China’s 2026 Draft App Privacy Regulations: CAC’s New Rules for Personal Information Collection and Use

The Cyberspace Administration of China (CAC) published a major new draft regulation on January 10, 2026, targeting how internet applications collect and use personal information. Titled “Regulations on the Collection and Use of Personal Information by Internet Applications (Draft for Comment),” the proposal strengthens existing frameworks under the Personal Information Protection Law (PIPL), the Cybersecurity Law, and the Network Data Security Management Regulations. The public comment period runs until February 9, 2026, giving developers, businesses, and users a final opportunity to influence the rules before they are finalized.

These regulations apply broadly to apps operating in China, including downloadable apps, pre-installed software, mini-programs, and embedded SDKs (software development kits). They also cover app distribution platforms, smart device manufacturers, and even overseas apps that collect data from Chinese residents. With China’s app ecosystem serving billions of users, the rules address long-standing issues like excessive permissions, hidden data collection, and third-party SDK overreach.

Why These Regulations Matter in 2026

The draft arrives amid rising user complaints about privacy intrusions and aligns with China’s ongoing push for stricter data governance. By emphasizing “legality, legitimacy, necessity, and good faith,” the CAC aims to curb misleading consent practices, limit unnecessary data gathering, and give users more control. For global tech companies—especially social media, e-commerce, gaming, and fintech apps—these rules could require significant compliance updates to maintain access to the Chinese market.

Core Principles and User Rights

The regulations reinforce data minimization and informed consent as foundational requirements:

  • Minimal and Necessary Collection: Apps may only collect data essential for declared functions and cannot deny core services if users refuse non-essential data sharing.
  • Clear, Structured Disclosures: Privacy rules must be written in simple language with itemized lists covering purposes, data types, permissions, storage periods, embedded SDK details, and user rights (access, correction, deletion, consent withdrawal, account cancellation).
  • Separate Consent for Sensitive Data: Biometric information (facial recognition, fingerprints, voiceprints) requires specific justification, minimal-impact methods, and device-local storage whenever possible.
  • Permission Handling: Permissions for camera, microphone, location, and storage can only be requested when actively needed. Background location tracking is heavily restricted, and apps must use system frameworks to avoid direct access where possible.
  • Minors Under 14: Special privacy rules and mandatory parental/guardian consent are required, with enhanced safeguards against leaks, tampering, or loss.
  • Personalized Recommendations: Users must have easy opt-out options for algorithmic advertising and content pushes; opting out stops all related data use immediately.
  • Account Cancellation: Apps must process cancellations within 15 working days, delete or anonymize data, and avoid demanding extra verification (like ID photos) unless strictly necessary for security.

Large-scale apps (over 50 million registered users or 10 million monthly active users) face additional scrutiny, including a mandatory 7-working-day public comment period for any rule changes.

Responsibilities Across the Ecosystem

The draft distributes accountability clearly:

  • App Operators: Primary responsibility for their own and embedded SDK data practices. They must technically audit SDK behavior, forward user requests to SDK providers, and ensure consistency with disclosed rules.
  • SDK Providers: Must publish their own privacy rules, limit collection to declared scopes, provide configuration options, and establish direct channels for user rights requests.
  • Distribution Platforms: Required to verify app identities, review privacy rules, reject non-compliant uploads, and display clear permission lists and risk warnings for penalized apps.
  • Smart Terminal Manufacturers: Must audit pre-installed apps, provide granular permission controls, visibly indicate active permissions (camera, microphone, location), and log background activities for user review.

The rules also prohibit unauthorized access to communication secrets (messages, calls) and require aggregated personal information to be handled with state-secret-level protections.

Enforcement and Penalties

Oversight will be coordinated nationally by the CAC, with local cyberspace administration offices handling regional enforcement alongside telecom, public security, and other agencies. Apps must provide accessible complaint channels and respond within 15 working days. Violations will be penalized under existing laws (PIPL, Cybersecurity Law), potentially including fines, app suspensions, or criminal liability in severe cases.

Implications for Developers and Businesses

For app developers, compliance will likely involve technical overhauls: redesigning permission flows, auditing SDK integrations, simplifying privacy notices, and building robust cancellation processes. Global companies may need to create China-specific versions or localized data handling to meet requirements without disrupting worldwide operations.

The emphasis on SDK accountability is particularly significant, as many privacy issues stem from third-party kits. Developers will need contractual agreements that clearly allocate responsibilities and enable technical monitoring. Distribution platforms and device makers will also face heightened review burdens, potentially slowing app launches but improving overall ecosystem trust.

Compared to frameworks like Europe’s GDPR, China’s approach shares similarities in consent and minimization but adds unique elements—stronger SDK oversight, device-level controls, and integration with national security priorities.

How to Submit Feedback

The CAC welcomes public input until February 9, 2026:

  • Visit www.cac.gov.cn and check the announcement section.
  • Email comments to shujuju@cac.gov.cn.
  • Mail to: Network Data Administration, National Internet Information Office, No. 15 Fucheng Road, Haidian District, Beijing (Postcode: 100048). Clearly mark the envelope with the draft title.

As China continues to refine its digital privacy landscape, these draft regulations signal a maturing regulatory environment focused on user empowerment and accountable innovation. Businesses operating in or targeting the Chinese market should review the full text now and prepare for potential implementation later in 2026.
