As 2025 comes to a close, China’s personal information protection enforcement continues to demonstrate sustained intensity and increasing sophistication. Regulatory activity over the past year confirms that personal data protection compliance has become a long-term supervisory priority, characterized by frequent enforcement actions, expanding coverage, and closer scrutiny of actual implementation.
In March 2025, the Cyberspace Administration of China, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation, announced a nationwide series of special enforcement actions targeting the unlawful collection and use of personal information. While the initiative spans a wide range of technologies and scenarios, enforcement actions involving mobile applications have been among the most visible and instructive.
This article uses app-related enforcement as a starting point to observe broader developments in China’s personal information protection regime. Although apps represent only one category of regulated activity, enforcement practice in this area provides useful insight into regulators’ priorities, methodologies, and expectations.
Overall Enforcement Scope and Focus Areas
As part of these special enforcement actions, regulators have acted across a variety of personal information processing scenarios. Regulatory notices indicate that enforcement has focused in particular on the following areas, among others:
- Apps and related services, including mini programs and official accounts on platforms such as WeChat;
- SDKs embedded in apps that engage in unlawful data collection or processing;
- Smart terminals and connected devices, such as smart watches and other wearable technologies;
- Facial recognition technologies used in public venues, including public transportation and hotel accommodation;
- Offline consumption scenarios, such as QR code-based ordering and registration processes;
- Administrative and criminal cases involving personal information infringements, with particular focus on sectors such as online lending, recruitment, tourism and accommodation.
Taken together, these enforcement areas illustrate regulators’ increasing focus on end-to-end data processing activities, from data collection at the user interface to downstream sharing and misuse.
Why App Cases Are Particularly Illustrative
App-related enforcement has attracted sustained regulatory attention due to the combination of high user penetration, frequent data interactions, and complex technical structures. In many cases, regulators have focused not only on the app operator itself, but also on embedded SDKs, third-party service providers, and discrepancies between stated privacy policies and actual data processing behavior.
Viewed in context, app enforcement cases offer a practical lens through which regulatory expectations on transparency, necessity, consent management, and user rights protection can be observed. They also reflect a broader regulatory focus on technical implementation and downstream integrations, as opposed to a sole emphasis on formal documentation.
Local Enforcement Practice: The Shanghai Experience
Shanghai’s enforcement activities provide a useful illustration of current regulatory practice. In 2025, the Shanghai Communications Administration reportedly inspected more than 5,000 apps, notified 750 apps of compliance issues, and removed 207 apps for failure to complete required rectifications. These actions highlight that remediation obligations are actively monitored and that non-compliance may result in immediate commercial consequences.
Key Compliance Issues Identified through App Enforcement
Based on enforcement notices and public disclosures by Chinese regulators, such as the Cyberspace Administration of China, the Ministry of Public Security, and various provincial communications authorities, regulators have consistently focused on the following areas:
- Transparency failures, such as privacy policies that are difficult to access, incomplete, or not prominently presented upon first app launch;
- Consent management failures, including collection of personal information before obtaining valid consent, lack of consent withdrawal mechanisms, and improper processing of sensitive personal information or minors’ data;
- Data minimization violations, including excessive permission requests and collection of personal information beyond what is necessary for core business functions;
- Automated decision-making risks, particularly forced acceptance of targeted push notifications without non-personalized alternatives or convenient opt-out mechanisms;
- User rights deficiencies, such as ineffective mechanisms for data correction, deletion, or account cancellation, and delayed handling of complaints.
Year-End Observations
From a year-end perspective, app-related enforcement actions offer a useful lens through which to assess broader trends in China’s personal information protection regime. Regulators are increasingly focused on actual implementation and user experience, rather than formalistic compliance alone. Enforcement actions have become faster and more consequential, with app removals, public notifications, and technical testing results now used as routine supervisory tools.
More broadly, these app cases reflect a regulatory approach that extends across the entire personal information processing lifecycle, including third-party SDKs, technical service providers, and offline data collection scenarios. For companies providing enterprise-facing products, services, or technical solutions that involve the processing of personal information, whether directly or through downstream customers, this enforcement practice underscores the importance of ongoing reviews of privacy notices, data flows, consent management, and contractual and operational safeguards as regulatory scrutiny continues to deepen.