China’s National Computer Virus Emergency Response Center (CVERC) has been the country’s leading cybersecurity emergency response center for over two decades. One of their areas of expertise is reviewing and identifying mobile apps that violate China’s privacy laws.
Recently, in an original report by Xinhua News Agency Tianjin, the CVERC reported, based on internet activity monitoring, on 12 mobile apps that violated critical personal privacy regulations. These violations put people’s personal data privacy at risk when they use the non-compliant apps on their smartphones or tablets, and carry a high risk of data breaches involving personal and sensitive user information.
Below is an overview of the eight main violations of privacy laws and regulations and the non-compliant apps that committed them.
1) Failure to Disclose App Operator Details and the Validity of Privacy Policies
The top privacy regulation non-compliance issue identified was the non-disclosure of critical app operator details and valid privacy policies. The following 10 apps violated this regulation in some way:
- Yi Jia Assistant (Version 1.11, Tencent App Store)
- Le Hu (Version 1.08, Tencent App Store)
- Qin Qin Bear Literacy (Version 2.0.03, Wandoujia)
- UHomes (Version 7.66.0, Xiaomi App Store)
- Dou Dou Accounting (Version 1.0.0, Tencent App Store)
- Shi De Driver (Version 1.9.4, Tencent App Store)
- Xi Xi Gu (Version 1.1, 360 Mobile Assistant)
- You Fang Hui Agent (Version 2.1.6, 360 Mobile Assistant)
- Dian Yao Network (Version 1.3.0, Tencent App Store)
- Chong Qi Zheng Tu (Version 1.3.3, 360 Mobile Assistant)
Mobile app developers are legally obligated to disclose essential details about themselves under China’s Personal Information Protection Law. These details include their name, contact details, and information confirming the validity of their privacy policies.
Without disclosing this information, app users have no idea which person or company is accessing and managing their personal data. Since these apps do not have any valid privacy policies published, users will remain unaware of how the app collects, shares, and processes their information. It is a significant breach of China’s information disclosure laws.
2) Not Enough Information About How the Apps Collect and Use Data
China requires mobile apps to provide privacy policies that explain how they will collect and use people’s data. If this process involves any third-party code, plugins or integrations, these must also be disclosed in the privacy policies.
The following seven apps failed to provide enough information about how they collect and use data:
- Yi Jia Assistant (Version 1.11, Tencent App Store)
- Le Hu (Version 1.08, Tencent App Store)
- Xixi Princess Dress-Up Story (Version 1.0.08, Tencent App Store)
- Qin Qin Bear Literacy (Version 2.0.03, Wandoujia)
- Qing Qu Assistant (Version 7.0.20240829, Vivo App Store)
- Shi De Driver (Version 1.9.4, Tencent App Store)
- Dian Yao Network (Version 1.3.0, Tencent App Store)
Users have a right to know what the apps do with their data. That way, they can decide whether to consent to letting the app share their data with any specific third-party entity.
If an app does not provide this information in its privacy policies, users are less likely to trust it because there is a higher risk of data breaches and unauthorized data sharing.
3) Sharing User Data with Unauthorized Third Parties
All mobile apps must obtain user consent before transmitting their personal information to third parties, including through embedded code or plugins (such as software development kits, or SDKs).
Unfortunately, the following four apps reportedly shared personal user data with third parties without obtaining user consent or desensitizing the personal data:
- Xixi Princess Dress-Up Story (Version 1.0.08, Tencent App Store)
- UHomes (Version 7.66.0, Xiaomi App Store)
- Xi Xi Gu (Version 1.1, 360 Mobile Assistant)
- Chong Qi Zheng Tu (Version 1.3.3, 360 Mobile Assistant)
The unauthorized third parties receiving this data can see sensitive user information, including their contact details and location. That information sometimes allows unsolicited targeted ads to be directed toward them.
In addition, the app operators failed to inform users how their information was processed, or to disclose the recipients’ names and contact details, the purpose and method of data processing, and the types of personal data that recipients could access. Separate user consent for sharing the data was also not obtained.
4) Gathering User Personal Data without Consent
China’s data privacy law requires apps to obtain consent before starting to collect personal information from users. One app was found not compliant with this regulation because it collected data without first obtaining user consent:
- UHomes (Version 7.66.0, Xiaomi App Store)
Gathering user personal data without consent violates China’s cybersecurity and personal information protection laws. Users have the right to allow or refuse the sharing of their information with any other entity.
The CVERC can impose operational restrictions, fines, and bans on apps that are not compliant with this regulation.
5) A Lack of Sufficient Options for Users to Manage Their Data
Apps must provide users with enough options to manage their data efficiently. For instance, they must allow users to easily correct personal data, deactivate accounts, delete data, and withdraw consent to share data.
The following five apps were found not compliant with this regulation by making it difficult or impossible for users to select these options:
- Xixi Princess Dress-Up Story (Version 1.0.08, Tencent App Store)
- UHomes (Version 7.66.0, Xiaomi App Store)
- Qing Qu Assistant (Version 7.0.20240829, Vivo App Store)
- Shi De Driver (Version 1.9.4, Tencent App Store)
- Xi Xi Gu (Version 1.1, 360 Mobile Assistant)
Many users reportedly had to satisfy unreasonable or unnecessary conditions to manage their data. Those who wanted to delete their accounts had to wait for them to be manually deactivated, with a guaranteed timeframe longer than 15 business days.
6) No Clear Privacy Complaint Channels
Apps must provide clear channels for users to submit privacy complaints and reports.
The following app failed to publish the necessary channels that would allow users to submit privacy complaints and reports:
- Xi Xi Gu (Version 1.1, 360 Mobile Assistant)
This privacy regulation also covers apps that provided the channels but failed to promptly process the complaints or reports. When app operators don’t address privacy complaints quickly, users are exposed to the increased risk of data breaches and unauthorized access to information.
7) Failure to Offer Options to Remove User Consent for Processing Data
Users must consent to allow app operators to process and share their data. However, they also have the right to withdraw that consent at any time. The app needs to provide the option to submit the withdrawal request.
The following two apps did not provide an easy way for users to remove their consent for other parties processing their personal information:
- Shi De Driver (Version 1.9.4, Tencent App Store)
- Le Hu (Version 1.08, Tencent App Store)
Any app that makes it difficult or impossible for users to revoke their consent is not compliant with this privacy law.
8) Failure to Obtain Guardian Consent for Publishing Personal Data of Minors
China has strict laws that prevent app operators from processing the personal information of minors under 14 without consent from their parents or guardians. An app can only process and share a minor’s personal data if it has received that consent first.
The following app was found not compliant with this regulation:
- Qing Qu Assistant (Version 7.0.20240829, Vivo App Store)
The app operators must also establish specific rules about how they handle minors’ personal information. If they don’t present these rules to the guardians at the time of their consent, it is still a violation of this privacy law.
Conclusion
The CVERC identified 12 mobile apps that were not compliant with one or more of the privacy laws and regulations outlined above. The work to detect and announce all of these non-compliant activities is a testament to the importance of data security in protecting sensitive app user information.
In this digital age, cybersecurity emergency response centers like the CVERC are critical to identifying violators and enforcing China’s privacy laws for the greater good of its citizens. All app operators must be transparent and accountable to comply with the rules and satisfy the privacy needs of their users.
The CVERC reminds mobile phone users to be cautious when downloading and using the above-mentioned non-compliant mobile apps, to carefully read their user agreements and privacy policies, to take care when deciding to open or agree to unnecessary privacy permissions, to take care when deciding to enter personal privacy information, and to regularly maintain and clean up their data to avoid the leakage of personal privacy information.
