
This article looks at Mini Programs from the perspective of personal information protection compliance, and answers the questions that Mini Program practitioners most often raise, in question-and-answer form. The Q&A list is as follows:

  • Question 1: What is a Mini Program?

  • Question 2: What is the difference between a Mini Program and an App?

  • Question 3: Are Mini Programs regulated by personal information protection?

  • Question 4: Should Mini Programs set and publicize personal information processing rules to users?

  • Question 5: How should Mini Programs protect the realization of user rights?

  • Question 6: What rules should Mini Program operators pay attention to?

  • Question 7: What are the legal responsibilities faced by Mini Program operators?

  • Question 8: Is there any notification or punishment for violations of the Mini Programs at this stage?

  • Question 9: Are there any compliance or security testing tools for Mini Programs on the market?

  • Question 10: How do Mini Program operators carry out data compliance, and what are the general steps?

Question 1: What is a Mini Program?

Mini Programs are a new way of connecting users with services: they can be deployed and spread quickly inside a host App while offering a convenient user experience. Their defining features are "no installation" and "no download"; a Mini Program relies on a super app with huge traffic and technical resources to go online quickly and serve the users that app has already accumulated. The most common examples, WeChat Mini Programs and Alipay Mini Programs, are built into the WeChat App and the Alipay App respectively to provide services to their users.

At present there is no clear definition of Mini Programs at the regulatory level. The first court case concerning Mini Programs [2] characterised them as follows: "Mini Programs are a set of framework web page structures operated independently by developers. The Mini Program communicates with the developer's server, the developer's server data is not stored at Tencent, and the developer provides data and services directly to users through the Mini Program." A Mini Program is therefore essentially a mobile page access technology service. Although its underlying development and operating environment depend on the operating system and tools provided by the App platform (that is, the host App), the Mini Program's internal space configuration, page layout, and product or service content are all set by the Mini Program operator, and the related data is stored on the Mini Program operator's own server. In plain terms, a Mini Program can be regarded as a lightweight application that uses an App as its platform.

Question 2: What is the difference between a Mini Program and an App?

During both the development phase and the running phase, the host App opens its Mini Program developer tools (such as frameworks, components and interfaces) for the Mini Program to call, and provides the information channel between Mini Program developers and users. Thanks to the traffic and technical support of the host App, the cost of developing and promoting a Mini Program is far lower than that of developing a new App.

However, precisely because the development and operation of a Mini Program depend on the host App environment, the Mini Program is subject to the host App in terms of interface calls, permission acquisition and management, and message push, and must comply with the host App's developer documentation and various rules. Compared with an App, its capabilities are therefore relatively simple and its operation is constrained by the host App. For example, a Mini Program may call fewer API interfaces than an App, can obtain fewer permissions than an App, and has fewer channels for pushing messages than an App. [3]

Question 3: Are Mini Programs regulated by personal information protection?

Mini Program operators collect and process personal information in the course of providing services to users. The information may be obtained either by receiving user information shared by the host App (such as the user's avatar, nickname and ID) or by collecting personal information directly through interaction with users. The collected personal information is stored on a server under the control of the Mini Program operator, is used for the operator's own business purposes, and the operator is responsible for taking security measures to protect it. From this perspective there should be no doubt that a Mini Program operator is a "personal information processor" under the Personal Information Protection Law.

We have noticed that in recent years legislators and enforcement authorities have also paid attention to Mini Programs as a new form of application. For example, the "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications", the "Information Security Technology - Basic Requirements for Collecting Personal Information in Mobile Internet Applications (Apps)", the "Network Security Standards Practice Guidelines - Self-Assessment Guidelines for the Collection and Use of Personal Information by Mobile Internet Applications (Apps)" and the "Guidelines for Personal Information Security Prevention of Mobile Internet Applications (Apps) (Draft for Comments)" have all explicitly brought Mini Programs within their scope and subjected them to the same regulatory requirements as Apps. In Tianjin, Hainan, Jiangxi [4] and elsewhere, the cyberspace administration departments supervise Mini Programs as Apps and have reported a number of violations (see Question 8 for details). App regulations and compliance requirements therefore also apply to Mini Programs, and enforcement actions against Mini Programs are expected to become more frequent.

Question 4: Should Mini Programs set and publicize personal information processing rules to users?

The answer is yes. As a type of mobile application, a Mini Program has the function and the ability to collect users' personal information. The Personal Information Protection Law requires personal information processors to inform individuals of the relevant matters truthfully, accurately and completely, in a conspicuous manner and in clear and understandable language. Mini Program operators that collect personal information should therefore publish a privacy policy in a timely manner and make it easy for users to view and save.

Note that if a personal information processor operates both a Mini Program and an App, and the business functions and the types of information collected by the two are not identical, it must draft personal information processing rules specific to the Mini Program rather than copying the App's privacy policy; otherwise the Mini Program is equally exposed to regulatory questioning.

