Social networks are not required to provide identification documents as a verification factor
From January 1, 2026, social networks are not allowed to request personal documents to authenticate accounts and are not allowed to secretly listen, read messages, or record without consent.
The Law on Personal Data Protection will take effect from January 1, 2026. One of the notable contents of the law is that social networks are not required to provide images and videos containing content about identification documents as a verification factor.
According to Article 29, organizations and individuals providing social networking services and online communication services must be responsible for clearly notifying the content of personal data (DLCN) collected when the DLCN installation and use social networks and online communication services; not illegally collecting DLCN and outside the scope agreed upon with customers.
No need to provide images or videos containing complete or partial identification documents as an account authentication factor.
Responsible for providing an option that allows users to refuse to collect and share data files (called cookies). Providing the option of "no tracking" or only being able to track social network and online communication services when the user has the consent.
Do not secretly listen, steal or record calls and read text messages without the consent of the DLCN subject, unless otherwise provided by law.
Publicly publicize security policies, clearly explain how to collect, use and share DLCN; provide users with mechanisms to access, edit, delete data and establish privacy for DLCN, report violations of security and privacy; protect DLCN of Vietnamese citizens when transferring data across borders; build a process to handle violations of DLCN protection quickly and effectively.
Clause 2, Article 25 stipulates the responsibility to protect DLCN of agencies, organizations and individuals in managing and using employees. Accordingly, after terminating the contract, the enterprise must be responsible for complying with the provisions of this law, the law on labor, employment, the law on data and other relevant legal provisions.
Employees' DLCN must be stored within the prescribed time limit by law or by agreement. The employee's DLCN must be deleted or canceled upon termination of the contract, except in cases where otherwise agreed or regulated by law.
According to Clause 4, Article 8 of the Law, the maximum penalty for administrative sanctions for organizations that violate the regulation on cross-border DLCN transfers is 5% of the organization's previous year's revenue.
According to Article 7 of the Law on DLCN Protection, there are 7 prohibited acts related to DLCN, including handling DLCN in violation of the law.
It is strictly forbidden to buy and sell DLCN, except where otherwise provided by law; appropriate, intentionally expose, or destroy DLCN.
Previously, right before the DLCN Protection Law officially took effect, the Zalob application unexpectedly required millions of Vietnamese users to accept new service terms.
Including a provision to expand the scope of user data collection, including basic information such as: phone number, full name, gender, family relationships and sensitive data such as CMND/CCCD, geographical location, usage behavior, interactive content.
If you want to continue using, users only have the " Agree All" option without being able to select each part. If he refuses, his account will be deleted after 45 days. This move is fueling a wave of strong comments on social media and online forums.
Read the original here
