Secretariat of the National Information Security Standardization Technical Committee, Information Security Technology—Basic Specification for Collecting Personal Information in Mobile Internet Applications (App) (Draft)
全国信息安全标准化技术委员会秘书处信息安全技术移动互联网应用(App)收集个人信息基本规范 (草案)
September 05, 2019 | BY Susan Mok
Mobile apps are restricted in collecting personal data
Issued: August 8, 2019
Main contents: An App that collects personal information shall satisfy the following administration requirements:
(a) the App operator shall perform its obligation of protecting personal information by taking the necessary security measures to ensure the security of users' personal information;
(b) when a user consents to the collection of the minimum information for a certain type of service by the App, the App may not refuse to provide the service in question if the user refuses to provide personal information beyond the minimum information;
(c) the App may not collect personal information unrelated to the service being provided;
(d) before sharing or transferring personal information with/to a third party, the App shall secure the prior express consent of the user; if the user does not give his/her consent, his/her personal information may not be shared or transferred with/to the third party;
(e) the App may not collect unalterable unique equipment identifiers (e.g. IMEI numbers, MAC addresses, etc.), except for the purpose of ensuring network security or operating security;
(f) once a user expressly refuses to use a certain type of service, the App may not repeatedly (e.g. more than once every 48 hours) seek to have the user agree to use the service in question, and shall ensure that he/she can normally use the other services; and
(g) the App shall be liable for the collection of personal information by third-party code or plug-ins used by it; the collection of personal information by third-party code or a plug-in shall be treated as collection by the App, and the App shall guard against the collection of non-pertinent personal information by the third-party code or plug-in.
Note: if the third-party code or plug-in itself expressly informs the user of its purpose for, method of, and scope of, collection and use of personal information and seeks the user's consent therefor, the third-party code or plug-in shall bear independent liability for its collection of personal information (Article 4.1).
The Schedule sets forth the minimum information collectible by 21 common types of service, namely map navigation, online ride hailing, instant messaging, blogs/forums, online payment, news, online shopping, short videos, courier delivery, meal order and delivery, transport ticketing, dating services, employment services, financial lending and borrowing, premises rental and sale, used vehicle trading, sports and fitness, registration to see a doctor, browser, input method and security management.
Because an online payment App is granted a relatively broad scope of minimum information, it may collect the user's name, ID document number, term of validity of the ID document, a photocopy of the ID document, account number and password, as well as sensitive information such as the bank card number and the term of validity of the bank card. The scope for an instant messaging App is much narrower: it may only collect the user's account information, password, etc. Although such software may collect information on the user's friends and list of groups, it may not make access to the user's address book mandatory. A map navigation App may collect only two types of information, namely the user's online log and precise positioning information. The Draft also sets out the minimum scope of permissions for each service type, e.g. online ride hailing has location permission and phone dialing permission; short video has storage permission; sports and fitness has location permission and sensor permission; security management has storage permission, permission to access App accounts, permission to read phone status, SMS permission, etc.