7.1. Does the system follow the principle of "legal, proper and necessary" in the process of collecting and using the user's personal information during its development, testing, and deployment?
According to the Announcement on the Special Rectification of App Illegal Collection and Use of Personal Information, the following behaviors can be identified as "collecting personal information unrelated to the services it provided in violation of the necessary principles": (1) The type of personal information collected or the permission opened to collect personal information is irrelevant to its existing business functions. (2) Refuse to provide business functions because the user does not agree to the collection of non-essential personal information or to opening non-essential permissions. (3) The personal information requested for new business functions of the App exceeds the user's original consent. If the user does not agree, the App refuses to provide the original business functions, except where the new business functions replace the original business functions. (4) The frequency of collecting personal information exceeds the actual needs of business functions. (5) Force users to agree to the collection of personal information only on the grounds of improving service quality, enhancing users’ experience, pushing targeted information, research and development of new products, etc. (6) Require the users to agree to open several permissions to collect personal information at a time. If the user does not agree, the App cannot be used anymore.
7.2. Does the system provide users with authentic, accurate and sufficient information to ensure their right to know before collecting and using their personal information during its development, testing, and deployment?
According to the Announcement on the Special Rectification of App Illegal Collection and Use of Personal Information, the following behaviors can be identified as "the rules of collection and use undisclosed". (1) There is no privacy policy in the App, or there is no rule for the collection and use of personal information in the Privacy Policy. (2) When the App is running for the first time, the user is not clearly prompted to read the Privacy Policy and rules of collection by ways such as pop-up windows. (3) The Privacy Policy and rules of collection and use are difficult to access, for example, after getting into the App main interface, it takes more than 4 clicks and other operations to access them. (4) The Privacy Policy and rules of collection and use are difficult to read because of undersized, overcrowded, light-colored or blurred text, or because there is no Simplified Chinese version.
According to the Announcement on the Special Rectification of App Illegal Collection and Use of Personal Information, the following behaviors can be identified as "the purpose, manner and scope of the collection and use of personal information unstated". (1) The purpose, manner and scope of App (including entrusted third party or embedded third party code, plug-in) collection and use of personal information are not listed in sequence. (2) When the purpose, manner and scope of the collection and use of personal information have changed, the user is not notified in an appropriate manner, including updating the Privacy Policy and rules of collection and use and reminding the user to read them. (3) When applying for opening the permission to collect personal information, or applying for the collection of personal and sensitive information such as user's ID card number, bank account number, whereabouts, etc., the user is not informed of the purpose at the same time, or the purpose is unclear and difficult to understand. (4) The content of the rules of collection and use is obscure, lengthy and cumbersome, which makes it difficult for the user to understand, such as the use of a large number of professional terms.
If the system is intended for children, is it communicated in a clear and understandable manner to the child, parent, legal guardian or other caregiver?
7.3. Will the system obtain users' consent before collecting and using their personal information during its development, testing, and deployment?
According to the Announcement on the Special Rectification of App Illegal Collection and Use of Personal Information, the following behaviors can be identified as "collecting and using personal information without the user's consent". (1) Start collecting personal information or opening permissions to collect personal information before obtaining the user's consent. (2) Collect personal information or open permissions to collect personal information, or frequently solicit the user's consent and interfere with the normal use after the user has clearly expressed disagreement. (3) The personal information actually collected or the permissions opened to collect personal information are beyond the scope of the user's authorization. (4) Seek the user's consent by default opting into the Privacy Policy and other non-explicit means. (5) Alter the status of the collectable personal information permission without the user's consent, for example, the user's permissions are automatically restored to the default status when the App is updated. (6) Use the user's personal information and algorithm to push targeted information, and do not provide the option of pushing untargeted information. (7) Mislead users by fraud and deception to agree to the collection of personal information or to open the permission to collect personal information, such as deliberately concealing or disguising the real purpose of collecting and using personal information. (8) Fail to provide users with ways and means of withdrawing their consent to collect personal information. (9) Collect and use personal information in violation of the stated rules of collection and use.
According to the Announcement on the Special Rectification of App Illegal Collection and Use of Personal Information, the following behaviors can be identified as "providing personal information to others without consent". (1) Without the user's consent or anonymization, the App client provides personal information directly to third parties, including through third-party code, plug-ins embedded in the App client. (2) Without the user's consent or anonymization, the App provides personal information to third parties after the data is transferred to the App back-end server. (3) Without the user's consent, the App provides personal information to third parties when it gets access to third-party applications.
If the system is intended for children, does it ensure the knowledge and consent of guardians?
7.4. Does the system comply with other agreements with users in the process of collecting and using their personal information during its development, testing, and deployment?
7.5. Is the personal information collected from users adequately secured (both institutionally and technically) against possible theft, tampering, disclosure, or other illegal use? How effective are those security measures?
7.6. Has the system been designed with an effective data and service authorization revocation mechanism, and has that mechanism been made known to the users? Is there a convenient way to help users manage their data? How much of users' data can "be forgotten"?
According to the Announcement on the Special Rectification of App Illegal Collection and Use of Personal Information, the following behaviors can be identified as "failure to provide the function of deleting or correcting personal information as required by law" or "failure to publish information such as complaints, reporting methods, etc." (1) Fail to provide effective functions of correcting, deleting personal information and cancelling users’ accounts. (2) Set unnecessary or unreasonable conditions for correcting, deleting personal information or cancelling users’ accounts. (3) Although the functions of correcting, deleting personal information and cancelling users’ accounts are provided, the App does not respond to the corresponding user's operations in a timely manner. For operations that need manual handling, the related verification and processing cannot be completed within the commitment time limit (the commitment time limit shall not exceed 15 working days; the same limit applies where there is no commitment time limit). (4) The user has completed such operations as correcting, deleting personal information or cancelling accounts, while the App back-end has not finished relevant operations. (5) The personal information security complaints and reporting channels have not been established and published, or the acceptance and processing cannot be completed within the commitment time limit (the commitment time limit shall not exceed 15 working days; the same limit applies where there is no commitment time limit).