事关互联网应用程序个人信息收集使用 国家网信办公开征求意见

Core Viewpoint - The National Internet Information Office has drafted the "Regulations on the Collection and Use of Personal Information by Internet Applications (Draft for Public Comment)" to standardize the collection and use of personal information by internet applications, protect personal information rights, and promote reasonable use of personal information, with feedback due by February 9, 2026 [1]. Group 1: General Principles - The regulations aim to standardize the collection and use of personal information by internet applications, ensuring compliance with relevant laws such as the Cybersecurity Law and the Personal Information Protection Law [3]. - Internet applications operating within China must adhere to these regulations when collecting and using personal information, including those that collect information from individuals in China while operating outside the country [3]. - The collection and use of personal information must follow principles of legality, legitimacy, necessity, and integrity, and must not involve misleading or coercive practices [3]. Group 2: Responsibilities and Transparency - Internet application operators are responsible for the collection and use of personal information and must conduct audits on embedded software development kits (SDKs) and distribution platforms [4]. - Operators must provide clear and transparent information regarding the collection and use of personal information, including the purpose, method, types of data collected, and user rights [6]. - Users must be informed of any changes to the collection and use rules, especially for applications with over 50 million registered users or 10 million monthly active users [7]. Group 3: User Consent and Rights - Internet applications must obtain explicit user consent before collecting personal information and cannot refuse service based on a user's refusal to provide information, except when the information is necessary for service provision [4]. - Users should have easy access to options for managing their personal information, including the ability to view, copy, delete, or restrict processing of their data [12]. - Applications must provide a straightforward process for users to cancel their accounts and must delete or anonymize personal information within 15 working days after account cancellation [12]. Group 4: Security and Compliance - Internet applications must implement adequate management and technical measures to protect the personal information of minors and prevent unauthorized access or data breaches [11]. - The regulations encourage the establishment of self-regulatory mechanisms within the industry to guide members in lawful personal information collection and usage [6]. - The National Cybersecurity Department will oversee compliance with these regulations, and violations may lead to administrative penalties or criminal liability [37].