Announcement on Launching the 2026 Special Action on Personal Information Protection by the Cyberspace Administration, Ministry of Industry and Information Technology, and Ministry of Public Security.
In 2026, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security will work together with relevant departments to further crack down on typical problems of illegal collection and use of personal information in services such as apps, SDKs, as well as internet advertising, education, transportation, health, finance, and other key areas.
Since the implementation of the Personal Information Protection Law, the Cyberspace Administration of China, together with relevant departments, has continuously increased efforts to protect personal information, investigated and dealt with various illegal acts of collecting and using personal information, urged and guided personal information handlers to continuously improve their compliance level, and has achieved positive results. In 2026, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security will work together with relevant departments to further regulate typical issues of illegal collection and use of personal information in key areas such as apps, SDKs, internet advertising, education, transportation, healthcare, and finance, focusing on improving the satisfaction and sense of security of the people. Relevant departments will carry out a series of special actions focusing on the following key issues:
1. Special governance of illegal collection and use of personal information by Apps and SDKs
Target of governance: Common types of Apps and embedded SDKs collecting and using personal information.
Key issues: First, failure to disclose rules for collecting and using personal information, failure to provide effective account cancellation functions, failure to establish and publish channels for personal information security complaints, etc.; second, incomplete or inaccurate notification of the collection and use of personal information, inconsistency between the stated purpose, method, scope of collection and actual collection and use; third, collecting and using personal information without the consent of users, forcing users to agree to the collection of unnecessary personal information; fourth, collecting and using personal information beyond the necessary scope, collecting personal information such as location, contacts, and messages in irrelevant scenarios, exceeding the minimum necessary frequency of invoking personal information permissions.
2. Special governance of illegal collection and use of personal information in the Internet advertising field
Target of governance: Internet advertising intermediaries, media platforms, and others conducting activities of collecting and using personal information.
Key issues: First, collecting personal information beyond the necessary scope; second, failing to clearly specify in the personal information processing rules that the collected personal information is used for advertising, user profiling, etc., failing to list the types of personal information provided to third parties, the purposes, methods, means, and contact information of the recipients; third, failure to provide users with convenient channels to exercise rights such as correction, deletion, refusal to process personal information, etc., incomplete or inadequate related functions; fourth, pushing ads using automated decision-making without setting up easy-to-understand, easy-to-access options for turning off personalized recommendations, failing to stop collecting personal information after users turn off personalized recommendations, not providing functions to delete users' personal feature tags, etc.; fifth, inadequate internal security management of personal information, access control, provision to third parties, inadequate technical security measures, etc.
3. Special governance of illegal collection and use of personal information in the education field
Target of governance: Schools (higher education institutions, high schools, compulsory education schools, kindergartens, etc.), and education institutions such as off-campus training institutions.
Key issues: First, education institutions handling personal information of minors under the age of fourteen without formulating specific rules for handling personal information and without obtaining consent from the parents or other guardians of the minors; second, websites and Apps operated by education institutions excessively collecting personal information such as location, school, school records, parents' ID numbers, contact information, and occupation; third, off-campus training institutions providing personal information to cooperating third-party institutions without informing the data subjects of the names, purposes, methods, and scope of processing of personal information, and without obtaining consent from the data subjects; fourth, offline premises of education institutions, as well as websites, Apps, etc. utilizing non-facial recognition technology as the only way to verify parent and student identities, failing to implement security management requirements related to facial recognition technology applications; fifth, failure of education institutions to establish personal information protection management systems, failure to take effective security protection measures, presence of risks for personal information leakage, etc.
4. Special governance of illegal collection and use of personal information in the transportation field
Target of governance: Operators of road, waterway, railway, civil aviation transportation, and related ticketing agents, online travel ticketing platforms, postal and express delivery companies, and public parking management platforms conducting activities of collecting and using personal information.
Key issues: First, websites and Apps operated by relevant organizations collecting personal information such as location, contacts, etc. in irrelevant scenarios, accessing permissions such as microphone, storage, etc.; second, functions such as scanning codes for parking payments at public parking lots forcing users to register, log in, and collect personal information such as mobile numbers; third, online travel ticketing platforms providing personal information to cooperating ticketing agents and other third-party institutions without informing the data subjects of the names, purposes, methods, scope of processing of personal information, and without obtaining consent from the data subjects; fourth, postal and express delivery companies, online travel ticketing platforms, etc. leaking users' contact information, home addresses, personal travel records, etc.; fifth, relevant organizations failing to establish personal information protection management systems, failing to implement effective security protection measures, causing harm to personal information rights.
5. Special governance of illegal collection and use of personal information in the healthcare field
Target of governance: Medical and healthcare institutions such as hospitals, health centers, clinics, disease control centers, etc. collecting and using personal information.
Key issues: First, websites and Apps operated by medical and healthcare institutions collecting personal information such as location beyond the boundaries, failing to use effective verification methods to verify user identity, leading to unauthorized access by irrelevant individuals to others' medical records; second, medical and healthcare institutions disclosing images, text descriptions, etc. containing personal information of patients without the consent of the patients; third, websites and Apps operated by medical and healthcare institutions utilizing non-facial recognition technology to verify patient identity, making facial recognition technology the only verification method, failing to implement security management requirements related to facial recognition technology applications; fourth, medical and healthcare institutions failing to establish specific personal information protection management systems, failing to set up access management permissions for personal information, failing to define personal information protection responsibilities; fifth, internal information management systems of medical and healthcare institutions failing to adopt effective technical protection measures, failing to use encryption, de-identification, and other security technical measures for personal information; sixth, inadequate management of third-party personnel such as technical operations and maintenance, existence of risks of personal information leakage.
6. Special governance of illegal collection and use of personal information in the financial field
Target of governance: Banks, insurance companies, securities firms, credit reporting agencies, payment institutions, and internet lending platforms conducting activities of collecting and using personal information.
Key issues: First, websites, Apps, etc. operated by relevant institutions collecting unnecessary personal information such as contacts, messages, call records, location, device information, application lists, etc. under the pretext of security risk control, loan services, etc., invoking permissions such as microphone, storage, etc. for personal information; second, internet lending platforms providing personal information to cooperating third-party institutions without informing the data subjects of the names, purposes, methods, etc. of processing personal information, failing to obtain consent from the data subjects; third, offline business verification and websites, Apps, etc. operated by relevant institutions utilizing non-facial recognition technology to verify user identity, making facial recognition technology the only verification method, failing to implement security management requirements related to facial recognition technology applications; fourth, relevant institutions failing to establish personal information protection management systems, failing to implement effective security protection measures, risks of personal information leakage, etc.
7. Special crackdown on crimes related to illegal use of personal information
Target of governance: Criminal activities infringing on personal information.
Key issues: Focusing on criminal activities infringing on personal information in key areas such as public services, financial lending, medical education, daily travel, etc., cracking down on "insiders" in the industry, and strictly cracking down on criminal activities infringing on personal information.
The Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security will work together with relevant departments to orderly advance all tasks of the series of special actions, focus on rectifying various typical illegal issues, and strictly deal with those who refuse to rectify according to law; at the same time, relevant departments will dynamically adjust the key governance issues according to actual work needs to ensure the effectiveness of the special actions and effectively protect the security of citizens' personal information.
This announcement is hereby made.
Cyberspace Administration of China
Ministry of Industry and Information Technology
Ministry of Public Security
April 2, 2026
This article is reprinted from the "Cyberspace China" WeChat public account, GMTEight Editor: Liu Jiayin.