Developer Compliance Guide for APM Data Collection SDKs
Since the Personal Information Protection Law of the People's Republic of China came into force on November 1, 2021, regulators, industry stakeholders, and end consumers have become increasingly concerned about user privacy protection. To crack down on the unauthorized collection and use of personal information by apps and SDKs, regulators have released related standards and specifications.
When providing services for end users, developers (hereinafter referred to as "you") must comply with applicable laws and regulations (including but not limited to the Personal Information Protection Law of the People's Republic of China, Cybersecurity Law of the People's Republic of China, and Data Security Law of the People's Republic of China) as well as relevant standards and specifications, fulfill personal information protection obligations, and process users' personal information in compliance with the principles of lawfulness, fairness, necessity, and integrity.
This document helps you better understand APM data collection SDKs and use them in compliance with applicable laws and regulations. It applies only to developers in the Chinese mainland.
Basic Requirements
Your products and services shall respect user privacy and comply with data protection laws and regulations in countries or regions where your products and services are sold. Do not participate in any activities that interfere with, damage, or access any terminal device, server, or network without authorization.
- (1) Privacy Policy Requirements
You need to release a privacy policy in your own name as required by law, and obtain user consent or another legal basis for personal information processing. The requirements of the privacy policy include but are not limited to:
- The privacy policy is a document independent from the user agreement.
- Before apps run for the first time to collect and process personal information, the apps need to clearly prompt users to read the privacy policy. The privacy policy must be easy to view. For example, a user can read the privacy policy with fewer than four touches or slides on the main function screen of an app.
- The description must be clear and plain, follow common language usage, and avoid ambiguity.
- The privacy policy must include the purposes, methods, and scope of personal information collection for products and services, and the names and contact information of the personal information processors.
- If your products and services need to share personal information with third parties or integrate third-party SDKs, disclose and explain the situation to users in the privacy policy to obtain users' authorization or consent.
- (2) Requirements for processing personal information
When processing users' personal information, your products and services must comply with the following requirements:
- Process personal information necessary for stated purposes and in compliance with the data minimization principle.
- The scope and purposes of personal information collected and processed must be the same as those specified in the privacy policy.
- The frequency of personal information collection must be the same as that specified in the privacy policy. Personal information collection beyond the stated frequency is not allowed.
- There is a clear mechanism for deleting personal information upon expiration. The retention period of personal information is the same as that in the privacy policy. Personal information is deleted or anonymized upon expiration.
- Before processing personal information about minors under the age of 14, consent shall be obtained from the minors' parents or other guardians.
- If personal information is processed for personalized recommendation or big data analysis, end users shall be notified and authorization from end users shall be obtained before related service functions are implemented.
- If sensitive personal information needs to be processed, obtain consent from end users.
- If cross-border transfer of personal information is required, a security assessment must be conducted according to the methods and standards formulated by the Cyberspace Administration of China and relevant departments under the State Council, and the transfer must comply with relevant requirements. In addition, consent from end users shall be obtained.
- Users can smoothly exercise rights as a personal data subject, such as checking, copying, modifying, and deleting personal information.
Personal Information Entrusted for Processing
Before connecting to or using an APM data collection SDK, you are required to inform users of the SDK name, SDK provider name, categories of personal information to be collected, purposes for using the information, and privacy policy link, and obtain the users' consent or other legal bases. You can provide the terms in the following ways:
- In text
Third-party SDK: APM data collection SDK (iOS/Android/HarmonyOS/web/WeChat/Baidu/DingTalk/Alipay/quick apps)
Third-party company name: Huawei Cloud Computing Technologies Co., Ltd.
Personal information to be collected: device model/name/disk/memory/brand/CPU, OS name/version, app version/name/process/thread, and Wi-Fi status
Purpose: To collect app performance data and report the data to APM.
Privacy policy link: Privacy Statement of APM Data Collection SDKs
- In a table
Third-Party SDK | Third-Party Company | Personal Data to Be Collected | Purpose | Link to Privacy Statement |
---|---|---|---|---|
APM data collection SDK (iOS/Android/HarmonyOS/web/WeChat/Baidu/DingTalk/Alipay/quick apps) | Huawei Cloud Computing Technologies Co., Ltd. | Device model/name/disk/memory/brand/CPU, OS name/version, app version/name/process/thread, and Wi-Fi status | To collect app performance data and report the data to APM. | Privacy Statement of APM Data Collection SDKs |
Permission Requirements
When providing services, the SDK complies with the principle of least permission. You need to apply for system permissions as required and obtain users' consent.
Permission | Description | Purpose |
---|---|---|
Obtaining the network status | Obtains the network status. | To check whether the current network connection is valid. |
Obtaining the Wi-Fi status | Obtains the Wi-Fi status. | To obtain the Wi-Fi access status. |
Requirements of Delayed Initialization
To prevent apps from processing users' personal information before obtaining users' consent, Huawei provides the APMSDK.start() API for SDK initialization. Your app should call this API to initialize the SDK only after users have given their consent.
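One way to enforce the delayed-initialization requirement in a web app, as an added example that is not Huawei's code: a consent gate that starts the SDK at most once and only when consent was recorded for the privacy policy version currently in force. The `ConsentGate` class, the `apm_consent` key, the Map-like `store`, and the `startSdk` callback are assumptions; the integrator would call `APMSDK.start()` inside `startSdk`, since its parameters are not shown on this page.

```javascript
// Added illustration: consent-gated, one-time SDK initialization.
// `startSdk` is a hypothetical callback; the integrator would call
// APMSDK.start() inside it (its parameters are not shown on this page).
class ConsentGate {
  constructor({ policyVersion, store, startSdk }) {
    this.policyVersion = policyVersion; // version of the privacy policy shown to the user
    this.store = store;                 // Map-like persistence (assumed), e.g. a localStorage wrapper
    this.startSdk = startSdk;
    this.started = false;
  }

  // Consent counts only if it was given for the policy version currently in force.
  hasValidConsent() {
    const rec = this.store.get("apm_consent");
    return Boolean(rec && rec.granted === true && rec.policyVersion === this.policyVersion);
  }

  // Call on every app launch: starts the SDK only if valid consent already exists.
  initIfConsented() {
    if (this.started || !this.hasValidConsent()) return false;
    this.startSdk();
    this.started = true;
    return true;
  }

  // Call from the "Agree" button of the privacy prompt.
  grant() {
    this.store.set("apm_consent", { granted: true, policyVersion: this.policyVersion, at: Date.now() });
    return this.initIfConsented();
  }

  // Call on decline or withdrawal; takes effect from the next launch (stopping a running SDK is out of scope here).
  revoke() {
    this.store.set("apm_consent", { granted: false, policyVersion: this.policyVersion, at: Date.now() });
  }
}

// Constructed demo: first launch without consent, then the user agrees.
function demo() {
  let starts = 0;
  const gate = new ConsentGate({ policyVersion: "2024-01", store: new Map(), startSdk: () => { starts += 1; } });
  const beforeConsent = gate.initIfConsented(); // false: nothing is collected yet
  const afterConsent = gate.grant();            // true: SDK started exactly once
  return { beforeConsent, afterConsent, starts };
}
```

Tying the stored record to a policy version means that publishing a changed privacy policy forces a fresh prompt before the SDK starts again.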
Requirements of Minimum Functions
The Huawei SDK provides configuration capabilities for extended functions and optional personal information processing. You can enable or disable related functions based on your service requirements by compiling files.
Protecting Personal Information Subjects' Rights
To ensure that users can easily access, copy, modify, and delete their personal information, Huawei provides related APIs in the SDK. You can then call these APIs to execute users' requests for accessing, copying, modifying, and deleting personal information.