Application Distribution Platforms
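Comments Sought! New Rules Coming for Apps' Collection and Use of Personal Information: No Covert Photographing or Eavesdropping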
Nan Fang Du Shi Bao· 2026-01-10 16:06
Core Viewpoint - The National Internet Information Office has drafted the "Regulations on the Collection and Use of Personal Information by Internet Applications (Draft for Comments)" to enhance personal information protection and regulate the collection and use of personal information by internet applications [1][5].

Group 1: General Principles
- The regulations aim to standardize the collection and use of personal information by internet applications, ensuring that such activities comply with relevant laws and protect personal information rights [5][6].
- Collection and use of personal information must follow principles of legality, necessity, and honesty, and must not mislead or coerce individuals [6][7].

Group 2: User Consent and Information Collection
- Internet applications must inform users of the rules regarding personal information collection and obtain explicit consent, especially for sensitive information [1][6].
- Users should not be denied services if they refuse to provide personal information, except when such information is essential for service provision [1][6].

Group 3: Application Security Management
- Internet applications must adhere to security management requirements, including clear disclosure of information collection rules and obtaining user consent through prominent notifications [8][9].
- Applications must provide options for users to manage their personal information collection preferences based on specific functionalities [11][17].

Group 4: Third-Party Data Sharing
- Internet applications must obtain separate consent from users before sharing personal information with third parties [2][10].
- Applications are prohibited from collecting information from users outside their own data, except in specific cases where it is necessary for communication or data backup [2][10].

Group 5: Software Development Kits (SDKs)
- SDKs must provide options for personal information configuration based on functionality, allowing applications to manage data collection practices [2][17].
- SDKs are required to respond promptly to user requests regarding personal information management [17][25].

Group 6: Distribution Platforms
- Distribution platforms must strengthen the review process for applications, ensuring compliance with personal information collection regulations and maintaining a record of any violations [3][18].
- Platforms are required to complete audits of existing applications within six months of the regulations coming into effect [3][18].

Group 7: Smart Terminal Management
- Smart terminals must obtain user consent for accessing various permissions and provide clear notifications regarding the use of such permissions [20][22].
- The operating system of smart terminals should display information about the permissions currently being accessed by applications [22][23].

Group 8: Supervision and Compliance
- The National Internet Information Department is responsible for coordinating and supervising personal information protection across applications, SDKs, distribution platforms, and smart terminals [24][26].
- Entities that fail to comply with the regulations may face legal consequences, including criminal liability for serious violations [26][27].
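On the Collection and Use of Personal Information by Internet Applications: National Internet Information Office Publicly Solicits Comments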
智通财经网· 2026-01-10 12:12
Core Viewpoint - The National Internet Information Office has drafted the "Regulations on the Collection and Use of Personal Information by Internet Applications (Draft for Public Comment)" to standardize the collection and use of personal information by internet applications, protect personal information rights, and promote reasonable use of personal information, with feedback due by February 9, 2026 [1].

Group 1: General Principles
- The regulations aim to standardize the collection and use of personal information by internet applications, ensuring compliance with relevant laws such as the Cybersecurity Law and the Personal Information Protection Law [3].
- Internet applications operating within China must adhere to these regulations when collecting and using personal information, including those that collect information from individuals in China while operating outside the country [3].
- The collection and use of personal information must follow principles of legality, legitimacy, necessity, and integrity, and must not involve misleading or coercive practices [3].

Group 2: Responsibilities and Transparency
- Internet application operators are responsible for the collection and use of personal information and must conduct audits on embedded software development kits (SDKs) and distribution platforms [4].
- Operators must provide clear and transparent information regarding the collection and use of personal information, including the purpose, method, types of data collected, and user rights [6].
- Users must be informed of any changes to the collection and use rules, especially for applications with over 50 million registered users or 10 million monthly active users [7].

Group 3: User Consent and Rights
- Internet applications must obtain explicit user consent before collecting personal information and cannot refuse service based on a user's refusal to provide information, except when the information is necessary for service provision [4].
- Users should have easy access to options for managing their personal information, including the ability to view, copy, delete, or restrict processing of their data [12].
- Applications must provide a straightforward process for users to cancel their accounts and must delete or anonymize personal information within 15 working days after account cancellation [12].

Group 4: Security and Compliance
- Internet applications must implement adequate management and technical measures to protect the personal information of minors and prevent unauthorized access or data breaches [11].
- The regulations encourage the establishment of self-regulatory mechanisms within the industry to guide members in lawful personal information collection and usage [6].
- The National Cybersecurity Department will oversee compliance with these regulations, and violations may lead to administrative penalties or criminal liability [37].