App Usage Data Collection Not Disclosed in Privacy Policy

App Usage Data Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects data about how users interact with it, such as features used, session duration, crash reports, or performance metrics, but the privacy policy does not clearly disclose this. If this usage data can be linked to an individual, it is considered personal information. Failure to inform users can be misleading and may violate privacy regulations.

Recommendation

Update your application's privacy policy to explicitly state that app usage data is collected. Clearly describe the types of usage data collected, the purposes for its collection, how the data is used, stored, its retention period, and whether it is anonymized or aggregated.

Links

• GDPR - Personal Data Definition (can include usage data linked to an identifier)
• Apple Developer - User Privacy and Data Use (Diagnostics)
• Android Developer - App Usage Data
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_12
  • ART_13
  • ART_25
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_3_1_1
  • EDITORS_3_1_2