The Law on Personal Data Protection will take effect from January 1, 2026. One of the notable contents of the law is that social networks are not required to provide images or videos containing content about personal papers as authentication factors.
According to Article 29, organizations and individuals providing social network services and online communication services must be responsible for clearly notifying the content of personal data (DLCN) collected when the DLCN subject installs and uses social networks and online communication services; not illegally collecting DLCN and outside the scope agreed upon with customers.
It is not required to provide images or videos containing full content or part of personal papers as an authentication factor for the account.
Responsible for providing options allowing users to refuse to collect and share data files (called cookies). Providing "no tracking" options or only being able to track the use of social networks and online media services with the user's consent.
Do not eavesdrop, eavesdrop on or record calls and read text messages without the consent of the DLCN subject, unless otherwise provided by law.
Publicize security policies, clearly explain how to collect, use and share DLCN; provide users with a mechanism to access, edit, delete data and establish privacy for DLCN, report security and privacy violations; protect DLCN of Vietnamese citizens when transferring data across borders; build a process to handle violations of DLCN protection quickly and effectively.
Clause 2, Article 25 stipulates the responsibility for protecting DLCN of agencies, organizations, and individuals in managing and using employees. Accordingly, businesses after terminating contracts must be responsible for complying with the provisions of this law, labor law, employment law, data law and other relevant legal regulations.
Employee DLCN must be stored for a period of time according to the provisions of law or according to agreement. Employee DLCN must be deleted or cancelled when terminating the contract, unless agreed upon or otherwise prescribed by law.
According to Clause 4, Article 8 of the Law, the maximum fine in administrative violation handling for organizations that violate regulations on transborder DLCN transfer is 5% of the revenue of the immediately preceding year of that organization.
According to Article 7 of the Law on DLCN Protection, there are 7 prohibited acts related to DLCN, including handling DLCN against the provisions of law.
Strictly prohibit the purchase and sale of DLCN, except for cases where the law has other regulations; appropriation, intentional leakage, loss of DLCN.
Previously, right before the Law on DLCN Protection officially took effect, the Zalo application suddenly requested millions of Vietnamese users to accept the new service terms.
This includes a clause expanding the scope of user data collection, including basic information such as: phone number, full name, gender, family relationship and sensitive data such as ID card/CCCD, geographical location, usage behavior, interactive content.
If users want to continue using, they only have the option "Agree with all" but cannot select each part. If they refuse, the account will be deleted after 45 days. This move is sparking a strong wave of comments on social networks and online forums.
