In recent years, there have been many cases of apps collecting personal information excessively, forcing authorization, and requesting excessive permissions. The problem of illegal use of personal information is very prominent.
To regulate the personal information collection behavior of apps and address the current prominent problems of over-range collection and mandatory authorization, four departments (the State Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Market Supervision) jointly issued the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications”, which will be officially implemented on May 1. Game companies should conduct self-inspections in a timely manner to prevent game apps from being removed from the shelves due to data violations such as excessive collection of personal information, mandatory authorization, and excessive permission requests, which may cause huge losses.
1. What is the necessary personal information collected by the game?
The “Information Security Technology Personal Information Security Specification” requires that the types of personal information collected by an enterprise have a direct connection to the business function of the product or service (“direct connection” means that without that personal information, the function of the product or service cannot be realized), and that the frequency and quantity of collection be the minimum required to realize the function of the product or service. So, for game products, what is the necessary personal information collected by the game?
The “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications” clarify that mobile Internet application operators shall not deny users the basic functions and services of the app because users do not agree to the collection of non-essential personal information. Regarding online games, the regulation clarifies that the basic functional service is “providing online game products and services”, and the necessary personal information is: the registered user’s mobile phone number. This means that if a game company, beyond requiring users to provide a phone number, compels users to agree to the collection of the address book, location information and other information as a condition of providing services, this constitutes over-range collection of personal information.
2. Personal information collected by common games
Although only the registered user’s mobile phone number counts as necessary personal information for a game product, there are functions and scenes in the game that can only be used after collecting other personal information of the user or accessing relevant permissions. With the authorization and consent of the game user, the game manufacturer can also collect the relevant information or access the related permissions. Beyond the necessary personal information, the personal information and permissions involved in games mainly fall into the following categories:
- User name, personal valid ID number, home address, e-mail address, etc.: used for user real-name authentication, logging in to the game account, etc.
- Location information: used to match and interact with nearby players.
- Transaction records: used to protect the security of the user’s virtual items and to let users query transaction records.
- Game log: used for game operation statistical analysis, customer service complaint handling and other game security analysis, and to let users view their game history.
- Device information: used to maintain the normal operation of the basic functions of the game, optimize the performance of the game product, enhance the user’s gaming experience and ensure the security of the user’s account.
- Usage habits and preference information: used to display information that may be of interest to users in products or services.
- Camera and microphone permissions: used to let users interact with other game players and participate in live broadcasts.
3. Game data violations that the regulations are concerned about
(1) Collecting personal information beyond the scope
“Over-range collection of personal information” means that the app collects personal information that is not necessary for the service or has no reasonable application scenario, collects personal information such as address book, location, or face data beyond the necessary range or frequency, or enables permissions to collect personal information that have nothing to do with its existing business functions. For example, a calculator tool app applying for location permission, or an input method app applying for address book permission.
(2) Mandatory request for permission
“Mandatory request for permission” means that when the app is installed and running, it asks the user for permissions that have nothing to do with the current service scenario, and after the user refuses the authorization, the app exits or closes. For example, in a certain game, when the user logs in for the first time, the game asks the user for the “photo, media content and file permissions on the device” permission and the “access device information” permission. When the user refuses the authorization, the game displays the prompt “Reading and writing the SIM card is a necessary permission. If this permission is not granted, the game cannot be played normally.” The game’s act of treating the SIM card read and write permission as a necessary permission is a mandatory request for permission.
(3) Excessive request for permission
“Excessive request for permission” means that when the user is not using the related functions or services, the app applies in advance for permission to access the address book, location, SMS, recording, camera, etc., or applies for address book, location, SMS, recording, camera and other permissions beyond its business functions or services.
For example, in a certain fishing game, when the user logs into the app for the first time, the game asks the user for location permission without a reasonable application scenario. This situation is an excessive request for permission.
(4) Frequent application for permissions
“Frequent application for permissions” means that after the user explicitly rejects a permission application, the app frequently applies for permission to access the address book, location, text messages, recording, camera, etc. that are not related to the current service scenario, harassing the user.
For example, when the user has explicitly refused a permission and the app asks again for that permission every time the user reopens it, this is a frequent application for permissions.
4. Compliance recommendations
With the promulgation of regulations, the state will gradually increase the protection of user privacy and data, and game companies must pay attention to data compliance. In response to the data compliance issues of game companies, the lawyers of this team put forward the following suggestions:
1. Adhere to the principle of minimum necessity to collect user personal information
Game products must not collect personal information unrelated to the services provided by the app, and must not apply for system permissions unrelated to the services provided by the app (even if the user can choose to refuse). Follow the principle of minimum necessity: only collect the types of personal information and apply for the system permissions that are directly related to the app’s business functions, and only ask for a permission when the user triggers the relevant application scenario. The game company shall not refuse to provide services because the user declines to provide personal information other than the minimum necessary information.
2. Obtain the user’s explicit authorization before collecting personal information
3. Respect the user’s choice and do not frequently ask for permissions
The frequency with which game products collect personal information should be within the reasonable range necessary for the app to achieve its business functions. When the user rejects a permission application, unless the system permission is necessary for the function triggered by the user, the app should not repeatedly apply for it or repeatedly prompt that the permission is missing, as this interferes with the user’s normal use.
4. Use personal information strictly in accordance with the user’s authorization
When game companies use personal information, they must not go beyond what has a direct or reasonable connection with the purpose stated when the personal information was collected. If it is necessary to use personal information beyond that scope due to business needs, the user’s consent shall be obtained again. When game companies provide users’ personal information to third parties, they shall obtain the user’s consent and enter into a security agreement with the personal information recipient to clarify the personal information protection responsibilities of each party and require the personal information recipient to protect it in accordance with the law.
With the promulgation of a series of legal regulations and policies, the protection of users’ personal information has been continuously strengthened, and the punishment for infringement of privacy has also become heavier. Game companies should attach great importance to user privacy and data compliance issues to prevent product removal due to data violations.
Author: Tao Jing
Source: Nuocheng Game Law