Figure: Privacy Policy Display Operation of Some Enterprise Mini Programs

Question 5: How should Mini Programs protect the realization of user rights?

Excessive permission requests, forced collection of information, inability to change information, and failure to provide an account cancellation path are the violations for which Mini Programs are most frequently criticised and reported by users. In 2021, the Mini Program of a catering company in Shanghai illegally collected 5,893 pieces of consumer personal information by forcing consumers to authorise their mobile phone numbers in order to "scan a code to order food"; the company was eventually warned and fined by the Market Supervision and Administration Bureau. [5]

Under the Personal Information Protection Law, users enjoy a full set of statutory rights, including the rights to access, copy, correct and delete their personal information. Mini Program operators, as personal information processors, should provide convenient ways for users to exercise these rights. In practice, it is clearly untenable for a company to refuse or obstruct the exercise of user rights on grounds such as "the Mini Program platform does not support it", "version incompatibility" or "the technical development is too complicated". We recommend that Mini Program operators build privacy compliance into the development process and design a user-friendly interface with self-service buttons so that users can exercise their legal rights easily.

Illustration: The operation mechanism of some enterprise mini-programs to protect user rights

Question 6: What rules should Mini Program operators pay attention to?

Besides the national laws and regulations that directly concern Mini Program operators, there is another category of rules that is easily overlooked in practice: the Mini Program platform rules published by App operators. Taking the WeChat Mini Program platform as an example, WeChat has officially issued platform rules such as the "WeChat Mini Program Platform Operation Specifications", the "WeChat Mini Program Platform Terms of Service" and a series of developer documents. The "WeChat Mini Program Platform Operation Specifications" and the "WeChat Mini Program Platform Terms of Service" contain dedicated chapters, "15. User Privacy and Data Specifications" and "4. User Personal Information Protection" respectively, which Mini Program operators are required to strictly observe. If a Mini Program infringes user privacy or commits other violations, the WeChat platform has the right, depending on the severity, to disable the corresponding Mini Program capabilities and ultimately to ban the account. Such service agreements and operation specifications constitute a legally binding contract between the App platform and the Mini Program operator; a Mini Program operator that fails to comply with them is in breach of contract and may have to bear the corresponding liability.

Figure: Typical case of “collecting user privacy” officially announced by WeChat

It is worth noting that, in addition to the agreement, the WeChat platform also requires WeChat Mini Program developers to raise their level of personal information protection through technical review. According to the "User Privacy Protection Guidelines Filling Instructions", each time a Mini Program developer submits code for review during the development phase, the WeChat platform by default pulls the privacy agreement of the current version of the Mini Program and enters it into platform review as the privacy agreement of the development version. If the development version submitted for review calls privacy-related interfaces in a way that is inconsistent with the content of the privacy agreement, or the privacy agreement is empty, the developer is reminded to update it at submission time. In other words, a Mini Program is only allowed to be published on the WeChat platform after WeChat has reviewed the submitted code and interface calls and confirmed that they are consistent with the privacy policy description.

Question 7: What are the legal responsibilities faced by Mini Program operators?

Infringement of personal information gives rise to both civil tort liability and administrative penalty liability, and where the illegal acquisition or sale of citizens' personal information reaches the statutory thresholds it also gives rise to criminal liability. In addition, Mini Program operators may face breach of contract claims from the App platform.

In the first Mini Program case, the court held that Tencent merely provided basic network services to the accused Mini Program operator: Tencent neither stored the Mini Program's data nor could it access the developer's server to view or process the relevant content, so it did not constitute contributory infringement and bore no tort liability. Although the case mainly concerned the "right of communication through information networks", it can be inferred that where the App platform has no subjective knowledge of a Mini Program's infringements and no technical ability to intervene in them, judicial practice will tend to hold the Mini Program operator solely responsible for all violations of law and breaches of contract.

Question 8: Is there any notification or punishment for violations of the Mini Programs at this stage?

As early as December 2018, Tong Cheng Yilong was summoned by the Ministry of Industry and Information Technology and ordered to rectify because its Mini Program did not publish rules for the collection and use of users' personal information; the Ministry also asked Tencent to strengthen its management of Mini Programs distributed on its platform. [6] Since 2020, the Tianjin cyberspace administration [7] and the Hainan cyberspace administration [8] have together reported more than a dozen Mini Programs for handling personal information in violation of laws and regulations (see the table below for details). Judging from the violations reported by local cyberspace administration departments, the main problems with Mini Programs are similar to those with Apps: privacy policies, device permissions, notification and individual consent mechanisms for sensitive information on pages, and the implementation of user rights. The regulatory measure is mainly an order to rectify within a time limit. It is clear that Mini Programs are no longer a place "beyond the reach of the law".


Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.