China China Personal Information Protection Law PIPL

MIIT's 57th App-Naming Batch Shows China's Data-Privacy Enforcement Has Become Routine, Not Reactive

The naming of 32 apps for PIPL violations is China's third enforcement action in three weeks — evidence of a standing compliance machine, not a one-off crackdown.

China's App-Privacy Enforcement Ladder, June–July 20… People of Internet Research · China 32 Apps named, MIIT Batch 57 Named July 2, 2026 for PIPL and Cy… 57 Naming batches since inception MIIT's app-naming mechanism has no… 46 Apps delisted in Shanghai Removed June 24 for failing to rec… 30 Apps named by CAC, June 11 Preceded MIIT's batch by three wee… peopleofinternet.com
China's App-Privacy Enforcement Ladder… People of Internet Research · China 32 Apps named, MIIT Batch 57 57 Naming batches since inception 46 Apps delisted in Shanghai 30 Apps named by CAC, June 11 peopleofinternet.com

Key Takeaways

On July 2, 2026, the Ministry of Industry and Information Technology's Information and Communications Administration Bureau published its fourth public-naming bulletin of the year — Batch 57 in a numbering series that has been running since well before 2026. Thirty-two apps and SDKs, spanning ride-hailing, web fiction, tools, and e-commerce, were cited for unauthorized or beyond-scope collection of personal information, forced and excessive permission demands, auto-launch and chained-launch behavior, uncloseable pop-ups with abusive redirects, and inadequate SDK disclosure. The legal basis is familiar: the Personal Information Protection Law (2021), the Cybersecurity Law (2017), the Telecommunications Regulations, and the Provisions on Protection of Personal Information of Telecommunications and Internet Users.

An Assembly Line, Not a Crackdown

What makes this notice notable isn't its content — it's its place in a sequence. The batch sits inside a joint CAC-MIIT-MPS "2026 Special Actions on Personal Information Protection," announced April 2, 2026, covering seven fronts: apps and SDKs, internet advertising, education, transportation, healthcare, finance, and criminal enforcement against personal-information trafficking. Within the app-and-SDK track alone, three distinct enforcement actions landed in three weeks. On June 11, the Cyberspace Administration of China named 30 apps and mini-programs, with violations broken down precisely — 7 for undisclosed collection rules, 4 for excessive permissions, 5 for incomplete SDK disclosure, 14 for ineffective account-cancellation functions — and gave operators 15 working days to rectify. On June 24, the Shanghai Communications Administration escalated: it ordered 46 apps and SDKs, mostly long-tail O2O lifestyle services (moving, housekeeping, pet care, local travel agencies, group-buy food, fitness), removed from distribution outright, having failed to fix violations flagged in earlier rounds. Then, on July 2, MIIT's national bureau issued this latest 32-app batch — the 57th since the mechanism began.

That cadence is the story. A batch number in the high 50s means naming-and-shame has moved from occasional spectacle to standing bureaucratic process, cycling through discovery, notice, rectification window, and escalation to delisting on a near-monthly rhythm.

The Case Regulators Would Make

Before arguing against this machine, it's worth stating its strongest defense fairly. China's app market has produced genuine, widely-felt harms: SDKs bundled into ordinary apps that silently harvest location and contact data, permission prompts that reappear until a user relents, pop-up ads that cannot be closed and redirect through several domains before landing anywhere useful. These are not hypothetical grievances — they are the top consumer complaints in China's tech sector, and they are hard to fix through litigation alone given the sheer number of small developers and third-party SDK vendors involved. Naming-and-shame with a rectification window, rather than an immediate fine or ban, is in principle a proportionate middle path: it gives operators due notice, publishes the specific defect, and reserves harder penalties — delisting, administrative fines, credit blacklisting — for those who ignore the warning. Compared to a regime that could simply pull an app without explanation, this is closer to a compliance ladder than a trapdoor.

Where the Ladder Gets Steep

The trouble is what happens between the rungs. The criteria distinguishing a CAC notice from an MIIT notice from a provincial delisting are not published in a way outside observers — or, more importantly, small developers — can easily audit. Zhejiang's provincial communications bureau ran its own parallel "2026 Batch 4" naming of 11 apps in May under the identical legal basis, meaning a single small SDK vendor could plausibly face national, provincial, and campaign-specific notices for functionally the same defect, each carrying its own rectification clock. Larger platforms absorb this with dedicated compliance teams; the long-tail operators who dominate the Shanghai delisting list — pet-service apps, local moving companies — do not have that luxury, and "failure to rectify" often just means failure to notice the notice in time.

Unlike GDPR enforcement, where the EU's data protection authorities publish full decisions, penalty calculations, and appeal pathways, China's batches are announced by short bulletin — company names and specific findings, but no public reasoning for why one violation warrants a warning and another warrants delisting.

That asymmetry matters more as the mechanism scales. A once-a-quarter naming exercise is easy to treat as a compliance checkpoint; a monthly-or-faster cycle across four overlapping campaigns starts to function as continuous supervision with real market-access consequences, but without the procedural transparency — published legal reasoning, a formal appeal route — that would let a genuinely compliant developer contest an erroneous listing.

The Practical Upshot

For foreign and domestic developers alike, the lesson from Batch 57 isn't about the specific 32 names on this list — it's that periodic PIPL audits are no longer sufficient. With naming batches, provincial parallel actions, and delisting orders now overlapping on a weeks-not-months timeline, SDK-level data practices need continuous monitoring, not annual review. China's underlying instinct — proportionate escalation over blunt bans — is defensible. What it still lacks is the transparency infrastructure to make that escalation predictable for the small operators who bear its weight.

Sources & Citations

  1. CAC: 2026 Special Actions on Personal Information Protection announcement
  2. Zhejiang Communications Administration (MIIT) app naming notice, 2026 Batch 4
  3. Data Compliance China — Enforcement tracker
  4. China News Service: 32 apps and SDKs named for PIPL violations
  5. China Briefing: China 2026 Personal Information Protection Enforcement