GB/T 41391-2022 Information security technology—Basic requirements for collecting personal information in mobile internet applications (English Version)
Information security technology—Basic requirements for collecting personal information in mobile internet applications
1 Scope
This document specifies the basic requirements for the collection of personal information by Apps, the necessary personal information scope and use requirements of Apps of common service types.
This document is applicable to the regulation of personal information collection activities by App operators, as well as the supervision, management and evaluation of personal information collection activities of Apps by regulatory authorities and third-party evaluation agencies.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security techniques—Terminology
GB/T 35273-2020 Information security technology—Personal information security specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069, GB/T 35273-2020 and the following apply.
3.1
mobile internet application
applications running on smart mobile terminal
Note: Including applications and mini programs, referred to as App for short, that are preset, downloaded and installed on smart mobile terminals.
3.2
mobile internet application operator
owner, manager or provider of mobile internet application
Note: App operator for short.
3.3
mini program
a mobile internet application based on the application open interface, which may be used by users without installation.
Note: By exposing its application programming interface (API) or function, an application enables an external program to add functions on the application or use its resources without changing the source code of the application.
3.4
business function
any function that meets the specific purpose of users
Note: The business functions of App can be divided into basic business functions and extended business functions.
[Source: GB/T 35273-2020, 3.17, modified]
3.5
service type
classification of business functions provided by mobile internet applications
Note: See Annex A for common service types such as map navigation, online car hailing, instant communication, online shopping, online payment, etc.
3.6
basic business function
the business functions of mobile internet application serving the main purposes of users
3.7
extended business function
business functions other than the basic business functions provided by mobile internet application
3.8
necessary personal information
personal information necessary to ensure the normal operation of basic business functions of mobile internet application, without which, mobile internet application cannot perform basic business functions
Note 1: See B.1 in Annex B for the relationship among App, basic business function and necessary personal information.
Note 2: The scope of personal information that can be collected by App is divided into necessary personal information and non-necessary but relevant personal information. Non-necessary but relevant personal information refers to personal information related to the services provided by the App but whose collection is optional, see B.2.
3.9
user
personal information subject using mobile internet application
Note: Users usually include consumer-side users and service-supply-side users. Consumer-side users are individual consumers who use App services, while service-supply-side users are users who provide services through Apps. For example, consumer-side users of online car hailing Apps are passengers and service-supply-side users are drivers.
3.10
system permission to access personal information
system permission of operating system of smart mobile terminal which is open to the mobile internet application and with the function of collecting personal information
Note: System permission or permission for short.
3.11
unique device identifier
a code that uniquely identifies the smart mobile terminal
Note 1: It is also known as UDID, and can be divided into changeable unique device identifiers and unchangeable unique device identifiers.
Note 2: Changeable unique device identifier refers to the unique device identifier that can be reset and changed, or be used to turn off tracking by the user. Unchangeable unique device identifier refers to the hardware identifier that remains unchanged regardless of device factory reset, safe uninstallation of application or other user operations.
3.12
targeted push
based on the personal information such as the network browsing history, interests, purchasing records and habits, the information content, search results of goods or services, recommendations of products or services, news, advertisements, etc. may be displayed and provided to the personal information subject through algorithm
Note: It is also known as personalized presentation or personalized recommendation.
[Source: GB/T 35273-2020, 3.16, modified]
3.13
user profiling
process of personal characteristic model formation through analyzing or predicting the personal characteristics of a particular natural person, such as occupation, economy, health, education, personal preference, credit and behavior, on the basis of collecting, gathering, and analyzing personal information
[Source: GB/T 35273-2020, 3.8, modified]
3.14
software development kit
software library assisting in software development
Note: A software development kit usually includes a collection of related binaries, documents, examples and tools.
3.15
third-party software development kit
software development kits provided by legal entities other than mobile internet application operators
3.16
system permission request
the process by which a mobile internet application claims to the operating system of smart mobile terminal and requests authorization from user to obtain permission to access data or functions
3.17
third-party application
an application provided by a legal entity other than the mobile internet application operator that provides services to users through the mobile internet application
Note 1: The forms of third-party applications provided usually include SDK, mini programs, Web pages, etc. If SDK does not provide services directly to users, it is not a third-party application defined in this document.
