China: Cyberspace Administration of China issued notice on investigation findings into mobile applications and SDKs

On 6 May 2025, the Cyberspace Administration of China (CAC) issued a notice concerning personal data violations identified in 15 mobile applications and 16 software development kits (SDKs). The enforcement followed a joint investigation under the 2025 Personal Information Protection Special Operations campaign, led by the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation. The notice cited violations of the Cybersecurity Law, the Personal Information Protection Law, the draft Data Security Regulation for Network Data, and the App Personal Information Handling Illegal Practice Determination Rules. The listed applications, including Moji Weather TV, Youdao Premium Courses, and Tianjin Bus, were found to have failed to disclose or accurately document the SDKs used for collecting personal data, including the purposes, methods, and scope of such data handling. The 16 identified SDKs, such as CTP Penetration Collection and JSD Penetration Collection, were noted for failing to publish data collection rules, provide mechanisms to support users’ data rights, or respond to user complaints in a timely manner. The CAC required all involved app and SDK operators to complete rectification within 15 working days and submit reports accordingly. Follow-up inspections and regulatory measures will be coordinated with the relevant authorities.