Privacy & Cybersecurity Law Blog

On August 13, 2025, the National Computer Virus Emergency Response Center of China (the “Center”), a non-governmental technical and operational cybersecurity emergency response organization, announced that it had identified 70 mobile applications as being in violation of China’s Personal Information Protection Law (“PIPL”). The Center regularly conducts compliance checks to ensure adherence to the PIPL. The Center urged the relevant app operators to promptly address the identified violations, and warned that failure to comply could lead to the removal of the apps.

The Center observed the following types of violations of the PIPL across the mobile apps it identified, though not every app was found to have committed each violation:

1.  Transparency

a.  Upon app launch, the app did not prompt users (e.g., via pop-up window) to read the app’s privacy policy or other privacy disclosures.

b.  The app either did not have a privacy policy or its privacy policy was difficult to locate.

c.  The app did not provide required privacy disclosures, including the names of all data handlers and their contact information, and the purposes, methods and scope of personal information processing (including the activities of third-party processors, e.g., code or plug-ins embedded by a third party).

d.  The app did not provide privacy disclosures in a clear, conspicuous and understandable format.

e.  Where an app operator disclosed personal information to another data handler, the app operator did not disclose the name or contact information of the recipient data handler, the purpose of processing, the method of processing, or the data elements provided to such data handler.

2.  Consent

a. The app operator did not obtain users’ consent before processing their personal information.

b. The app operator did not obtain users’ separate consent to: (1) process sensitive personal information or (2) disclose personal information to another data handler.

c. The app operator failed to provide a convenient method to withdraw consent.

3.  Privacy Rights

a.  The app did not provide the ability to correct or delete personal information, or to cancel user accounts.

b.  The app operator did not respond to users’ privacy requests or complaints in a timely manner.

4.  Advertising and Marketing

a.  The app did not provide a convenient method to opt out of targeted advertising or automated decision-making.

b.  The app did not provide a “Close” icon on its in-app ads, or only allowed users to close the ad once played.

5.  Children’s Privacy

a.  For apps that process personal information of minors under 14 years old:

i.  The app operator did not provide a minor-specific privacy policy.

ii.  The app operator did not obtain parental consent before collecting minors’ personal information.

6.  Data Security and Data Minimization

a.  The app collected more personal information than is necessary.

b.  The app did not implement appropriate security measures (e.g., encryption, data deidentification).

The Center’s findings highlight potential areas of focus for regulatory enforcement. App operators in China should ensure full compliance with the PIPL, especially regarding the issues outlined above.