Biometric Data Collection Not Disclosed in Privacy Policy

Description

The application collects biometric data, such as fingerprints or facial recognition data, but its privacy policy does not disclose this. Biometric data processed for the purpose of uniquely identifying a person is a special category of personal data under GDPR (Art. 9) and is treated as sensitive personal information under CCPA, because, unlike a password, it cannot be changed once compromised. This applies even when authentication is delegated to the platform (for example Android BiometricPrompt or iOS LocalAuthentication) and the app itself never receives a biometric template: the app still relies on biometric processing, and users must be told. Failing to inform users is misleading and may breach the transparency and explicit-consent requirements of these regulations.
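A quick way to triage this finding is to compare what the app build declares against what the policy text says. The following is an added example, not the scanner's own code: it reads an AndroidManifest.xml and an iOS Info.plist for the standard biometric signals (USE_BIOMETRIC/USE_FINGERPRINT permissions, the fingerprint/face/iris hardware features, NSFaceIDUsageDescription) and checks the privacy policy text for disclosure terms. The manifest, plist and policy snippets are constructed samples, and the term list is an assumption chosen for illustration.

```python
"""Triage helper: does the build declare biometric use, and does the
privacy policy disclose it?  Added example; inputs below are constructed."""
import re
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Platform-level signals that an app uses biometric authentication.
ANDROID_BIOMETRIC_PERMISSIONS = {
    "android.permission.USE_BIOMETRIC",
    "android.permission.USE_FINGERPRINT",  # deprecated, still common in old builds
}
ANDROID_BIOMETRIC_FEATURES = {
    "android.hardware.fingerprint",
    "android.hardware.biometrics.face",
    "android.hardware.biometrics.iris",
}
IOS_BIOMETRIC_KEYS = {"NSFaceIDUsageDescription"}

# Terms a disclosing policy would be expected to contain (assumed list).
DISCLOSURE_TERMS = re.compile(
    r"\b(biometrics?|fingerprint|face\s?id|facial recognition|touch\s?id|iris)\b",
    re.IGNORECASE,
)


def android_biometric_signals(manifest_xml: str) -> set:
    """Return the biometric permissions/features declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in ANDROID_BIOMETRIC_PERMISSIONS:
            found.add(name)
    for feat in root.iter("uses-feature"):
        name = feat.get(ANDROID_NS + "name", "")
        if name in ANDROID_BIOMETRIC_FEATURES:
            found.add(name)
    return found


def ios_biometric_signals(info_plist: bytes) -> set:
    """Return the biometric-related Info.plist keys present."""
    plist = plistlib.loads(info_plist)
    return {k for k in IOS_BIOMETRIC_KEYS if k in plist}


def policy_disclosure_terms(policy_text: str) -> list:
    """Distinct disclosure terms found in the policy, lowercased and sorted."""
    return sorted({m.lower() for m in DISCLOSURE_TERMS.findall(policy_text)})


def triage(manifest_xml: str = None, info_plist: bytes = None, policy_text: str = "") -> dict:
    """Raise the finding when the build uses biometrics but the policy is silent."""
    signals = set()
    if manifest_xml:
        signals |= android_biometric_signals(manifest_xml)
    if info_plist:
        signals |= ios_biometric_signals(info_plist)
    terms = policy_disclosure_terms(policy_text)
    return {
        "biometric_signals": sorted(signals),
        "disclosure_terms": terms,
        "finding": bool(signals) and not terms,
    }


# Constructed sample inputs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-feature android:name="android.hardware.fingerprint" android:required="false"/>
</manifest>"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.bank</string>
  <key>NSFaceIDUsageDescription</key><string>Sign in with Face ID</string>
</dict></plist>"""

POLICY_SILENT = "We collect your email address and device identifiers to provide the service."
POLICY_DISCLOSING = ("Biometric data: if you enable Face ID or fingerprint sign-in, your device "
                     "verifies your identity locally; we never receive biometric templates.")

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_PLIST, POLICY_SILENT))
    print(triage(SAMPLE_MANIFEST, SAMPLE_PLIST, POLICY_DISCLOSING))
```

Treat the output as a lead, not a verdict: a build with no biometric permission can still capture faces through the camera via a third-party SDK, and a keyword hit only shows the policy mentions biometrics, not that it states purpose, retention and consent as the recommendation below requires.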

Recommendation

Update the application's privacy policy to state explicitly that biometric data is collected. Define the types of biometric data involved, the specific purpose of collection (e.g., authentication), how it is processed and stored (including whether verification happens on the device or on a server, and the protections applied, such as encryption and template protection), the consent mechanism (explicit consent is generally required for special-category data), and the retention period and deletion process. A Data Protection Impact Assessment (GDPR Art. 35) is likely to be required for this kind of processing and should be carried out before the feature ships.

Standards

  • GDPR:
    • ART_5
    • ART_6
    • ART_7
    • ART_9
    • ART_12
    • ART_13
    • ART_25
    • ART_32
    • ART_35
  • CCPA:
    • CCPA_1798_100
    • CCPA_1798_110
    • CCPA_1798_150
  • OWASP_MASVS_v2_1:
    • MASVS_PRIVACY_1
    • MASVS_PRIVACY_2
  • SOC2_CONTROLS:
    • CC_2_3
    • CC_5_3
    • CC_6_1
  • CNIL_FOR_EDITORS:
    • EDITORS_1_2_5
    • EDITORS_3_1_1
    • EDITORS_3_1_2
    • EDITORS_4_1_1