Personal Information Protection and Privacy Policy Compliance of Health Code Apps in China: Scale Development and Content Analysis

Background: Digital technologies, especially contact tracing apps, have been crucial in monitoring and tracing the transmission of COVID-19 worldwide. China developed health code apps as an emergency response to the pandemic, and these apps are now planned for broader public health services. However, potential problems within their privacy policies may compromise personal information protection. Objective: We aimed to evaluate the compliance of 30 health code apps’ privacy policies in the mainland of China with the Personal Information Protection Law (PIPL) and related specifications. Methods: We reviewed and assessed the privacy policies of 30 health code apps between August 26 and September 6, 2023. We used a three-level indicator scale based on the information life cycle as provided in the PIPL and related specifications. The scale comprised 7 level-1 indicators, 26 level-2 indicators, and 71 level-3 indicators. Results: The mean compliance score of the 30 health code apps was 59.9/100. While 43.3% of apps scored below this average, 20.0% scored below 40. Level-1 indicator scores included the following: general attributes (85.6%); personal information (PI) collection and usage (66.2%); PI storage and protection (63.3%); PI sharing, transfer, disclosure, and transmission (57.2%); PI deletion (52.2%); individual rights (59.3%); and PI processor duties (43.7%). Sensitive PI protection compliance (51.4%) lagged behind general PI protection (83.3%), with only one app requiring separate consent for sensitive PI processing. Additionally, 46.7% required separate consent for subcontracting activities, while fewer disclosed PI recipient information (43.3%), safety precautions (36.7%), and rules of PI transfer during specific events (33.3%). Most privacy policies specified the PI retention period (76.7%) and post-period deletion or anonymization (73.3%), but only 6.7% committed to prompt third-party PI deletion.
Most apps delineated various individual rights: the right to inquire (83.3%), correct (80.0%), and delete PI (80.0%); cancel their account (70.0%); withdraw consent (60.0%); and request privacy policy explanations (80.0%). Only a fraction addressed the rights to obtain copies (13.3%) or refuse advertisement of automated decision-making (3.3%). Only 43.7% of apps were compliant in PI processor duties, with significant deficiencies in impact assessments (5.0%), PI protection officer appointment (6.7%), regular compliance audits (6.7%), and complaint management (37.8%). Conclusions: Our analysis revealed both strengths and significant shortcomings in the compliance of health code apps’ privacy policies with the PIPL and related specifications, considering the information life cycle. As China contemplates the future extended use of health code apps, it should articulate the legitimacy of the normalization of such apps and ensure informed consent of users. Meanwhile, China should uplift the compliance level of relevant privacy policies and fortify its enforcement mechanisms.
