China Drafts Tighter App Data Rules Extending Platform Oversight

China's top internet regulator has released comprehensive draft regulations that significantly expand oversight of personal data collection by mobile applications, marking a substantial shift that extends responsibility beyond app developers to include platform operators, device manufacturers, and third-party service providers [mlex].

The Cyberspace Administration of China announced the provisions on personal information collection and use for internet applications on January 9, 2026, opening them for public consultation until February 9, 2026.

The draft rules aim to strengthen personal data protections while promoting reasonable data use, building upon existing frameworks established by the Cybersecurity Law, the Personal Information Protection Law, and the Regulations on the Security Management of Network Data [chinadaily].

Expanded Governance Framework

The proposed regulations represent a significant departure from previous approaches by establishing a governance framework that extends well beyond individual app operators. Platform operators, including app store managers, must now conduct security assessments of applications distributed through their stores and remove non-compliant applications when compliance gaps cannot be effectively remediated.

This responsibility extends to manufacturers of smart terminal devices with pre-installed applications, such as mobile phone and smart home product manufacturers, who will be required to comply with platform operator obligations in addition to their existing hardware manufacturer duties [dlapiperdataprotection].

Network platform service providers must clarify data security protection obligations for third-party product and service providers accessing their platforms through platform rules or contracts, and actively supervise these third parties to strengthen network data security management.

Platform operators must formulate rules and implement effective contracts with third parties residing on the platform to delineate data protection obligations and responsibilities [privacymatters.dlapiper].

Stricter Data Collection Limitations

The draft regulations impose stringent restrictions on how applications collect and use personal information, emphasizing that collection must be strictly limited to what is necessary for providing products or services and must not exceed the required scope.

Apps must employ methods that have the least impact on the rights and interests of individuals [globaltimes].

Applications can only invoke camera and microphone permissions when users actively choose to use functions such as taking photos, sending voice messages, or recording audio and video. They are explicitly prohibited from accessing these permissions when users have stopped using the relevant functions or in unrelated scenarios.

Upon first launch, applications must use prominent methods such as pop-up notifications to inform users about data collection rules and obtain explicit consent after users are fully informed [uniteddaily].

The regulations specifically prohibit apps from collecting or using personal information of individuals other than the user by accessing address books, call logs, or SMS permissions, except where such access is necessary for communication purposes, adding contacts, or data backup.

When providing personal information to third parties, applications must obtain separate consent from users [chinadaily].

Enhanced Biometric Data Protection

Internet applications collecting biometric information such as facial features, fingerprints, and voiceprints must demonstrate specific purposes and sufficient necessity, adopt methods that have the least impact on individual rights and interests, and implement strict protective measures.

Unless otherwise provided by laws or administrative regulations, or with the user's separate consent, biometric information should be stored on the biometric device and must not be transmitted externally via the internet [globaltimes].

These requirements align with the Security Management Measures for the Application of Facial Recognition Technology, which became effective on June 1, 2025, establishing some of the world's strictest rules on facial recognition.

The measures mandate that facial data must be stored locally in China, preferably on the device or a secure domestic server, with internet transfers only allowed with legal approval or explicit user consent [global.ecovis].

Special Protections for Minors

The draft rules emphasize that apps collecting and using personal information of children under the age of 14 must adopt dedicated rules and obtain consent from parents or other guardians.

This requirement complements the recently announced annual filing requirement for audits of minors' personal information processing, which took effect on December 29, 2025, requiring companies to file their audit results by January 31, 2026 [privacymatters.dlapiper].

All data controllers processing personal data of minors must now submit an annual report to the CAC covering processing activities in the previous year.

There is no volume threshold, meaning any data controller processing minors' data—even incidentally—is subject to this reporting requirement.

Account Cancellation and User Rights

The proposed regulations require apps to complete account cancellation within 15 working days and delete the relevant personal information collected, or anonymize it, unless otherwise stipulated by laws or administrative regulations.

