A regulation on personal information security was published online in late January and will take effect in May.
The regulation, drafted by the National Information Security Standardization Technical Committee and the General Administration of Quality Supervision, Inspection and Quarantine, has for the first time given a clear definition of "sensitive personal information."
According to the regulation, if the leaking or misuse of the data can endanger the safety of the person or his/her property, or hurt the reputation, physical or mental health of the person, it should be regarded as "sensitive" and protected. Such data ranges from property information, health records, online and offline ID to mobile numbers, browser history and movement tracking.
The regulation came amid growing concern in China over the security of personal data.
Previous reports have revealed that some websites, such as online shopping or food delivery companies, have been collecting "cookies," which keep records of a user's browsing history and ID, and sharing them with third parties.
"After I bought a pair of earphones online, I kept receiving ads of the same product for several days from another app," said Liu Shuo, a Xiamen resident. "In addition, ads push the eateries and restaurants I once ordered from, or tourist destinations I once visited. It's scary."
Earlier this month, Alipay, China's largest third-party mobile payment app, sparked a nation-wide outcry over its tricking users into authorizing its service clauses by default. Alipay later apologized and conceded that the move was "stupid."
In response, the new regulation requires business entities to inform the person and gain approval before any sensitive information is collected. It also stipulates that refusal to provide such information should not be a reason for the user to be banned from accessing the company's core business.
But a report by Southern Metropolis Daily showed only 11 percent of mobile apps strictly followed the rules.
There were more than half a billion Internet users in China by the middle of 2017, according to a report by the China Internet Network Information Center. Many of them feel "powerless" in safeguarding their personal information.
"We care about our private data, but had no other choice but to agree," said a man surnamed Guan in Xiamen. "The agreements are often written in jargon and are too long; it's hard for ordinary users to understand what they will take away from us."
The regulation therefore also requires businesses to give a specific, simple explanation of the clauses and avoid using ambiguous words.
"Information has become a valuable resource in the digital era," said Zuo Xiaodong, vice-president of the China Information Security Research Institute. "Companies are inclined to induce users to provide their data for their own benefit, so they tend to use ambiguous descriptions. Therefore, effective law enforcement is of vital importance."
He said a similar regulation published in the European Union defined a heavy penalty of up to 4 percent of the company's global revenue if it violated the rules, which he believed would spur the company to have better self-discipline.
"Although China's information security authorities have a mechanism to rectify irregularities, we still lack mandatory punishment for violators," he added.