The Shanghai Cyberspace Administration has proposed the "Six Nos" for personal information protection, aimed at consumers who order by mobile phone when dining in
Under the guidance of the Law Enforcement Bureau of the State Cyberspace Administration, the "Bright Sword Pujiang · Consumer Personal Information Rights and Interests Protection Special Law Enforcement Action" was launched in mid-June. The Shanghai Cyberspace Administration, the Municipal Market Supervision Bureau, and other relevant departments, in conjunction with the Municipal Commission of Commerce, carried out centralized rectification focused on widespread illegal and irregular behavior in the catering industry: excessive collection, frequent inducement, and even forced solicitation of non-essential personal information from consumers. Through methods such as soliciting reports of clues, on-site law enforcement, interviews and guidance, education and training, compliance guidance, "look back" inspections, and media supervision, the action aims to keep raising personal information protection awareness among major catering enterprises in this city and to have them fully fulfill their personal information protection obligations.
In the centralized rectification stage, the cyberspace administration departments at the municipal and district levels, together with the market supervision department, took unified action and concentrated on tackling difficult problems. In the main commercial districts and road sections of each district, inspections focused on 2187 catering operators such as coffee shops, milk tea shops, hot pot restaurants, fast food restaurants, and barbecue restaurants. At the same time, based on consumer preferences, key inspections were carried out on the ordering mini programs of major catering chain enterprises in various sub-sectors. Problem clues from inspection findings and reports from netizens were comprehensively investigated, and enterprises were given guidance on rectification. 45 relevant catering operators were interviewed, and currently more than 35000 stores of nationwide catering chains involved in the problem clues have completed rectification. During this period, the Shanghai Cyberspace Administration and the Municipal Market Supervision Bureau also conducted network security inspections and "look back" inspections of problem rectification at some catering enterprises that collect and store a large amount of consumer personal information. They further urged and guided enterprises to take effective measures to ensure that personal information processing activities comply with laws and administrative regulations, and to prevent security risks such as leakage, tampering, and loss of consumer personal information.
Building on the legal education on personal information protection organized for chain catering enterprises in the early stage, the Shanghai Cyberspace Administration, the Shanghai Municipal Bureau of Market Regulation, and the Shanghai Municipal Commission of Commerce supported the Shanghai Consumer Protection Commission, in conjunction with the Shanghai Catering and Cooking Industry Association, in formulating and releasing the "Compliance Guidelines for Consumer Personal Information Protection of Online Dining Services in Shanghai". The guidelines set out specific compliance requirements and operational guidance for how catering operators collect, use, and store consumer personal information in the different scenarios of online ordering, in order to effectively improve the level of consumer personal information protection in the catering industry.
To better assist consumers in protecting their personal information when scanning QR codes to order, the Shanghai Cyberspace Administration has put forward the following "Six Nos" suggestions, hoping that the public will jointly raise awareness of personal information rights protection and provide clues for reporting related suspected illegal and irregular behavior.
01 If the privacy policy is not disclosed, do not continue
The first time consumers use a QR code ordering service, they scan the QR code and are taken to a mini program page to order, but the mini program does not inform them of its privacy policy through prominent means such as pop-ups; or agreement to the privacy policy is checked by default on the ordering and login pages, so that personal information is provided to the catering enterprise by default. Consumers can choose offline ordering methods or try to avoid providing personal information in subsequent QR code ordering.
02 Do not provide non-essential personal information
During in-store ordering or on the checkout page, the mini program requires or induces consumers to fill in personal information unrelated to catering services. Consumers should be wary of merchants requesting personal information unrelated to catering services.
03 Do not allow one-click login that asks for your phone number
After scanning the QR code to order, consumers receive pop-up prompts such as "WeChat phone number one-click login" to obtain their phone number or "WeChat one-click login" to obtain their nickname and profile picture, or are asked for a phone number when paying. Consumers can choose not to provide this information by tapping the "reject" or "cancel" button.
04 Do not agree to induced precise location access
After consumers scan the code to order, the mini program requests location permission to obtain precise location information, on the grounds of making it convenient for consumers to choose nearby stores and the like. Consumers can instead use the store search function to place an order.
05 Do not impulsively follow accounts when lured by membership offers
After consumers scan the code to order, the mini program repeatedly displays pop-up requests in the name of optimizing the service experience, providing member discounts, and so on, to induce consumers to authorize personal information such as precise location or mobile phone number, or to induce consumers to follow the enterprise's official account. Consumers can provide personal information cautiously, according to the services they actually choose.
06 Do not accept targeted marketing advertisements
After consumers scan the code to order, the mini program induces them to agree to receive targeted advertising and marketing information in the name of providing convenience and pushing promotional information. Consumers can refuse or agree according to their own needs, and should know in advance how to unsubscribe from such marketing and advertising information.
In the next stage, the Shanghai Cyberspace Administration, together with relevant departments such as the Municipal Market Supervision Bureau, will continue to dig deeper into clues of violations, strengthen supervision and guidance, push catering operators to provide online ordering services in a standardized manner, and have them effectively fulfill their main responsibility for personal information protection. At the same time, in line with the deployment of the "Bright Sword Pujiang" special action, the organizers will also carry out comprehensive rectification and special law enforcement around consumption scenarios such as parking QR code scanning, children's learning and training, online finance and small loans, real estate intermediaries, renting chargers, shopping in supermarkets, and car 4S stores, in response to issues such as "excessive collection, forced acquisition, induced retrieval, and illegal use" of personal information. Netizens are welcome to participate actively and provide clues truthfully through the following channels.
