Did you know?
The Cyberspace Administration of China released draft “Provisions on the collection and use of personal information by internet applications” on 10 January 2026. The draft Provisions are open for public consultation until 9 Feb 2026 and aim to protect and ensure the proper use of personal data by internet apps.
Why does this matter to you?
The draft Provisions are comprehensive and apply not just to the collection and use of personal information by downloadable apps, mini-programmes and installation-free quick apps[1] but also to software development kits (SDKs), distribution platforms, as well as intelligent terminals operated within the Chinese mainland.
The draft Provisions also apply to internet apps that collect the personal information of natural persons inside the Chinese mainland from outside of mainland China under circumstances set out in Article 3(2) of China’s Personal Information Protection Law (PIPL). This includes situations where personal information is processed for providing products/services to or analysing the activities of natural persons in the mainland.
In line with the PIPL requirements and some existing practices, apps cannot refuse to provide products or services because a user does not agree to the collection and use of their personal information, or withdraws consent, unless the personal information is necessary to provide the product or service.
When an app is first launched, it must inform users of its rules on collecting and using personal information through a prominent pop-up notification or other clear means, and obtain the user’s explicit consent.
Also, an app should not collect or use any personal information before users consent to such rules. This will impact mobile apps which require users to key in contact details such as mobile numbers in advance for identification or verification, before users have the opportunity to read and consent to the privacy rules. Considerable updates to user interfaces would be needed in order to comply.
There are other detailed and more stringent requirements regarding privacy policies and consent arrangements, aiming to curb excessive personal information collection and use, as well as unnecessary permissions. For example:
- The consent sought must be limited to the scope of personal information necessary for the specific functions of an app which a user chooses to use.
- Permissions should only be requested from a user when he/she activates those functions. Seeking advance permission is not allowed.
- Moreover, if relevant functions are no longer required, the permission is at an end. For instance, once a user stops using the camera, voice messaging, and audio/voice recording functions of an app, the app must stop relying on the permissions granted to avoid collecting non-essential personal information.
- Real-time positioning functions such as map navigation or takeout deliveries should limit the frequency of invoking permission to use and collect personal information to the minimum extent necessary. If the positioning function is needed, for example, when a user chooses to add locations, search content, or ask for content recommendations, the app should only permit a single use of the position function when the user enters or refreshes the app’s interface. Background location tracking by apps is generally prohibited.
- Apps must not collect or use the personal information of people other than the user by accessing permissions such as contacts, call logs, or text messages, unless it is genuinely necessary for functions such as communication, adding friends, or data backup.
- Biometrics such as facial features, fingerprints and voiceprints should only be collected for specific purposes and with justification. They should be locally stored and not transmitted externally via the internet.
- In line with existing practice, the Provisions require apps to offer enhanced protection for minors under the age of 14, including putting in place dedicated rules for the collection and use of minors’ personal information and obtaining consent from parents or guardians.
It is also noteworthy that SDKs must provide their own rules on collecting and using personal information. For providers of SDKs offering different versions of their product, the draft Provisions require such rules to specify how personal information will be collected and used for each version.
The draft Provisions also clarify:
- How app users should be notified about privacy policy updates and under what circumstances re-consent is needed.
- A separate consent from users is needed if the app will provide personal information to third parties.
- In the case of account cancellation, apps will be required to complete the cancellation process within 15 working days and delete the relevant collected personal information, or anonymize it, unless otherwise stipulated by laws or administrative regulations.

[1] A new type of mobile app that does not require installation, mainly supported by Chinese mobile phone manufacturers.




