CAC Issues Public Notice on Personal Information Collection Violations in 33 Apps

The Cyberspace Administration of China (CAC), in coordination with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), has released a new enforcement notice targeting serious personal information protection violations in mobile apps. The notice, published on April 27, 2026, highlights problems identified during the 2026 Personal Information Protection Special Campaign.

Official Notice Summary (Full Translation)

According to the joint announcement on the 2026 Personal Information Protection Series Special Actions, and in accordance with the Network Security Law, Personal Information Protection Law, Network Data Security Management Regulations, Methods for Identifying Illegal and Irregular Collection and Use of Personal Information by Apps, and other relevant laws and regulations, the CAC conducted inspections on apps (including mini-programs) regarding their collection and use of personal information. The following issues are hereby notified:

1. Failure to Provide or Properly Display Privacy Policies (15 Apps)

Apps such as 全能查询宝 (All-in-One Query Treasure), 商伴同恒, and 13 others either have no personal information collection and usage rules at all, or failed to clearly prompt users via pop-ups or other obvious methods to read the privacy policy upon first launch.

2. Failure to Disclose SDKs and Obtain Consent (2 Apps)

Apps including 雅思斩单词 (IELTS Word Killer) and 票豆 (Ticket Bean) did not individually list third-party Software Development Kits (SDKs) that collect personal information, nor did they obtain explicit user consent for these SDKs.

3. Violation of the Principle of Necessity (4 Apps)

Apps such as 贝利自动点击器 (Bailey Auto Clicker) and 万达普惠 (Wanda Pu Hui) collected personal information unrelated to the services they provide, breaching the “necessity principle” under Chinese law.

4. Barriers to Account Deletion (12 Apps)

Apps including 初念 (First Thought) and 零零汽 (Zero Zero Auto) failed to provide effective account cancellation channels or imposed unreasonable conditions for users to delete their accounts.

Deadline for Rectification: Affected app operators must complete corrections within 15 working days from the date of the notice and report the rectification results to the CAC. They face potential further penalties after verification by relevant authorities.

Contact: Tel: 010-55635865 | Email: appzhili@cac.gov.cn

Source: Cyberspace Administration of China Secretariat Bureau, April 27, 2026

Context and Implications

This latest enforcement action is part of China’s ongoing, high-priority national campaign to strengthen personal information protection. Since the Personal Information Protection Law (PIPL) took effect in 2021, Chinese regulators have maintained intense scrutiny on apps, especially those handling large volumes of user data. The 2026 special campaign emphasizes transparency, consent, data minimization, and user rights — particularly the “right to be forgotten” through easy account deletion.

Why this matters:

  • Transparency failures (Category 1) prevent users from making informed decisions about their data.
  • Hidden SDKs (Category 2) are a common loophole where third-party libraries quietly collect location, contacts, device IDs, or behavioral data without proper disclosure.
  • Excessive data collection (Category 3) violates the core PIPL principle that data collection must be directly related to the service and kept to the minimum necessary.
  • Account lock-in (Category 4) undermines user control and mobility between services.

Broader Regulatory Environment in China (2026)

China’s data governance framework continues to mature rapidly. The CAC, MIIT, and MPS regularly publish “name-and-shame” lists, which often lead to app store delistings, fines, or mandatory rectification (整改) if companies fail to comply. Previous similar notices have resulted in swift updates from developers seeking to avoid heavier penalties.

This enforcement wave reflects growing public and governmental concern over:

  • Over-collection of sensitive data (location, biometrics, browsing habits)
  • Opaque third-party data sharing via SDKs
  • Barriers that trap users in ecosystems once they sign up
  • Risks to national data security from poorly governed apps

Recommendations for App Developers and Companies

1. Implement clear, layered privacy policies with prominent pop-up consent mechanisms on first launch.
2. Maintain and publicly disclose a detailed SDK inventory with purposes and data types.
3. Apply strict data minimization — only collect what is essential for core functionality.
4. Provide one-click or simple account deletion with confirmation, without unreasonable hurdles.
5. Conduct regular internal audits against the App Personal Information Protection Evaluation Guidelines.

International developers operating in China should treat PIPL compliance with the same seriousness as GDPR in Europe. Non-compliance risks not only fines but also reputational damage and restricted market access.

The full original Chinese notice is available on the CAC official page.
