China steps up scrutiny of personal data gathering practice online — here's what the new rules propose | Today News

China has issued draft regulations aimed at tightening the governance of personal information collected from the internet, outlining stricter rules for how such data can be gathered, stores, and used by applicants, Bloomberg News reported.

The proposal is part of the country's broader efforts to protect the rights of online users and promote greater transparency in the system, ensuring that personal data is used responsibly while preventing any potential misuse.

This development comes just months after India also implemented similar measures with the Digital Personal Data Protection (DPDP) rules, establishing a citizen-focused framework balancing individual rights and promoting responsible use of digital personal data.

The Cyberspace Administration of China released the rules from the draft on Saturday, which will be open for public consultation until 9 February, 2026. The framework includes: — Inform users: One of the key requirements is that apps must clearly disclose collection rules, obtain informed consent from users, and limit data usage to essential purposes only.

— Hold accountability: This also means that app operators will bear the responsibility for security, compliance, and software development kit oversight.

— Protection of minors: The proposed regulations has also called for granular permission settings, bans on excessive or unauthorized data collection, and strict protection for minors and biometric data.

— Ensure compliance: Platforms and device manufacturers must also enforce compliance through mandatory audits and risk warnings.

— Limit access: Apps may access camera and microphone permissions only when users are actively using related functions, such as taking photos, or recording video/audio, and must stop access once those functions end.

In view of rising privacy concerns and alleged misuse of online data, China has decided to introduce these rules and bring some reforms in how organisations and applicants handle personal information available on the internet.

Last year in September, Beijing imposed administrative penalties on LVMH’s Dior brand in Shanghai for violating data privacy rules.

A probe found that the Shanghai unit of Dior did not use encryption to protect personal information that it collected. The luxury brand was also accused of sharing data with LVMH’s headquarters in France without obtaining the rightful consent of the users, Bloomberg reported earlier.

Under the rules, companies will need to comply with the Act’s provisions within 12–18 months from the date of implementation, including appointing consent managers and data-protection officers, putting in place systems for express user permission, and reporting data breaches within 72 hours.

Such platforms should also mandatorily take parents’ consent for users under 18, and cannot use certain data, such as data that enables targeted ads, which is a change that the industry had long sought, Mint reported earlier.