Note 2: If an application provider is a legal entity different from the App operator but belongs to the same enterprise group as the App operator and complies with the same set of management system, conducting unified security and operation and maintenance management, such application is not a third-party application of the App operator. Affiliates are usually the third parties of App operators.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API: Application Programming Interface
GPS: Global Positioning System
ICCID: Integrated Circuit Card Identity
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
MAC: Media Access Control
MEID: Mobile Equipment Identifier
SDK: Software Development Kit
SN: Serial Number
WAP: Wireless Application Protocol
WEB: World Wide Web
5 App function division
The requirement for an App to collect personal information is closely related to its functions. The basic business functions and extended business functions of Apps shall be clearly divided according to the following requirements:
a) It shall be clear that the service type of the business function that realizes the main purpose of the user is the type of the App;
b) If the type of App is the common service type given in Annex A, the basic business function of the App shall be classified based on the corresponding service type in Annex A;
Note 1: Annex A provides the basic business functions and necessary personal information scope of Apps of common service types and the use requirements for necessary personal information in accordance with the Provisions on necessary personal information scope of common types of mobile internet applications. The basic business functions and necessary personal information scope of Apps of common service types in Annex A of this document are consistent with the Provisions on necessary personal information scope of common types of mobile internet applications.
c) If the type of App is not the common service type given in Annex A, the business functions that realize the main purpose of users shall be classified as the basic business functions of App, and the business functions other than the basic business functions provided by App shall be classified as extended business functions;
Note 2: If App provides various types of services, service types other than App types are called "other service types", and business functions of other service types are extended business functions. For example, the map navigation Apps also provide online shopping and online car-hailing services, so the business functions of online shopping and online car-hailing services are all extended business functions.
d) Business functions only for the purpose of improving service quality, enhancing user experience and targeted pushing of information and new product development shall be classified as extended business functions;
e) Business functions provided by external third parties or affiliates shall be classified as extended business functions, except for the basic business functions of Apps of common service types given in Annex A;
f) If there are multiple optional methods for implementing the basic business functions, the implementation methods that have a greater impact on users' personal rights and interests shall be classified as extended business functions.
Note 3: If new implementation methods of basic business functions appear due to technological development, and collect personal information more sensitive than that of the traditional methods and have a greater impact on personal rights and interests, they can be classified as extended business functions, which are usually used as optional alternatives and supplements for basic business functions. For example, new identification methods based on the development of biometric identification technology (such as face recognition, voiceprint recognition, fingerprint recognition, etc.) collect biometric information instead of passwords, which has a greater impact on personal rights and interests.
Contents of GB/T 41391-2022
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 App function division
6 Basic requirements for App to collect personal information
6.1 Minimum necessary collection
6.2 Necessary personal information
6.3 Specific types of personal information
6.4 Informed consent
6.5 System permission
6.6 Third party access management
6.7 Other requirements
Annex A (Normative)
A.1 Map navigation Apps
A.2 Online car hailing Apps
A.3 Instant communication Apps
A.4 Online community Apps
A.5 Online payment Apps
A.6 Online shopping Apps
A.7 Food delivery Apps
A.8 Express mail delivery Apps
A.9 Transportation ticketing Apps
A.10 Online dating Apps
A.11 Recruitment Apps
Annex B (Informative) Explanation of concepts such as App, business functions and necessary personal information
Annex C (Normative) Collection requirements for specific types of personal information
Annex D (Informative) Scope of system permission to access personal information
Annex E (Informative) Android system permissions of low relevance to common service types
Annex F (Informative) Common unchangeable unique device identifiers
Standard No.: GB/T 41391-2022
Status: valid
Language: English
File Format: PDF
Word Count: 24000 words
Price (USD): 620.0
Implemented on: 2022-11-1
Delivery: via email in 1 business day