Draft proposes apps get clear consent for data usage

China's top cyberspace regulator on Saturday released a draft regulation that seeks to manage how internet apps should collect and use personal information, and opened it for public comment.

Drafted by the Cyberspace Administration of China, the document states that apps should fully inform users of the rules in place for collecting and using personal data and obtain the user's consent. It adds that separate consent should be obtained for the collection and use of sensitive personal information.

Apps cannot refuse to provide products or services because a user does not agree to such collection and use, or withdraws consent, unless the personal information is necessary to provide the product or service, the draft noted.

The document also said an internet app should, when first launched, inform users of its rules on collecting and using personal information through a prominent pop-up notification or other clear means, and obtain the user's explicit indication of consent on the basis of full understanding.

According to the proposed regulation, apps must not collect or use the personal information of people other than the user by accessing permissions such as contacts, call logs or text messages, unless it is genuinely necessary for functions such as communication, adding friends or data backup.

It also said apps should request only the necessary permissions for a specific function when the user makes use of it, and state the purpose at the same time, rather than asking in advance.

The draft rule also stipulates that apps that collect biometric data — such as facial features, fingerprints and voiceprints — should have a specific purpose and clear necessity, and use methods that minimize the impact on individual rights and apply strict safeguards.

Unless otherwise provided by laws or administrative regulations, or with the user's separate consent, such information should be stored on the biometric device and must not be transmitted externally via the internet, the draft said.

The draft also emphasized apps that collect and use the personal information of children under the age of 14 should adopt dedicated rules and obtain consent from parents or other guardians.

In addition, for account cancellation, it required apps to complete the process within 15 working days and delete the relevant personal information collected, or anonymize it, unless otherwise stipulated by laws or administrative regulations.

When an app requests permissions such as call logs, camera, location or microphone, the operating system of the smart device should seek user consent via a pop-up and offer fine-grained authorization options, such as by time, frequency or precision, depending on the permission involved, the draft said.

The regulator said the draft regulation is aimed at protecting personal information rights and interests, and promoting the lawful and reasonable use of personal information.