China is a step closer to cracking down on unscrupulous data collection by app developers. This week, the country’s cybersecurity watchdog began seeking comment on the range of user information that apps from instant messengers to ride-hailing services are allowed to collect.
The move follows in the footstep of a proposed data protection law that was released in October and is currently under review. The comprehensive data privacy law is set to be a “milestone” if passed and implemented, wrote the editorial of China Daily, the Chinese Communist Party’s official mouthpiece. The law is set to restrict data practices not just by private firms but also among government departments.
“Some leaking of personal information has resulted in economic losses for individuals when the information is used to swindle the targeted individual of his or her money,” said the party paper. “With increasingly advanced technology, the collection of personal information has been extended to biological information such as an individual’s face or even genes, which could result in serious consequences if such information is misused.”
Apps in China often force users into surrendering excessive personal information by declining access when users refuse to consent. The draft rules released this week take aim at the practice by defining the types of data collection that are “legal, proper and necessary.”
According to the draft, “necessary” data are those that ensure the “normal operation of apps’ basic functions.” As long as users have allowed the collection of necessary data, apps must grant them access.
Here are a few examples of what’s considered “necessary” personal data for different types of apps, as translated by China Law Translate:
- Navigation: location
- Ride-hailing: the registered user’s real identity (normally in the form of one’s mobile phone number in China) and location information
- Messaging: the registered user’s real identity and contact list
- Payment: the registered user’s real identity, the payer/payee’s bank information
- Online shopping: the registered user’s real identity, payment details, information about the recipient like their name, address and phone number
- Games: the registered user’s real identity
- Dating: the registered user’s real identity, and the age, sex and marital status of the person looking for marriage or dating
There are also categories of apps that are required to grant users access without gathering any personal information upfront: live streaming, short video, video/music streaming, news, browsers, photo editors and app stores.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
It’s worth noting that while the draft provides clear rules for apps to follow, it gives no details on how they will be enforced or how offenders will be punished. For instance, will app stores incorporate the benchmark into their approval process? Or will internet users be the watchdog? It remains to be seen.
