In a troubling incident that has raised alarms about privacy in the delivery industry, a woman in Chengdu, Sichuan, received a harassing text message from a delivery person after ordering 12 items. The message, which read, "12 items, take care of your health, beautiful," left the recipient, identified as Ms. Wang, both angry and confused. She was perplexed as the platform she used had promised to encrypt users' phone numbers, prompting questions about how the delivery person had obtained her real number and knowledge of her purchase, which included personal health products.
This incident has sparked widespread concern among the public regarding privacy breaches in the food delivery and express delivery sectors. A recent investigation by the Legal Daily revealed that privacy leaks have become a persistent issue within the delivery industry, with reports of delivery personnel secretly photographing users' home environments and selling package information on the black market surfacing frequently.
In a notable case from Longli County, Guizhou Province, four defendants were convicted for illegally obtaining and selling citizens' personal information. These individuals, who worked for a local express delivery company, were caught after they uploaded thousands of pieces of sensitive information—including names, phone numbers, addresses, and purchased items—to a cloud storage service for sale. They were reportedly incentivized by a payment of 0.8 yuan per piece of information, ultimately profiting nearly 30,000 yuan through the illegal sale of this data.
Another victim, Ms. Zhang from Tianjin, recounted her distress after receiving multiple delivery notifications that displayed her phone number and surname. Despite the information being accurate, she was informed that the packages had already been picked up by someone else. "I contacted the delivery company, and they claimed they had never leaked customer information. But why am I receiving these notifications? Is it possible that the merchants or delivery companies are using my information for fraudulent orders?" she wondered.
In addition, Ms. Wang, who frequently shops online, noted that some individuals collect discarded delivery packaging to obtain user information. She pointed out that many delivery apps automatically link virtual numbers to real numbers during calls, and the SMS channels remain unencrypted, exposing user privacy during the delivery process.
According to the Personal Information Protection Law, processing personal information must adhere to the 'minimum necessity principle.' This principle dictates that any handling of personal information should be based on clear and reasonable purposes and conducted in ways that minimally impact individual rights. Cheng Ke, Deputy Director of the Cultural Rule of Law Research Center at the Communication University of China, emphasized that delivery personnel should only require the recipient's name, address, virtual number, and order number to fulfill their duties. Any additional information, including product details, could constitute an invasion of consumer privacy.
Beijing Jiayue Law Firm's Zhao Zhanling pointed out that merchants and platforms providing riders with information beyond what is necessary for delivery may be violating the law. He stated, "Delivery personnel should only know the address and virtual number. Product details and actual phone numbers are unnecessary information and are considered personal privacy that delivery personnel should not access." However, the reality is that technological vulnerabilities and lax permission management have made it difficult to enforce the 'minimum necessity principle.'
In the case involving Ms. Wang, her phone number was supposedly encrypted through the platform's virtual number system, yet the rider was still able to access her real number and send a harassing message. Reports indicate that some platforms compromise on technological deployment to enhance delivery efficiency, resulting in virtual numbers being used only for calls while SMS messages still reveal actual numbers. Furthermore, certain delivery apps automatically decrypt real numbers during virtual number calls, leaving sensitive information exposed on order detail pages.
Experts agree that privacy rights are not only a fundamental legal entitlement for citizens but also an ethical foundation for the sustainability of digital civilization. A single harassing message from a delivery person or a sensitive item on a package label may seem trivial, but these issues can erode public trust in digital services.
To combat the phenomenon of privacy exposure, experts suggest a combination of stringent regulation and technical safeguards. This includes blacklisting non-compliant companies and imposing severe penalties for information leakage. They advocate for all platforms to utilize virtual numbers comprehensively, restricting riders' access to sensitive information and limiting permissions for platforms, merchants, and third-party data interfaces to prevent cross-platform leaks.
Cheng Ke further recommended that platforms enhance their order systems to restrict delivery personnel from accessing sensitive product information. He proposed that companies implement virtual number technology to ensure that real phone numbers are never disclosed to delivery personnel in any form. Zhang Jianwu, a lawyer at Beijing Yingke Law Firm, emphasized the necessity of technical desensitization and access controls to prevent personal information from leaking from platforms. He also highlighted the importance of clearly defining legal responsibilities in cases of information leakage.
Yin Yujian, a senior partner at Guanghe Law Firm, called on regulatory agencies to conduct special inspections and randomly check platforms for personal information protection compliance, adding that companies that repeatedly violate privacy regulations should be blacklisted and publicly disclosed. He also urged for increased fines against non-compliant businesses and prompt responses to consumer complaints regarding privacy violations.
In light of these incidents, government entities are encouraged to establish relevant regulations that clarify the responsibilities of platforms, merchants, and delivery service providers. Suggestions include adding a dedicated chapter on personal privacy and data protection in the Interim Regulations on Express Delivery, stipulating that merchants must not disclose product information to delivery service providers and that delivery services should not have access to consumers' real phone numbers or sensitive item details. If technical conditions allow, a mandatory implementation of virtual numbers across all platforms is recommended.