Shanghai Internet Illegal and Bad Information Reporting Center
Website: http://www.shjbzx.cn
Email: shjbzx@126.com
Phone: 12345, 12315
[Attachment]
Shanghai Online Dining Service Consumer Personal Information Protection Compliance Guidelines
Chapter I General Provisions
Article 1 Purpose and Basis
This guideline is formulated in order to strengthen the protection of personal information of consumers in the catering industry in this city and to effectively improve the compliance level of catering operators. With the support of the Shanghai Cyberspace Administration, the Shanghai Municipal Bureau of Market Regulation, and the Shanghai Municipal Commission of Commerce, the Shanghai Consumer Rights Protection Committee and the Shanghai Catering and Cooking Industry Association have formulated it in accordance with the Personal Information Protection Law of the People's Republic of China, the Consumer Rights Protection Law of the People's Republic of China, the Shanghai Consumer Rights Protection Regulations, and the Methods for Determining the Illegal Collection and Use of Personal Information by Apps, based on the current development status of the catering industry in this city and in combination with the results of social supervision investigations.
Article 2 Scope of Application
This guideline applies to all types of catering operators within the administrative area of this city, and serves as guidance for catering operators in carrying out compliance management of consumer personal information protection in online ordering services.
Article 3 Basic Concepts
The catering operators referred to in this guideline are those engaged in the processing and cooking of food and in dining service operations, including but not limited to restaurants, hotels, fast food restaurants, snack shops, beverage shops, resorts, and other units.
The online ordering referred to in this guideline means catering operators providing online self-service ordering to consumers through QR code scanning that redirects to a mini program, or directly through a mini program.
The "mini programs" referred to in this guideline are the applications through which catering operators give consumers direct access to restaurant information, menus, online ordering, checkout and other functions, including but not limited to WeChat/Alipay mini programs, WeChat official accounts, H5 pages, etc.
Article 4 Basic Principles
Catering operators conducting online ordering services should consciously abide by laws and regulations, business ethics, and public order and good customs. The collection and use of consumer personal information should follow the principles of legality, legitimacy, necessity, and integrity.
Chapter II Protection of Consumers' Personal Information
Article 5 Catering operators shall remind consumers of their privacy policies through pop-up windows or other prominent means when consumers use online ordering services for the first time. The pop-up window shall be clearly worded, with an appropriate text size and concise, clear terms. The specific rules for collecting, using, and storing consumer personal information shall be stated clearly and accurately so that consumers can easily read and understand them. The consumer's explicit consent to the privacy policy must not be checked by default, nor may only a consent option be provided.
Article 6 Catering operators shall collect and use consumers' personal information in strict accordance with their declared rules, and the personal information collected or the permissions obtained to collect it shall not exceed the scope of the consumer's authorization.
Article 7 The personal information collected by catering operators shall be closely related to the current catering consumption scenario, and the appropriate permissions and information shall be obtained according to consumption scenarios such as dine-in, in-store pickup, and take-out delivery. Catering operators shall not induce consumers, at stages such as login, ordering, taking a queue number, adding dishes, and checkout, to provide personal information unrelated to catering services, including but not limited to name, birthday, gender, mobile phone number, home address, ID number, bank account number, etc.
Article 8 If a mini program uses WeChat one-click login to obtain information such as WeChat nickname, WeChat avatar or mobile phone number, or needs to obtain a precise location to provide nearby-store services, it shall obtain the explicit consent of the consumer. It shall not stop providing services or restrict the use of functions on the grounds that the consumer refuses to authorize, and shall provide the consumer with other ways of obtaining the service.
Article 9 Catering operators shall not force or induce consumers, in any form or for any reason, to follow the operator's WeChat official account, and shall not force or induce consumers, in any form or for any reason, to agree to the collection of personal information unrelated to catering services.
Article 10 During the online ordering service, mini programs shall not frequently display pop-up windows requesting consumer consent in a way that interferes with consumers' normal use.
Article 11 Without the consent or request of consumers, or if consumers explicitly refuse, catering operators shall not share consumer personal information with third parties for their use or push commercial marketing information. Pushed commercial marketing messages should provide an option to unsubscribe or decline.
Article 12 Catering operators shall ensure that consumers can cancel their accounts and delete their personal information as they wish, and shall not set unnecessary or unreasonable conditions.
Chapter III Responsibility and Supervision
Article 13 Where catering operators provide online ordering services offline, they shall also prepare paper menus, and the products and services offered on paper menus shall be consistent with those offered online.
Article 14 Catering operators shall establish and improve a compliance management mechanism for the protection of consumers' personal information, improve the management procedures and operational requirements for the collection, use, storage, processing, transmission and deletion of personal information, and make personal information management more standardized.
Article 15 Catering operators shall bear the main responsibility for the protection of personal information, ensure the security of their mini programs, whether built themselves or entrusted to third parties, throughout design, development, operation, maintenance and other stages, and take corresponding technical measures and other necessary measures to keep stored consumer personal information secure and avoid security risks such as information leakage, data theft, abuse and loss.
Article 16 Catering operators shall regularly organize education and training for their stores on the protection of consumers' personal information, and clarify compliance responsibilities for personal information protection.
Article 17 The Shanghai Consumer Rights Protection Committee and the Shanghai Catering and Cooking Industry Association will conduct unannounced random visits and social supervision on the compliance of online ordering services in the catering industry from time to time.
Chapter IV Supplementary Provisions
Article 18 These Guidelines shall be implemented as of July 18, 2023.