On 2 April 2026, the Cyberspace Administration of China (CAC) together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) jointly issued a notice to launch a nationwide campaign on personal information protection for 2026. The move builds on several years of enforcement following the implementation of the Personal Information Protection Law, aiming to address persistent abuses in data collection and use. The campaign focuses on improving transparency, limiting excessive data practices, and strengthening accountability across industries. The regulatory authorities have identified the following key areas and specific issues:
Regulating Apps and SDKs
A major focus of the campaign is the widespread misuse of personal data by apps and embedded SDKs. Authorities are targeting practices such as failing to disclose data collection rules, not offering account deletion options, and lacking complaint channels. Another key issue is misleading or incomplete disclosures about how data is collected and used. Regulators will also address situations where users are forced to consent to unnecessary data collection, or where apps access sensitive information, like location, contacts, or messages, without clear justification or beyond what is needed for core functions.
Cleaning Up Data Practices in Online Advertising
The campaign also takes aim at the online advertising ecosystem, where personal data is heavily used for profiling and targeting. Regulators are concerned about excessive data collection and the lack of transparency regarding how data is shared with third parties. Companies will be required to clearly explain how personal data is used for advertising and to provide accessible tools for users to correct, delete, or opt out of such processing. Special attention is given to algorithmic recommendation systems, with a requirement to offer clear and functional options to disable personalized ads and stop further data collection tied to profiling.
Protecting Students and Families in the Education Sector
In the education sector, the campaign highlights the need for stronger safeguards, especially for minors under 14. Schools and training institutions must obtain parental consent and establish dedicated rules for handling children’s data. Authorities are also cracking down on excessive data collection, such as gathering unnecessary details about students or parents. The sharing of data with third-party partners without proper disclosure and consent is another key concern. Additionally, the use of facial recognition as the sole method of identity verification is being restricted where less intrusive alternatives are available.
Strengthening Data Security in Transportation Services
Transportation services, including ticketing platforms and delivery companies, are under scrutiny for over-collecting data and misusing permissions such as access to microphones or storage. Regulators are also addressing forced registration practices, such as requiring users to provide phone numbers for simple services like parking payments. Data sharing with third-party agents without user consent, as well as leaks of sensitive information like travel records and home addresses, are key enforcement targets. Companies are expected to establish proper data protection systems and reduce unnecessary data exposure.
Safeguarding Sensitive Health Information
Healthcare institutions are being urged to tighten control over highly sensitive personal data. Issues include over-collection of information, weak identity verification systems that allow unauthorized access to medical records, and the unauthorized publication of patient information. The campaign also challenges the overuse of facial recognition in healthcare settings and emphasizes the need for encryption, access controls, and clear internal responsibilities. Managing third-party technical staff is another area of concern, given the risks of data leakage during system maintenance.
Reinforcing Compliance in the Financial Sector
Financial institutions and online lending platforms are being examined for collecting excessive personal data under the guise of risk control or service provision. This includes access to contacts, messages, call logs, and device information that may not be necessary. The campaign also targets undisclosed data sharing with third parties and the over-reliance on facial recognition for identity verification. Institutions are expected to improve internal governance, implement stronger security measures, and reduce the risk of data breaches.
Cracking Down on Data-Related Crimes
Beyond compliance issues, the campaign includes a strong enforcement component against illegal activities involving personal data. Authorities will focus on the full chain of data-related crimes, from leaks and trafficking to misuse. Particular attention is given to insider threats within organizations, as well as illegal activities in sectors such as public services, finance, healthcare, and transportation. The goal is to dismantle networks that profit from personal data and to deter future violations through stricter penalties.
Comment
This campaign signals a shift from broad legal frameworks to more targeted and practical enforcement. For businesses, the message is clear: compliance is no longer just about having policies in place, but about how systems actually behave. In the longer term, these efforts may push the industry toward more privacy-conscious design and help build a more trustworthy digital environment.