)

In recent years, our Ministry has vigorously promoted the improvement of mobile Internet application service quality, effectively safeguarded the legitimate rights and interests of users, and achieved positive social results. However, irregular service problems at some enterprises and insufficient implementation of responsibilities in relevant links still occur from time to time. In order to optimize service supply, improve user experience, maintain a good information consumption environment, and promote high-quality development of the industry, in accordance with the "Personal Information Protection Law", "Telecommunications Regulations", "Several Provisions on Standardizing the Order of the Internet Information Services Market", "Provisions on the Protection of Personal Information of Telecommunications and Internet Users" and other relevant laws and regulations, the relevant matters are notified as follows:

1. Improve the service awareness of the whole process and protect the legitimate rights and interests of users

(1) Standardize installation and uninstallation behavior

1. Ensure informed consent for installation. When apps are recommended to users for download, the principles of openness and transparency should be followed; developer information, product functions, privacy policies, permission lists and other necessary information should be presented truthfully, accurately and completely, and an obvious "cancel" option should be provided at the same time. Download and installation can only be done after the user's confirmation and consent, thus effectively protecting the user's right to know and choose. It is not allowed to deceive and mislead users into downloading and installing through methods such as "stealing and substituting", "forced bundling", and "silent downloading".

2. Standardize the recommended download behavior of web pages. When users browse page content, Apps must not be downloaded automatically or forcibly without the user's consent or active choice, and users must not be forced to download and open Apps through folded display, active pop-ups, frequent prompts, etc. in ways that affect users' normal browsing of information. Without a reasonable and justifiable reason, users must not be required to download the App or be prevented from reading the full text.

3. Implement convenient uninstallation. Apart from basic functional software, Apps should be easily uninstallable and should not use blank names, transparent icons, background hiding, etc. to maliciously prevent users from uninstalling.

(2) Optimize service experience

4. Window closing is optional for users. Provide clear and effective closing buttons for opening and pop-up information windows. Frequent pop-ups must not be used to interfere with users' normal use, nor may "full-screen heat map", high-sensitivity "shake" and other methods that are likely to cause false triggers be used to induce user operations.

5. Inform of service matters in advance. Contents such as product function rights, tariff levels, etc. must be clearly stated. If there are additional conditions for membership activation, fees, etc., this should be prominently displayed. Without explicit explanation, you are not allowed to add restrictive conditions in the process of providing product services, and use this as a reason to terminate the product functions and services that users normally use, or to reduce the service experience.

6. The startup and running scenario is reasonable. It is not allowed to launch or associate other Apps, or to perform actions such as waking up, calling, updating, etc. that are not required for the service or are not reasonable.

7. Timely reminder for service renewal. If services are provided through automatic renewal, the user's consent must be obtained, and the option must not be checked by default or activation forcibly bundled. 5 days before automatic renewal, users will be reminded through text messages and other prominent means. During the service period, convenient unsubscription methods and automatic renewal cancellation methods will be provided.

(3) Strengthen the protection of personal information

8. Adhere to the principle of legality, legitimacy and necessity. Personal information processing activities should have a clear and reasonable purpose. Personal information should not be collected in violation of regulations merely for service experience, product development, algorithm recommendation, risk control, etc., and users should not be forced to agree to the collection of personal information unrelated to the service scenario. When the user refuses to provide personal information that is not necessary for the current service, this shall not affect the user's use of the basic functions of the service.

9. Express personal information processing rules. Inform users of personal information processing rules in a concise, clear and easy-to-understand manner, highlight the purpose, method and scope of processing sensitive personal information, and establish a list of collected personal information. Default check boxes, reduced text, lengthy text, etc. are not allowed to be used to induce users to agree to personal information processing rules.

10. Reasonably apply for permission to use. Required permissions are to be applied for dynamically when the corresponding business function starts, and users must not be required to agree to open multiple unnecessary permissions. When calling the terminal's photo album, address book, location and other permissions, the user is simultaneously informed of the purpose of applying for the permission. Permission status set by a user may not be changed without the user's consent.

(4) Respond to user demands

11. Establish a customer service hotline. Internet companies are encouraged to establish customer service hotlines. Major Internet companies will publish customer service hotline numbers in prominent locations on their websites and apps to simplify manual service transfer procedures. Encourage the improvement of customer service hotline capabilities. The average monthly response time is up to 30 seconds, and the response rate of manual services exceeds 85%.

12. Properly handle user complaints. Publish valid contact information and accept user complaints. Respond to complaints on the Internet information service complaint platform in accordance with the requirements of the regulations, ensuring that the processing is completed within 15 days and improving the satisfaction rate of complaint handling. It is encouraged to set up user satisfaction evaluation links in the App to guide users to participate in the evaluation.

2. Improve full-chain management capabilities and create a healthy service ecosystem

(1) Implement the main responsibilities of App developers and operators

1. Improve the internal management mechanism. Clarify the leading management department and person in charge of user services and rights protection, establish a full life cycle personal information protection mechanism, improve the assessment and accountability system, implement relevant laws and regulations and policy requirements in all aspects of product development, promotion and operation, and continuously improve compliance levels. Regularly conduct independent audits of personal information protection measures and implementation to effectively prevent potential risks.

2. Enhance technical support capabilities. Adopt security technical measures such as access control, technical encryption, and de-identification to strengthen front-end and back-end security protection. Actively monitor and detect risks and threats such as personal information leakage, theft, tampering, damage, loss, illegal use, etc., and respond to disposal requirements in a timely manner.

