Seriously Non-Compliant APPs May Be Disconnected from the Network! A Detailed Analysis of MIIT's New Regulations Governing the Full-Chain Ecosystem of Mobile Applications

Brief Summary:

In February this year, the Ministry of Industry and Information Technology (MIIT) issued a notice to address the current state of mobile internet application services, enhance industry service capabilities and user experience, and proposed 26 measures to further regulate mobile internet application service providers.

Unlike previous regulations that only mentioned app developers and platforms, this notice further delves into the upstream and downstream of the entire mobile internet industry, including regulation of the full life cycle of APP developers and operators, distribution platforms, SDKs (Software Development Kits), terminals, and access enterprises. At the same time, it strengthens penalties for violations, going beyond removal from app stores to “in accordance with the requirements of telecommunications regulatory authorities, lawfully taking necessary measures such as stopping access for non-compliant APPs and SDKs.”

This article provides a simple analysis based on the full text of the notice.

This article does not represent any legal advice.

Ministry of Industry and Information Technology Notice on Further Improving Mobile Internet Application Service Capabilities

MIIT Xin Guan Han [2023] No. 26

In recent years, the Ministry of Industry and Information Technology has vigorously promoted the improvement of mobile internet application service quality and effectively safeguarded users’ legitimate rights and interests, achieving positive social effects. However, problems such as non-standardized service behaviors of some enterprises and inadequate implementation of responsibilities in related areas still occur from time to time. In order to optimize service supply, improve user experience, maintain a good information consumption environment, and promote high-quality development of the industry, and in accordance with relevant laws, regulations, and rules such as the “Personal Information Protection Law,” “Telecom Regulations,” “Provisions on Standardizing the Order of the Internet Information Services Market,” and “Provisions on the Protection of Telecommunications and Internet User Personal Information,” the relevant matters are hereby notified as follows:

I. Improving Full-Process Service Perception and Protecting Users’ Legitimate Rights and Interests

(I) Standardizing Installation and Uninstallation Behaviors

  1. Ensure informed consent for installation. When recommending APP downloads to users, the principles of openness and transparency should be followed, and necessary information such as the developer and operator’s name, product functions, privacy policies, and permission lists should be truthfully, accurately, and completely indicated, with obvious cancellation options provided simultaneously. Downloads and installations should only proceed after user confirmation and consent, effectively protecting users’ rights to know and choose. Users must not be deceived or misled into downloading and installing through methods such as “substitution,” “forced bundling,” or “silent downloads.”

Analysis:

This article addresses restrictions on platforms and promotional webpages for downloads.

When recommending game downloads to users, the necessary information must be listed on the page, and it must be ensured that “what you see is what you get.”

Most importantly, user consent must be obtained through a click before download and installation can proceed. Automatic downloads, or downloads triggered after a page dwell time without any user action (for example, a JavaScript timer script that starts the download on its own), are not permitted.
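The gating logic the analysis describes, as an added example that is not code from the notice or from the article's author: the developer and operator name, product functions, privacy policy and permission list must be present before a download can be offered, a cancel option is part of the flow, and the download starts only from the user's own click, never from a timer or a page-dwell trigger. The class and field names (DownloadGate, developerName, and so on) are assumptions of this example.

```javascript
// Added example (not from the notice or the article): consent gate for a web download page.
// Required disclosure fields (field names are assumptions of this example).
const REQUIRED_DISCLOSURE_FIELDS = [
  'developerName', 'operatorName', 'productFunctions', 'privacyPolicyUrl', 'permissions',
];

// Returns the required disclosure fields that are missing or empty.
function missingDisclosureFields(disclosure) {
  return REQUIRED_DISCLOSURE_FIELDS.filter((field) => {
    const v = disclosure[field];
    return v === undefined || v === null || v === '';
  });
}

class DownloadGate {
  // startDownload: the function that actually fetches the package once consent is given.
  constructor(disclosure, startDownload) {
    const missing = missingDisclosureFields(disclosure);
    if (missing.length > 0) {
      throw new Error('disclosure incomplete, cannot offer download: ' + missing.join(', '));
    }
    this.disclosure = disclosure;
    this.startDownload = startDownload;
    this.presented = false;   // disclosure and cancel control shown to the user
    this.cancelled = false;
    this.log = [];            // decision trail, useful for a compliance audit
  }

  // In a browser this renders the disclosure with cancel/confirm controls; here it only
  // records that they were shown, which is the precondition for confirm().
  present() {
    this.presented = true;
    this.cancelled = false;
    return this.disclosure;
  }

  cancel() {
    this.cancelled = true;
    this.log.push('cancelled by user');
  }

  // Only a trusted click on the confirm control may start the download. A timer calling
  // confirm() passes no event; a script-constructed event carries isTrusted === false.
  confirm(event) {
    let reason = null;
    if (!this.presented) reason = 'disclosure not presented';
    else if (this.cancelled) reason = 'user cancelled';
    else if (!event || event.type !== 'click' || event.isTrusted !== true) {
      reason = 'not a user-initiated click';
    }
    if (reason !== null) {
      this.log.push('refused: ' + reason);
      return false;
    }
    this.log.push('started after user confirmation');
    this.startDownload(this.disclosure);
    return true;
  }
}
```

On a real page, `present()` runs when the download card is rendered, the confirm button's click handler calls `gate.confirm(event)`, and the close control calls `gate.cancel()`; a call such as `setTimeout(() => gate.confirm(), 3000)` is refused because no trusted click event accompanies it.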

  2. Standardize webpage recommendation download behaviors. When users are browsing page content, apps should not be automatically or forcefully downloaded without user consent or active selection, nor should users be forced to download or open apps through methods such as folded displays, active pop-ups, or frequent prompts. Without justified reasons, downloading an app should not be tied to reading webpage content.

Analysis:

This article is more oriented toward applications that provide both webpage and mobile reading. Previous common practices such as hiding half an article on a webpage and then prompting “Download/Open [App Name] to read the rest” or showing a pop-up prompting “Download/Open [App Name] to read the rest” halfway through reading will be deemed non-compliant.

Webpages with such designs are advised to revise their designs as soon as possible.

  3. Achieve convenient uninstallation. Except for basic function software, apps should be conveniently uninstallable and should not maliciously obstruct users from uninstalling through methods such as blank names, transparent icons, or background hiding.

Analysis:

Similar blank icon behaviors were reported in the media last year.

Some unscrupulous software increases the difficulty for users to delete by using blank PNG icons and hiding app names. This notice officially characterizes such behaviors as non-compliant.

It is advised not to adopt such methods to create “hidden” promotional programs.

(II) Optimizing Service Experience

  4. Window closing is user-optional. Pop-up information windows such as splash screens and pop-ups should provide clear and effective close buttons so that users can conveniently close them; frequent pop-ups should not interfere with users’ normal use, nor should users be induced to perform operations through easily-mistriggered methods such as “full-screen heatmaps” or highly sensitive “shake to activate.”

Analysis:

This again addresses the standardization of splash-screen ad and pop-up behaviour.

For game companies building their own download platforms, attention should be paid to splash screen ad redirect designs, avoiding the aforementioned non-compliant methods.

  5. Service matters should be clearly informed in advance. Product function rights and charges should be clearly indicated. If there are additional conditions such as membership activation or charges, they should be prominently indicated. Without clear indication, restrictive conditions should not be added in the process of providing products and services, nor should users’ normal use of product functions and services be terminated, or service experience be reduced on this basis.

Analysis:

Regarding the “screen casting restrictions” complaints that have been buzzing around recently, this article provides a basis for complaints.

For game products, if “monthly cards,” “battle passes,” and similar common “membership” chargeable services are involved, this article may also apply. Therefore, for products already “sold,” no actions that reduce user rights may be taken before expiration.

For products sold in the future, if product functions and service content are expected to need changes, they must be [clearly indicated] on the sales page (at minimum the user agreement, and players need to re-sign) that changes may occur based on time and actual circumstances, and players must be [clearly informed] after actual changes.

  6. Startup and running scenarios should be reasonable. Without services being necessarily required or in unreasonable scenarios, apps should not self-start and associate-start other apps, nor perform behaviors such as waking up, calling, or updating.

Analysis:

This again emphasizes restrictions on self-starting and chained starting, and adds a restriction on “updating.”

For game platforms, settings allowing users to permit background game updates need to be added;

For games themselves, self-waking should be avoided (even for updates).

  7. Timely reminders for service renewals. For services provided through automatic renewal or automatic subscription methods, user consent should be obtained. Default selections should not be checked, nor should membership be forcibly bundled. Users should be reminded 5 days before automatic renewal or automatic subscription through prominent methods such as SMS or push notifications. During the service period, convenient unsubscription methods and automatic renewal or subscription cancellation channels should be provided.

Analysis:

Non-compliant default selection and forced bundling have long been recurring issues. This notice mainly confirms the reminder timing for automatic renewals.

If games have designed functions such as “automatic renewal” or “automatic subscription,” a function for SMS or push notifications 5 days before expiration (renewal) needs to be added.

Note: SMS notification or push notification functions also require user consent according to previous regulations. Therefore, when users confirm “automatic renewal,” they must also obtain user consent for related push notification functions through user agreement checkboxes or similar methods.

(III) Strengthening Personal Information Protection

  8. Adhere to the principles of legality, legitimacy, and necessity. Personal information processing activities should have clear and reasonable purposes. Users should not be required to consent to personal information processing behaviors beyond scope or unrelated to service scenarios solely on the grounds of service experience, product research and development, algorithm recommendations, or risk control. When users refuse to provide non-essential personal information for current services, the basic functions of those services should not be affected.

Analysis:

It again adds that “beyond scope” collection is not permitted on those grounds. Game companies need to adjust their user agreements accordingly.

It again emphasizes that players can use basic functions without providing non-essential personal information (permissions). For games, [personal information essential for current services] only includes mobile phone numbers and ID card real-name information.

  9. Clearly indicate personal information processing rules. Users should be informed of personal information processing rules through concise, clear, and easy-to-understand methods. If changes occur, users should be promptly informed of the latest situation. Processing purposes, methods, and scope of sensitive personal information should be prominently displayed. An inventory of collected personal information should be established. User consent to personal information processing rules should not be obtained through default checkboxes, shrunken text, or lengthy text.

Analysis:

In simple terms:

(1) When user agreements or privacy policies change, players need to be notified;

(2) Content involving sensitive personal information processing needs to be [bolded], [enlarged], or [boxed] for prominent display;

(3) Default consent checkboxes cannot be used, and lengthy text describing collection content cannot be used (break it into more paragraphs).

  10. Reasonably apply for and use permissions. Required permissions should be dynamically applied for when the corresponding business functions are started. Users should not be required to give blanket consent to multiple permissions not essential for the current business function. When calling terminal photo albums, address books, locations, etc., users should simultaneously be informed of the purpose of applying for that permission. Without user consent, the status of unauthorized permissions should not be changed.

Analysis:

It again emphasizes dynamic permission application.

In practice, permission prompts must not be shown to players on entering a game; a permission may only be requested once a player taps the function that needs it.

At the same time, when applying for permissions, the purpose of obtaining them must be provided to players. Permission application dialogs alone are not sufficient.
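The rule described above, applied as code, as an added example that is not from the notice or the article's author: an in-app permission broker that allows a permission request only from inside a feature the user has just opened, requires a stated purpose that is shown before the system dialog, refuses bundled requests, changes permission state only through the user's answer, and records each decision so the app can show users what was requested and why. The system dialog is abstracted as a callback; the class and method names are assumptions of this example.

```javascript
// Added example (not from the notice or the article): purpose-bound, feature-scoped
// permission requests with an auditable record.
class PermissionBroker {
  // platformPrompt(permission, purpose) -> 'granted' | 'denied'   (stands in for the OS dialog)
  // now() -> timestamp, injectable so tests are deterministic
  constructor(platformPrompt, now = () => Date.now()) {
    this.platformPrompt = platformPrompt;
    this.now = now;
    this.grants = new Map();     // permission -> 'granted' | 'denied'
    this.records = [];           // user-queryable trail of permission requests
    this.activeFeature = null;   // set while the user is inside a feature that needs a permission
  }

  // Called when the user actively opens a feature (e.g. taps "attach photo").
  enterFeature(name) { this.activeFeature = name; }
  leaveFeature() { this.activeFeature = null; }

  record(permission, purpose, result) {
    this.records.push({ permission, purpose, feature: this.activeFeature, at: this.now(), result });
    return result;
  }

  // Single, purpose-bound request tied to the current feature. Returns the outcome string.
  request(permission, purpose) {
    if (this.activeFeature === null) {
      return this.record(permission, purpose, 'refused: not inside a user-invoked feature');
    }
    if (typeof purpose !== 'string' || purpose.trim() === '') {
      return this.record(permission, purpose, 'refused: no purpose stated');
    }
    if (this.grants.get(permission) === 'granted') {
      return this.record(permission, purpose, 'already granted');
    }
    // The purpose is handed to the prompt so it is displayed alongside the system dialog.
    const result = this.platformPrompt(permission, purpose);
    // Permission state changes only as a result of the user's answer.
    this.grants.set(permission, result);
    return this.record(permission, purpose, result);
  }

  // Asking for several permissions at once (typically at launch) is the blanket-consent
  // pattern the notice prohibits, so it is refused regardless of context.
  requestMany(permissions, purpose) {
    return this.record(permissions.join(','), purpose, 'refused: bundled request');
  }

  status(permission) { return this.grants.get(permission) || 'not requested'; }

  // What a "permission history" screen would show the user.
  history() { return this.records.slice(); }
}
```

A denied answer is recorded as `'denied'` and leaves the feature to fall back gracefully; per the principle in the preceding section, basic functions must keep working when a non-essential permission is refused.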

(IV) Responding to User Requests

  11. Establish customer service hotlines. Internet enterprises are encouraged to establish customer service hotlines. Major internet enterprises should post customer service hotline numbers in prominent positions on their websites and apps, and simplify procedures for transferring to human services. Improvement of customer service hotline response capabilities is encouraged, with average monthly response time not exceeding 30 seconds and a human service response rate exceeding 85%.

Analysis:

Considering that this is currently only [encouraged], only understanding is needed.

The 30-second response time and the response rate above 85% in the requirements show that overall costs will be relatively high. At the current non-mandatory stage, one can first understand and prepare; when implementation becomes mandatory or sufficient capabilities are available, it can proceed.

  12. Properly handle user complaints. Effective contact methods should be published to accept user complaints. Complaints on the internet information services complaint platform should be answered according to standards, ensuring processing is completed within 15 days and improving complaint handling satisfaction rates. Setting satisfaction survey links in apps to guide users to participate in surveys is encouraged.

Analysis:

It clearly confirms the processing time limit for complaints such as 12345 work orders—processing must be completed within 15 days of receiving the work order (considering transfer time, it is recommended to calculate from the date of player complaint for 15 days).

At the same time, one can consider setting satisfaction surveys on websites or in games (though this is also encouraged and has lower costs than hotline customer service), facilitating complaint handling and meeting the notice’s requirements.

II. Improving Full-Chain Management Capabilities and Creating a Healthy Service Ecosystem

(I) Implementing APP Developer and Operator Subject Responsibility

  13. Improve internal management mechanisms. Clearly designate leading management departments and responsible persons for user services and rights protection, establish personal information protection mechanisms for the full life cycle, improve assessment and accountability systems, implement relevant laws, regulations, and policy requirements in all aspects of product research and development, promotion, and operation, and continuously improve compliance levels. Regular compliance audits of personal information protection measures and implementation should be conducted to effectively prevent risk hazards.

Analysis:

It requires clearly designating departments and responsible persons for customer service and protection (so as to cooperate with work and handle accountability). At the same time, it requires that all laws, regulations, and policies must be implemented at all stages of research, promotion, and operation, and regular compliance audits are needed to prevent risk hazards.

The various new laws and regulations recently introduced continuously emphasize personal information protection and gradually increase penalties for violations. Full-process compliance will be something every enterprise must consider.

Considering the large number and wide scope of laws and regulations, one may consider seeking suitable professional institutions or teams to provide comprehensive and professional personal information protection solutions, gaining compliance advantages in the competitive market, enhancing corporate image and credibility, and avoiding missing markets due to compliance risks.

  14. Enhance technical guarantee capabilities. Adopt security technical measures such as access control, encryption, and de-identification, and strengthen front-end and back-end security protection. Proactively monitor and detect risks such as personal information leakage, theft, tampering, destruction, loss, and illegal use, and promptly respond to and handle them.

Analysis:

Spend money to buy protection, strengthen technical capabilities, and promptly apply security patches.

Technically minimize the risk of personal information leakage.

  15. Strengthen SDK usage management. Conduct personal information protection capability assessments of SDKs before use. Clearly stipulate respective rights and obligations through contracts and other forms to ensure lawful and compliant personal information processing. Concentratedly display and promptly update the names, functions, and personal information processing rules of embedded SDKs. When jointly processing users’ personal information and causing damage to users’ rights, bear corresponding legal responsibility in accordance with the law.

Analysis:

It clearly proposes that SDK compliance management is also required, including risk assessment, contract constraints, and indication of related SDK information in user agreements/privacy policies.

This article also mentions that if two parties jointly process users’ personal information and infringe upon users’ rights, they must bear corresponding legal responsibility. Therefore, advance risk assessment and contract clause drafting will become important ways for enterprises to avoid being dragged down by third-party compliance risks.

(II) Strengthening Platform Distribution Management

  16. Strictly review APP listing. Accurately register and verify basic information such as the true identity and contact information of APP developers and operators, main functions and purposes of APPs, and conduct technical testing of apps planned for listing. Relevant reviews should clearly designate responsible persons and retain review log records. Those not meeting requirements should not be listed. Fully publicly display apps on shelves, and indicate APP names and functions, developers and operators, version numbers, required user terminal permission lists and purposes, personal information processing rules, and other information in prominent positions. Those that have not yet established a distribution display interface should redirect APP download links to app stores, guiding users to download distributed apps from official channels.

Analysis:

This can be understood in three parts:

(1) Distribution platforms must strictly review apps planned for listing and clearly designate review responsible persons and review logs—there is the possibility of post-hoc accountability. This means listing on distribution platforms/app stores may become increasingly strict in the future;

(2) Distribution platforms must fully display listed apps and clearly show related app information;

(3) If the above cannot be achieved, one can only redirect to major app stores without providing download functions (meaning non-compliance means no distribution downloads).

  17. Strengthen inspection of listed apps. Strengthen dynamic inspection of apps to ensure publicly displayed information is truthful and accurate. For non-compliant apps whose publicly displayed information is inconsistent, or that change main app functions, applied permissions, or personal information collection and usage scenarios and scope without authorization through methods such as “hot updates” and “hot switching,” distribution services should be stopped.

Analysis:

Distribution platforms must strengthen inspections of listed apps. Many games (especially user acquisition games) that previously adopted the approach of “listing first, hot updating, and hot switching later” will be deemed non-compliant and will be required to [stop] providing services (remove from shelves).

  18. Improve distribution management mechanisms. Establish mechanisms such as APP developer and operator credit evaluation and risk alerts, encourage electronic signature certification for distributed apps, and achieve full-process traceability of listed applications and distribution behaviors. Strengthen linkage with public service platforms for testing and certification of mobile internet applications, and do well in information reporting, monitoring and traceability, information sharing, and response and disposal.

Analysis:

Distribution platforms need to establish credit ratings and risk alerts for listed apps and their developers (green, yellow, red cards, etc.—need relatively obvious prompts).

Consider adopting electronic signatures and other methods to confirm APP traceability (which may not be conducive to repackaged and renamed user acquisition). Link with related public service platforms to cooperate with regulatory work.

(III) Standardizing SDK Application Services

  19. Establish information disclosure mechanisms. Publicly indicate basic information such as SDK names, developers, version numbers, main functions, usage instructions, and personal information processing rules. If SDKs independently collect, transmit, or store personal information, separate explanations should be provided. Encourage leveraging SDK management service platforms to guide APP developers and operators to use compliant SDKs.

Analysis:

Provide the corresponding information on SDK distribution interfaces and in other prominent positions, and it is advisable to produce general SDK information documents for APP developers and operators to use (to paste into their privacy policies).

  20. Optimize function configurations. Adhere to the minimum necessary principle. According to different application scenarios or purposes, clarify SDK functions and corresponding personal information collection scope, and provide APP developers and operators with configuration options for function modules and personal information collection. Do not collect personal information in a bundled manner.

Analysis:

Same collection restrictions as for APP developers above—permissions should only be requested when needed, and “bundled collection” is not permitted.

  21. Strengthen service coordination. During the entire product usage life cycle, proactively provide APP developers and operators with compliant usage guides through clear and understandable methods, guide APP developers and operators to correctly and reasonably use them, and jointly improve compliance levels. When personal information processing rules change or risks are discovered, promptly update and inform APP developers and operators.

Analysis:

This implies that SDK providers have more compliance obligations than APP developers.

SDK providers must provide APP developers with compliance guides, guide them toward compliant use, and promptly inform APP developers when rules change or risks are discovered.

Since this is an [obligatory] regulation, SDK providers must prepare related documents and risk notification functions to reduce the risk of being found “lax in regulation.”

(IV) Building Terminal Security Defense Lines

This part involves regulations for terminal (mobile phones, tablets, etc.) providers and is usually unrelated to software-related developers. However, one can understand the upcoming regulatory content to prepare in advance.

  22. Strengthen APP operation management. Provide users with functions to close APP self-starting and associated starting, as well as convenient options to reset device identification codes. Strengthen monitoring of app silent downloads and hot updates, and prevent behaviors such as unauthorized starting, downloading, or installing.

Analysis:

The most important content of this article is that terminals need to develop [device identification code reset] functions and [hot update] monitoring functions.

The former means user tracking is more difficult. The latter means various patch updates may be prompted.

  23. Strengthen APP behavior record reminders. Enhance the capability to record permission call behaviors and provide convenience for users to query permission call situations. Establish obvious reminder mechanisms for the in-use status of permissions such as address books, microphones, cameras, locations, and clipboards, ensuring users can timely and accurately understand personal information collection status.

Analysis:

Considering that current mainstream mobile operating systems already have related functions, this article is mainly reiterating.

  24. Improve APP risk early warning capabilities. Promote the development of APP electronic signature certification and early warning notifications to users, and improve the capability to identify counterfeit, non-compliant, and violative apps.

Analysis:

Current mainstream mobile operating systems already have related functions, usually only prompting risks. Whether subsequent restrictions will be imposed on software that has not undergone signature verification requires our attention.

(V) Consolidating Access Enterprise Responsibilities

  25. Accurately register information. When providing network access services for APPs and SDKs, register and verify the true identity, contact information, and other information of APP and SDK developers and operators to improve traceability.

Analysis:

Identity verification is required when accessing developers. Current mainstream distribution platforms and APP stores have basically already done this—it is mainly reiterating requirements.

  26. Ensure effective disposal. In accordance with the requirements of telecommunications regulatory authorities, lawfully take necessary measures such as stopping access for non-compliant APPs and SDKs, and effectively prevent their non-compliant behaviors that harm users’ rights.

Analysis:

This changes from [removal from shelves] (but still operational) to [stopping access] (ceasing operations). The cost of violations significantly increases—compliance work must be placed in an important position.

III. Work Requirements

(1) Organize and implement well. All units should adhere to the people-centered development philosophy, improve political stance, strengthen responsibility, refine and decompose tasks, earnestly implement this notice, and ensure results are achieved. Relevant enterprises should implement subject responsibility, conduct self-inspection and self-correction according to this notice’s requirements, and effectively protect users’ legitimate rights and interests. At the same time, establish long-term mechanisms, innovate models and methods, continuously improve mobile internet application service levels, and continuously enhance users’ sense of gain, happiness, and security.

Analysis:

Considering this notice is effective upon issuance, all enterprises need to carry out self-inspection and self-correction as soon as possible to achieve compliance as quickly as possible.

Long-term compliance mechanisms need to be established and reviews conducted for subsequent products to avoid unnecessary risks.

(2) Strengthen guidance and supervision. The Ministry of Industry and Information Technology should improve and perfect evaluation, notification, ranking, and public disclosure mechanisms, promote solid and orderly work, promptly summarize and promote excellent cases and experiences. Local communications management bureaus should strengthen supervision and inspection, and guide and supervise enterprises within their jurisdictions to implement this notice’s various requirements. For those implementing poorly or committing violations, lawfully take measures such as ordering deadline corrections, social announcements, and organizational removals, and strictly investigate and punish.

Analysis:

Regulatory authorities add [Communications Management Bureaus], which also need to be held accountable for institutions implementing poorly.

This article also specifies concrete punishment behaviors: deadline corrections, social announcements, removal from shelves (and stopping access organized by telecommunications authorities as mentioned above).

(3) Strengthen technology application. The China Academy of Information and Communications Technology should organize industrial forces, comprehensively apply new technologies such as artificial intelligence and big data, upgrade and build a national public service platform for mobile internet application testing and certification, continuously improve platform functions, and do well in technical testing, monitoring services, and regulatory support work. Actively promote and apply traceable technical methods such as electronic signature certification to promote improved service management capabilities.

Analysis:

The government will launch APP electronic signature certification and other technical services. Future game license number applications may add related content on [accessing electronic signature certification].

At the same time, considering the government’s attitude toward “renamed packages,” packages without a license number may not be able to obtain electronic signatures and may thus be flagged as risky by terminals.

(4) Promote industry self-discipline. Encourage industry associations and related institutions to formulate industry self-discipline conventions, technical standards, and service norms, and strengthen assessment, certification, and talent cultivation. Further streamline channels to listen to public opinions, promote exchange and interaction among all parties, guide enterprises to operate lawfully and compliantly, continuously optimize and improve services, create a good environment for striving for excellence and mutual promotion, and promote high-quality development with high-quality services.

Analysis:

It expresses the government’s attitude: “operate lawfully and compliantly, continuously optimize and improve services, create a good environment for striving for excellence and mutual promotion, and promote high-quality development with high-quality services.”

February 6, 2023

Summary:

The issuance of this notice is more “grounded” and “aligned with business reality” than previous notices, clearly showing that the government has gradually gotten to the bottom of the mobile internet business’s various chains.

As the new generation begins serving in relevant departments, it can be foreseen that regulatory work will become increasingly detailed and increasingly “knowledgeable.” Various “tactics” from the era of blind growth will all be discovered, and newly emerging tactics will also be stopped more quickly. Non-compliant promotion methods may become a “double-edged sword”—bringing profits while also bringing risks.

[Compliance] review will become an important procedure in the future mobile internet software development process, as well as a prerequisite for going live and operating.

RESEARCH TEAM

LI Boyang Attorney

Li Boyang is an attorney at Long An (Guangzhou) Law Firm and Senior Advisor to the Long An Bay Area Artificial Intelligence Legal Research Center. With nearly a decade of internet legal practice experience, he has provided legal services to GEM-listed internet companies, top 50 comprehensive internet companies in China, internet fast-fashion retail unicorns, and other internet companies. He excels in internet company litigation and compliance business and is adept at deeply mining evidence through computer technology.