China’s top cyberspace regulator has released a draft regulation that would significantly refine how internet applications collect, use, and share personal information. The proposal marks another step in the country’s effort to standardize data governance and bring greater discipline to everyday app behavior.
The draft, formally titled 《互联网应用程序个人信息收集使用规定(征求意见稿)》 (Provisions on the Collection and Use of Personal Information by Internet Applications, Draft for Comments), was issued on January 10, 2026, and is open for public consultation through February 9. It builds on the Personal Information Protection Law and related cybersecurity rules, focusing on practical enforcement at the application level.
A Shift Toward Stricter Data Minimization
At the core of the draft is a clear principle: apps should collect only what is necessary to provide their stated services, and nothing more. Broad or open-ended data harvesting is explicitly discouraged.
Under the proposed rules, internet applications must:
- Limit data collection and use to what is strictly required for functionality
- Clearly disclose data practices when the app is first launched, using prominent notices such as pop-up dialogs
- Obtain explicit user consent before collecting or processing personal information
- Seek separate consent before providing personal data to third parties
- Refrain from accessing address books, call logs, or SMS data belonging to non-users, except where essential for communication, contact management, or backup purposes
These requirements respond directly to long-standing complaints about excessive permissions, vague disclosures, and unclear consent mechanisms across China’s app ecosystem.
Accountability Beyond App Developers
One notable feature of the draft is its expanded scope of responsibility. Oversight is no longer limited to app developers alone.
The proposed framework also places obligations on:
- SDK providers, whose embedded tools often collect data invisibly
- App distribution platforms, which are expected to strengthen review and compliance checks
- Smart terminal manufacturers, who must monitor app behavior at the device level and ensure consistent permission management
By extending accountability across the entire app supply chain, the regulation aims to close gaps where personal data could be collected indirectly or without meaningful user awareness.
What Users Are Likely to Experience
If adopted largely as written, the regulation would translate into noticeable changes for everyday users in China.
These may include more precise consent prompts, clearer explanations for why specific permissions are required, fewer apps requesting access to sensitive functions such as call logs or SMS, and more consistent behavior across different devices and operating systems.
For international residents and business professionals who rely on local apps for payments, transport, communication, and administrative services, the result could be a more predictable and intelligible digital environment, one that increasingly resembles global norms around transparency and user choice.
Public Consultation and Regulatory Direction
The open consultation period runs through February 9, 2026. While primarily directed at domestic stakeholders, the process is formally open, and foreign-invested companies, industry groups, and individuals with a presence in China may also submit comments.
Beyond the specific provisions, the draft sends a broader signal. China’s regulatory focus is shifting from headline legislation to detailed operational rules that govern how data practices actually play out on users’ phones.
An Incremental but Meaningful Development
As with any draft regulation, revisions are likely before final adoption. Still, the direction is clear: tighter limits on data collection, stronger consent requirements, and wider accountability across the app ecosystem.
For those living and working in China, especially those deeply integrated into its mobile-first digital infrastructure, this represents a measured but meaningful move toward greater clarity, control, and consistency in how personal information is handled.
Related article: Afraid to Sell Your Old Computer or Phone? New China Rules for Data Safety
