Browsing Activity Collection Not Disclosed in Privacy Policy

Browsing Activity Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects information about users' browsing activity, such as websites visited or content viewed, but the privacy policy does not clearly disclose this. Browsing activity can reveal personal interests and habits, and if linked to an individual, is considered personal information. Failure to inform users can be misleading and may violate privacy regulations.

Recommendation

Update your application's privacy policy to explicitly state that browsing activity is collected. Clearly describe the types of browsing data collected, the purposes for its collection, how the data is used, stored, its retention period, and any use of cookies or similar tracking technologies. Ensure users are provided with transparent information and appropriate consent mechanisms.

Links

• GDPR - Personal Data Definition
• CCPA - Definition of Personal Information
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_12
  • ART_13
  • ART_25
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_3_1_1
  • EDITORS_3_1_2