A third round in six weeks
On June 22, 2026, China's Cyberspace Administration (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) jointly named 40 mobile apps for "illegal or irregular collection and use of personal information," based on testing the Ministry of Public Security's product-quality inspection center ran between May 6 and May 27 (Chinanews). It was not an isolated action. The same three agencies named 41 apps on May 14 and 30 more on June 11 (Chinanews) — three public naming rounds inside six weeks, all flowing from a special enforcement campaign the agencies launched on April 2, 2026 to "deepen governance" of apps, advertising, education, transport, healthcare, and finance (CAC).
Of the 40 apps in the June 22 batch, one drew the most serious citation: Doubanjiang (豆伴匠), an education app, was flagged for processing personal information belonging to children under 14 without formulating specialized processing rules or obtaining consent from a parent or guardian — the only app in the batch cited under that specific category (IT Home). The other 39 apps split across ten further violation types, the largest being 25 apps that collected personal data without user consent at all, alongside smaller clusters for incomplete disclosures, missing complaint channels, and excessive permission requests.
The case for taking children's data seriously
The minors' provision deserves to be judged on its own terms before any pro-innovation critique. Under China's Personal Information Protection Law (PIPL), the data of children under 14 is classified as sensitive personal information, triggering a heightened bar: parental consent plus a dedicated processing regime, not just a checkbox in a generic privacy policy. That mirrors the logic behind COPPA in the United States and the GDPR's Article 8 protections for minors — regulators across very different systems have converged on the view that children cannot meaningfully consent to data collection, and that education apps in particular reach a captive audience assigned by schools rather than chosen by users. Beijing has backed this with more than press releases: a CAC announcement on December 29, 2025 requires every processor of minors' personal information — with no minimum volume threshold — to file an annual compliance audit by January 31 each year, the first cycle already having come due (CAC). An ed-tech app that skipped parental consent for under-14 users, as Doubanjiang was cited for doing, is precisely the kind of violation that filing regime was built to catch. That part of the campaign is proportionate, evidence-based, and consistent with global norms.
Where the model runs thin
The problem is what the campaign does with the other 39 apps, and what it fails to do with any of them. Naming-and-shaming is fast and highly visible — three rounds, over 100 apps, in six weeks — but it is also opaque. None of the CAC/MIIT/MPS notices published fines, and there is no visible appeals channel for an app maker that believes its "unnecessary permission" was mischaracterized. IT Home's account of the June 22 notice records that eight apps from a prior round were retested and still found noncompliant — a sign that a notice-and-shame cycle without escalating penalties has a limited ceiling on deterrence for firms willing to absorb the reputational hit.
The bigger structural issue is that the campaign folds a genuinely serious harm — a child's data processed without parental consent — into the same 11-category list as apps that simply lack a convenient account-deletion button or an SDK disclosure page. All 40 apps get the same headline treatment ("named for illegal personal information collection"), which flattens the risk gradient for consumers and compliance teams alike. A parent scanning the list has no easy way to tell that Doubanjiang's citation is qualitatively worse than, say, a travel app's missing complaint hotline. For the wave of Chinese app developers now navigating this alongside annual audit filings, cross-border transfer rules, and sector-specific requirements in finance and healthcare, the compliance burden scales the same way whether a company is Tencent-sized or a five-person ed-tech studio — the December 2025 audit mandate applies with no minimum-volume carve-out.
What proportionate enforcement would look like
None of this argues against enforcing PIPL's minors' provisions — that piece is legitimate and, if anything, still under-resourced relative to the scale of China's app market. It argues for separating tiers of harm in how violations are communicated, publishing some measure of financial or operational consequence rather than relying on repeat public shaming, and giving smaller developers a clear, low-cost path to remediate paperwork-level gaps before they land in the same notice as a child-data violation. A regulator that wants both a safer app ecosystem and a functioning one needs enforcement that scales its response to the severity of the harm — not just the frequency of the press release.