China China Personal Information Protection Law PIPL

China's Third App-Naming Sweep in Six Weeks Reveals a Publicity-First Model for PIPL Enforcement

CAC, MIIT and MPS named 40 apps for illegal data collection June 22, including an ed-tech app cited over under-14 users' data.

China's App-Naming Enforcement Wave, May–June 2026 People of Internet Research · China 40 Apps named June 22 Named jointly by CAC, MIIT, and MP… 25 of 40 Apps lacking user consent Largest violation category in the … 3 Naming rounds in six weeks 41, then 30, then 40 apps named be… Jan 31 annually Minors data audit deadline CAC's Dec 2025 rule requires yearl… peopleofinternet.com
China's App-Naming Enforcement Wave, M… People of Internet Research · China 40 Apps named June 22 25 of 40 Apps lacking user consent 3 Naming rounds in six weeks Jan 31 annually Minors data audit deadline peopleofinternet.com

Key Takeaways

A third round in six weeks

On June 22, 2026, China's Cyberspace Administration (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) jointly named 40 mobile apps for "illegal or irregular collection and use of personal information," based on testing the Ministry of Public Security's product-quality inspection center ran between May 6 and May 27 (Chinanews). It was not an isolated action. The same three agencies named 41 apps on May 14 and 30 more on June 11 (Chinanews) — three public naming rounds inside six weeks, all flowing from a special enforcement campaign the agencies launched on April 2, 2026 to "deepen governance" of apps, advertising, education, transport, healthcare, and finance (CAC).

Of the 40 apps in the June 22 batch, one drew the most serious citation: Doubanjiang (豆伴匠), an education app, was flagged for processing personal information belonging to children under 14 without formulating specialized processing rules or obtaining consent from a parent or guardian — the only app in the batch cited under that specific category (IT Home). The other 39 apps split across ten further violation types, the largest being 25 apps that collected personal data without user consent at all, alongside smaller clusters for incomplete disclosures, missing complaint channels, and excessive permission requests.

The case for taking children's data seriously

The minors' provision deserves to be judged on its own terms before any pro-innovation critique. Under China's Personal Information Protection Law (PIPL), the data of children under 14 is classified as sensitive personal information, triggering a heightened bar: parental consent plus a dedicated processing regime, not just a checkbox in a generic privacy policy. That mirrors the logic behind COPPA in the United States and the GDPR's Article 8 protections for minors — regulators across very different systems have converged on the view that children cannot meaningfully consent to data collection, and that education apps in particular reach a captive audience assigned by schools rather than chosen by users. Beijing has backed this with more than press releases: a CAC announcement on December 29, 2025 requires every processor of minors' personal information — with no minimum volume threshold — to file an annual compliance audit by January 31 each year, the first cycle already having come due (CAC). An ed-tech app that skipped parental consent for under-14 users, as Doubanjiang was cited for doing, is precisely the kind of violation that filing regime was built to catch. That part of the campaign is proportionate, evidence-based, and consistent with global norms.

Where the model runs thin

The problem is what the campaign does with the other 39 apps, and what it fails to do with any of them. Naming-and-shaming is fast and highly visible — three rounds, over 100 apps, in six weeks — but it is also opaque. None of the CAC/MIIT/MPS notices published fines, and there is no visible appeals channel for an app maker that believes its "unnecessary permission" was mischaracterized. IT Home's account of the June 22 notice records that eight apps from a prior round were retested and still found noncompliant — a sign that a notice-and-shame cycle without escalating penalties has a limited ceiling on deterrence for firms willing to absorb the reputational hit.

The bigger structural issue is that the campaign folds a genuinely serious harm — a child's data processed without parental consent — into the same 11-category list as apps that simply lack a convenient account-deletion button or an SDK disclosure page. All 40 apps get the same headline treatment ("named for illegal personal information collection"), which flattens the risk gradient for consumers and compliance teams alike. A parent scanning the list has no easy way to tell that Doubanjiang's citation is qualitatively worse than, say, a travel app's missing complaint hotline. For the wave of Chinese app developers now navigating this alongside annual audit filings, cross-border transfer rules, and sector-specific requirements in finance and healthcare, the compliance burden scales the same way whether a company is Tencent-sized or a five-person ed-tech studio — the December 2025 audit mandate applies with no minimum-volume carve-out.

What proportionate enforcement would look like

None of this argues against enforcing PIPL's minors' provisions — that piece is legitimate and, if anything, still under-resourced relative to the scale of China's app market. It argues for separating tiers of harm in how violations are communicated, publishing some measure of financial or operational consequence rather than relying on repeat public shaming, and giving smaller developers a clear, low-cost path to remediate paperwork-level gaps before they land in the same notice as a child-data violation. A regulator that wants both a safer app ecosystem and a functioning one needs enforcement that scales its response to the severity of the harm — not just the frequency of the press release.

Sources & Citations

  1. CAC: Minors' Data Compliance Audit Filing Announcement (Dec 29, 2025)
  2. CAC/MIIT/MPS: 2026 Personal Information Protection Special Action Announcement (Apr 2, 2026)
  3. Chinanews: 40 Apps Named for Illegal Data Collection (Jun 22, 2026)
  4. IT Home: Breakdown of 40-App Violation Categories
  5. Chinanews: 41 Apps Named in Prior Round (May 14, 2026)