
China Cracks Down on Forced Data Collection - New Regulations

December 4, 2020

China is progressing toward stricter regulation of how app developers gather user data. This week, the nation's cybersecurity authority initiated a public consultation regarding the permissible scope of user information that apps – ranging from instant messaging platforms to transportation network companies – can collect.

This action builds upon a proposed data protection law unveiled in October, which is currently undergoing evaluation. If enacted and put into practice, the extensive data privacy legislation would represent a significant achievement, as stated in an editorial published by China Daily, the official newspaper of the Chinese Communist Party. The law is intended to limit data handling practices not only within the private sector but also across governmental organizations.

The party newspaper highlighted that “certain instances of personal information exposure have led to financial harm for individuals when exploited for fraudulent purposes.” It further noted that “with the advancement of technology, the collection of personal data has expanded to include biological information, such as facial features or even genetic data, which could have severe repercussions if misused.”

Currently, many apps in China compel users to provide excessive personal information by denying functionality if consent is withheld. The newly released draft regulations address this issue by specifying the types of data collection deemed “lawful, appropriate, and essential.”

The draft defines “essential” data as that which is required to “ensure the standard functionality of apps.” Apps are obligated to provide access to users who have authorized the collection of this necessary data.

Below are examples of what is considered “necessary” personal data for various app categories, as translated by China Law Translate:

  • Navigation: location
  • Ride-hailing: the registered user’s verified identity (typically a mobile phone number in China) and location data
  • Messaging: the registered user’s verified identity and contact list
  • Payment: the registered user’s verified identity, and the banking details of the payer and payee
  • Online shopping: the registered user’s verified identity, payment information, and details about the recipient, including name, address, and phone number
  • Games: the registered user’s verified identity
  • Dating: the registered user’s verified identity, along with age, gender, and marital status for those seeking relationships

Certain app categories are also mandated to grant user access without requesting any personal information beforehand: live streaming, short video platforms, video/music streaming services, news applications, web browsers, photo editing tools, and app marketplaces.

It is important to recognize that while the draft establishes clear guidelines for app compliance, it does not detail enforcement mechanisms or penalties for violations. For example, it is unclear whether app stores will integrate these standards into their approval procedures, or whether the responsibility for oversight will fall to internet users. This remains to be determined.
