互联网应用程序个人信息收集使用拟规范

Core Viewpoint - The draft regulation aims to standardize the collection and use of personal information by internet applications, ensuring the protection of individual rights and promoting reasonable utilization of personal data [1] Group 1: Collection and Use of Personal Information - The draft stipulates that the collection and use of personal information should minimize the impact on individual rights and be limited to what is necessary for providing products or services [1] - It emphasizes that personal information must be collected in a lawful, fair, necessary, and honest manner, without misleading or coercive practices [1] - Internet applications must inform users of the collection rules and obtain their consent, especially for sensitive personal information [1][2] Group 2: User Consent and Notification - Internet applications are required to notify users of personal information collection rules prominently at the first launch and obtain explicit consent [2] - Any updates to the personal information collection rules must be communicated to users through noticeable methods, such as pop-ups, and require re-consent [2][4] - Applications must not collect information from third parties without user consent, except for specific functionalities like contact management [2] Group 3: Biometric Data and Minor Protection - The collection of biometric data (e.g., facial, fingerprint, voice recognition) must have specific purposes and be necessary, with strict protective measures in place [3] - Biometric data should be stored locally on devices and not transmitted over the internet unless legally required or with user consent [3] - Special rules must be established for collecting information from minors under 14, requiring parental consent [3] Group 4: Updates and Permissions Management - Applications with over 50 million registered users or 10 million monthly active users must publicly solicit opinions on updates to their personal information collection rules [4] - The draft also mandates that smart devices must obtain user consent for accessing various permissions and provide detailed options for granular control [4][5] - Smart devices should transparently record and display the usage of permissions by applications, ensuring users are informed about data access [5]