China’s Internet Regulator Proposes New Rules on How Apps Collect and Use Personal Information

Published 13 January 2026, by Xia Yu
On 10 January 2026, the Cyberspace Administration of China released the Draft Regulation on the Collection and Use of Personal Information by Internet Applications (“Draft Regulation”) for public comment, with the feedback period open until 9 February 2026. Requirements for the special protection of personal information are established under laws and regulations including the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and the Regulations on the Security Management of Network Data. The Draft Regulation formulates specific operational rules governing the collection and use of personal information in the course of operating internet applications (“Apps”) within China, as well as for software development kits (“SDKs”), distribution platforms, and smart terminal devices that provide services facilitating such collection and use by Apps. The Draft Regulation also applies to Apps that collect and use the personal information of natural persons within China from outside China for the purpose of analyzing or assessing the behavior of natural persons.
Rules for App Operators Concerning the Collection and Use of Personal Information
The Draft Regulation stipulates that the core responsibilities of App operators (including developers, owners, managers, or providers of an App) include: formulating and publishing rules on the collection and use of personal information (“Personal Information Rules”) in an open and transparent manner; ensuring users provide informed, voluntary, and explicit consent and safeguarding their right to withdraw consent; adhering to the principles of functional-scenario relevance, minimum frequency, and minimum scope, prohibiting “bundled” requests for authorization, excessive collection, and coercive requests for authorization; and bearing responsibility for reviewing and managing SDKs embedded within the App, thereby forming a closed-loop of security accountability. For large-scale Apps, such as those with over 50 million registered users or over 10 million monthly active users, the Draft Regulation specifically requires that revisions and updates to the Personal Information Rules be subject to public consultation for a period of not less than seven working days.
The Draft Regulation establishes particularly stringent rules for high-risk scenarios involving Apps, such as the use of sensitive permissions (e.g., location, microphone, biometrics), the protection of minors, and automated decision-making (personalized recommendations). It imposes strict, scenario-based and frequency-based restrictions on an App’s invocation of location permissions. The Draft Regulation distinguishes between “real-time location scenarios” and “single-access location scenarios” and explicitly restricts permissions for continuous background location access. It regulates the use of microphone (and related communication) permissions, including: prohibiting the collection of personal information of individuals other than the user through invoking contacts, call logs, or SMS permissions; permitting the invocation of microphone permissions only when the user actively chooses to use functions such as sending voice messages or audio/video recording; and requiring that invocation cease when the user stops using the relevant function or enters an unrelated scenario. It sets a high-level protection threshold for the collection, storage, and transmission of biometric information (e.g., facial, fingerprint, voiceprint), such as requiring collection to have a specific purpose and sufficient necessity; requiring such personal information to be stored within the biometric device (e.g., a mobile phone’s secure chip) and not transmitted externally via the internet; stipulating that the retention period shall not exceed the minimum time necessary to achieve the purpose; and requiring separate user consent for collection and use.
Rules for SDKs, Distribution Platforms, and Smart Terminal Devices Concerning the Collection and Use of Personal Information by Apps
An SDK refers to a software library that assists in software development. Its operators include the SDK’s developer, owner, manager, or provider. A distribution platform refers to a service provider that offers App publication, download, or dynamic loading services via the internet, including app stores, application markets, quick app centers, and mini-program platforms. A smart terminal device refers to a mobile communications terminal product capable of connecting to public networks, equipped with an operating system, and allowing users to install and uninstall Apps independently.
Chapter III of the Draft Regulation clarifies the independent responsibilities and specific rules for SDK operators in personal information collection and use activities, regulating them as independent personal information processors. SDK operators shall formulate and publish their Personal Information Rules. The scope of personal information collection and use shall be limited to the minimum necessary scope and lowest frequency. SDK operators are prohibited from collecting and using personal information beyond the scope declared in their Personal Information Rules. SDKs shall provide Apps with function-based configuration options for personal information, allowing Apps to manage and configure the SDK’s personal information collection behavior. They shall promptly respond to user requests regarding access, copying, correction, supplementation, deletion, or restriction of processing of their personal information forwarded by the App. Where automated decision-making is used for information push or commercial marketing to users, a personalized recommendation opt-out option shall be provided. SDKs shall establish effective methods and channels to directly respond to user requests, which shall be listed in their Personal Information Rules.
Chapter IV of the Draft Regulation stipulates the review and management responsibilities of distribution platforms (e.g., app stores) throughout the entire process of App listing, display, and removal. Distribution platforms shall establish standardized profiles for Apps’ collection and use of personal information; record Apps’ issues concerning personal information and their history of being notified or penalized by regulatory authorities; display on distribution/download pages information such as the App operator’s details, main functions, list of permissions required, the text of or a link to the Personal Information Rules, and security risk warnings; and issue warnings, suspend distribution, or terminate distribution of Apps found to be non-compliant. When listing or updating an App, they shall verify and register the App operator’s authentic identity information. Apps lacking rules, account deletion functionality, or providing false information shall not be listed. For Apps already listed, the Draft Regulation sets a six-month transition period for reviewing and cleaning up existing inventory.
Chapter V of the Draft Regulation clarifies the key infrastructural responsibility of smart terminal device manufacturers (primarily referring to operating system providers or hardware manufacturers of mobile devices such as smartphones and tablets) within the personal information protection chain. The core obligation is to provide users with transparent and granular permission control capabilities through system-level design and management. When processing App pre-installation requests, smart terminal manufacturers shall register and verify the App operator’s authentic identity and contact information. Apps with incomplete or false information, or lacking Personal Information Rules or account deletion functionality, shall not be pre-installed. When an App requests high-sensitivity permissions such as calendar, location, or microphone, the smart terminal’s operating system shall prompt the user via a pop-up window to obtain consent and provide granular authorization mode options based on time, frequency, accuracy, etc. (e.g., “Allow only while using the app”, “Allow only once”), moving away from the crude “all-or-nothing” authorization model. In a prominent screen location (e.g., the status bar), conspicuous icon-based indicators shall truthfully alert the user to the current invocation of sensitive permissions such as microphone, camera, or location. Smart terminals shall accurately record and centrally display detailed logs of an App’s invocation of sensitive permissions, including behavior during background silent launches, associated launches, and collection of clipboard data or device identifiers.
Conclusion
The Draft Regulation constructs a whole-lifecycle regulatory framework involving four responsible entities—App and SDK operators, distribution platforms, and smart terminal manufacturers—for the collection and use of personal information by Apps. App operators bear primary responsibility for managing the App and embedded SDKs. SDK operators bear independent responsibility, requiring them to publish Personal Information Rules, provide relevant configurations, and directly respond to user requests. Distribution platforms bear review responsibility, requiring them to verify App operator identity, maintain profiles, publicize risks, and delist non-compliant Apps. Smart terminal manufacturers bear infrastructural guardian responsibility, requiring them to provide granular authorization, real-time prompts, and activity logging.



© 2026 - All rights reserved.