Operating systems of smart devices must seek user consent via pop-ups when apps request permissions such as call logs, camera, location, or microphone, and offer fine-grained authorization options based on time, frequency, or precision depending on the permission involved.

Apps cannot refuse to provide products or services because a user does not agree to data collection and use, or withdraws consent, unless the personal information is necessary to provide the product or service.

Expert Perspectives and Industry Impact

Wang Sixin, vice dean and professor at the School of Politics and Law at the Communication University of China, characterized the draft as "a significant step in implementing China's evolving personal information protection framework".

Wang explained that the rules are "intended to enhance the protection of personal information, prevent app operators from over-exploiting personal information for secondary or even tertiary uses, and prevent them from appropriating all related rights and interests for themselves".

The regulations provide clearer operational guidelines for developers and platforms, which could help curb data misuse and foster a healthier digital environment.

However, they also introduce substantial compliance burdens, particularly for foreign companies operating in China or processing data of Chinese users [vistra].

Enforcement and Penalties

The draft rules build upon China's existing enforcement regime under the Personal Information Protection Law, which imposes severe penalties for violations.

Companies can face fines up to RMB 50 million or 5 percent of the previous year's revenues, while individuals directly liable for violations may face fines up to RMB 1 million and prohibition from serving in senior management roles [hawksford].

Recent enforcement actions demonstrate the government's commitment to these requirements. In 2025, multiple regulatory bodies including the Ministry of Industry and Information Technology, regional Cyberspace Administration offices, and other authorities have regularly published lists of non-compliant apps, resulting in notifications, mandatory rectifications, and delistings from app stores.

In July 2025 alone, the Shanghai CAC delisted 58 applications that failed to implement rectification as required [twobirds].

The amended Cybersecurity Law, which took effect on January 1, 2026, further strengthened enforcement capabilities by introducing app closure powers, allowing authorities to shut down mobile apps for certain violations.

The amendments also established a tiered penalty structure distinguishing between general violations, serious consequences, and particularly serious consequences, with fines for the most severe violations reaching RMB 10 million for businesses [techinsights.linklaters].

Broader Regulatory Context

The draft regulations are part of China's comprehensive approach to data governance, which has evolved rapidly since 2017 with the introduction of the Cybersecurity Law.

The Data Security Law, effective from 2021, obligates organizations to classify data by sensitivity and protect critical information. The Personal Information Protection Law, enacted in late 2021, governs how personal data is collected and processed, requiring clear and explicit consent from users [capgo].

The Network Data Security Management Regulations, which took effect on January 1, 2025, further expanded this framework by imposing additional obligations on network platform service providers and clarifying definitions that previous laws failed to explain, such as "network data processor," "entrusted processing," "joint processing," and "separate consent" [dirittocinese].

Large online platform service providers with more than 50 million registered users or more than 10 million monthly active users face even more stringent requirements, including publishing annual social responsibility reports discussing personal information protection matters and implementing measures to prevent unfair competition conducted via their platforms [mmlcgroup].

International Implications

The regulations apply not only to domestic companies but also extend extraterritorially to apps that collect, process, or store data from users in mainland China, regardless of where the developer is located.

This broad jurisdictional reach means that international app developers targeting Chinese users must ensure compliance or risk significant penalties and loss of market access [capgo].

Companies operating in China must now review their app compliance as a matter of priority, particularly given the short public consultation period and the government's demonstrated willingness to enforce these requirements through regular compliance campaigns and public notifications of violations [reedsmith].

The draft represents China's ongoing effort to balance technological innovation with privacy protection, national security concerns, and consumer rights in one of the world's largest digital markets.

As the public consultation period progresses through early February 2026, industry stakeholders will have the opportunity to provide feedback before the final regulations are implemented [bloomberg].

Anna Johnson

Anna Petrova provides the business perspective on innovation. Her focus is on the financial future, covering Tech Business & Startups, analyzing the volatile Crypto & Blockchain markets, and reporting on high-level Science & Future Tech.