3. Strengthen the use and management of software development tools (SDK). Evaluate the personal information protection capabilities of the SDK before using it, and clearly stipulate the respective rights and obligations through contracts and other forms to ensure that personal information processing is in compliance with laws and regulations. Centrally display and timely update all embedded SDK names, functions and their rules for handling personal information. If the user's personal information is jointly processed and the user's rights and interests are infringed and damage is caused, the user shall bear joint and several liability in accordance with the law.

(2) Strengthen platform distribution management

4. Strictly review App listings. Accurately register and verify basic information such as the real identity and contact information of the App developer and operator and the main functions and uses of the App, and conduct technical testing of the App to be put on the shelves. The person responsible for relevant audits should be clearly identified and audit log records should be kept. Anything that does not meet the requirements will not be put on the shelves. Publicize all existing Apps, and indicate the App name, developer and operator, version number, required user terminal permission list and purpose, personal information processing rules and other information in a prominent position. If the distribution display interface has not yet been established, the App download link should be linked to the application store, and users should be guided to download the distributed App from formal channels.

5. Strengthen inspection of existing apps. Strengthen the dynamic inspection of Apps to ensure that the public information is true and accurate. For illegal apps that are inconsistent with the public information, or that use "hot update, hot switch" and other methods to arbitrarily change the main functions of the app, the permissions applied for, the scenarios and scope of personal information collection and use, etc., the service should be stopped.

6. Improve the distribution management mechanism. Establish credit evaluation, risk warning and other mechanisms for App developers and operators, encourage electronic signature authentication of distributed Apps, and enable the traceability of the entire process of listing applications and distribution behaviors. Strengthen linkage with the public service platform for testing and certification of mobile Internet applications, and cooperate with regulatory authorities in data reporting, monitoring and traceability, information sharing, and response processing.

(3) Standardize SDK application services

7. Establish an information disclosure mechanism. Publicly state basic information such as SDK name, developer, version number, main functions, instructions for use, as well as personal information processing rules. If the SDK independently collects, transmits, and stores personal information, it must provide a separate explanation. Encourage the role of SDK management service platform and guide App developers and operators to use compliant SDKs.

8. Optimize function configuration. Follow the minimum necessary principle, clarify the SDK functions and corresponding personal information collection scope based on different application scenarios or uses, and provide App developers and operators with configuration options for each functional module and personal information collection; excessive personal information must not be collected in a blanket manner.

9. Strengthen service coordination. Throughout the product life cycle, proactively provide App developers and operators with compliance usage guidelines in a clear and easy-to-understand manner, guiding App developers and operators to use them correctly and rationally, and jointly improve compliance levels. When personal information processing rules change or risks are discovered, promptly update and notify App developers and operators.

(4) Build a strong terminal security defense line

10. Strengthen App operation management. Provide users with the shutdown function of App auto-start and associated startup, as well as a convenient device identification code reset option, strengthen the monitoring of App silent downloads and hot updates, and prevent unauthorized downloads and installations without user consent.

11. Enhance App behavior record reminder. Enhance the ability to record permission invocation behaviors, providing convenience for users to query permission invocation situations. Establish a clear reminder mechanism for the status of permissions such as address book, microphone, camera, location, clipboard, etc. to ensure that users understand the collection status of personal information in a timely and accurate manner.

12. Improve App risk warning capabilities. Promote the implementation of electronic signature authentication of apps, and provide early warning prompts to users to improve the ability to identify risky apps such as counterfeit, bad, and illegal apps.

(5) Consolidate access to corporate responsibility

13. Accurately register information. When network access services are provided for Apps and SDKs, register and verify the real identity, contact information and other information of App and SDK developers and operators to improve traceability.

14. Ensure effective disposal. In accordance with the requirements of the telecommunications regulatory authorities, take necessary measures such as stopping access to illegal Apps and SDKs in accordance with the law to effectively prevent their violations of user rights and interests.

3. Work requirements

(1) Do a good job in organization and implementation. All units must adhere to the people-centered development philosophy, improve their political stance, strengthen their responsibilities, refine and decompose tasks, and conscientiously organize and implement various requirements to ensure effective results. Relevant enterprises must fulfill their main responsibilities, carry out self-examination and self-correction according to the requirements of this notice, and effectively safeguard the legitimate rights and interests of users. At the same time, we will improve long-term mechanisms, innovate models and methods, and continuously improve the level of mobile Internet application services, so that users can have a greater sense of gain, happiness, and security.

(2) Strengthen supervision and guidance. The Ministry of Industry and Information Technology has improved the evaluation, reporting, ranking, and publicity mechanisms, promoted the work to be carried out in a solid and orderly manner, and timely summarized and promoted excellent cases and experiences and practices. All local communications bureaus must strengthen supervision and inspection, guide and urge local enterprises to implement the requirements of this notice. For those who fail to implement or violate regulations, measures such as ordering rectification within a time limit, announcing to the public, organizing removal from shelves, suspending services, administrative penalties and other measures will be taken in accordance with the law, and serious accountability and investigation will be carried out.

(3) Strengthen technical means. China Academy of Information and Communications Technology should organize industrial forces, comprehensively use artificial intelligence, big data and other new technologies and new methods to upgrade and create a national testing and certification public service platform for mobile Internet applications, continue to improve platform functions, and do a good job in technical testing, monitoring services and regulatory support. Actively promote the application of traceability technical means such as electronic signature authentication to promote the improvement of service management capabilities.

(4) Promote industry self-discipline. Encourage industry associations and related institutions to formulate industry self-discipline conventions and technical standards, and strengthen evaluation, certification and talent training. We should further open channels to listen to the opinions of the masses, promote communication and interaction among all parties, guide enterprises to operate in compliance with laws and regulations, continuously optimize and improve services, create a good environment for excellence, mutual promotion and mutual advancement, and promote high-quality development with high-quality services.

Source: Official website of the Ministry of Industry and Information Technology

