On May 25, the Shanghai Cyberspace Administration released Notice on Issues Concerning Personal Information Collection and Usage by Local Apps (Second Batch of 2026 – Special Focus on Consumer Retail), publicly calling out consumer retail-related apps and mini-programs operating within the city for unlawful collection and usage of personal information. This special inspection was conducted in accordance with the Cybersecurity Law, Personal Information Protection Law, Regulations on Cyber Data Security Management, and Guidelines for Identifying Unlawful Acts of Collecting and Using Personal Information via Apps. It serves to implement requirements outlined in the joint announcement issued by the Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security regarding a series of special actions on personal information protection in 2026. Operators named in the notice must complete corrective measures within 15 working days of publication and submit reports detailing such efforts to the Shanghai Cyberspace Administration; regulators will subsequently verify compliance and impose penalties as warranted by law. The full list of offending apps appears as images attached to the original official notice.
This represents the second batch of local app-focused notices issued by Shanghai this year, with emphasis placed squarely on consumer retail contexts. Nationwide, regulatory activity has accelerated notably: the Cyberspace Administration of China has since January identified over 33 apps across sectors such as finance and education in multiple rounds of announcements; meanwhile, the Ministry of Industry and Information Technology published its second and third batches of noncompliant apps (and SDKs) in April and May respectively, resulting in a cumulative tally exceeding 50 products cited for violations. Common infractions include unauthorized gathering of personal data, excessive permission requests beyond functional necessity, acquisition of contacts/location details without explicit user consent, and mandatory automatic subscription renewals. In 2025 alone, a total of 3,852 apps received regulatory reprimands nationwide—marking a surge of roughly 152% compared to prior years—with oversight now extending to enterprises owned by foreign capital or state entities.