Current Precise Location Data Collection Not Disclosed in Privacy Policy

Current Precise Location Data Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects users' current precise location data, but the privacy policy does not clearly disclose this practice. Precise location data can reveal sensitive details about an individual's movements and habits. Failure to inform users about this collection can be misleading and may violate privacy regulations that often require specific user consent for accessing and processing such data.

Recommendation

Update your application's privacy policy to explicitly state that current precise location data is collected. Clearly describe the purposes for this collection, how the data is used, processed, stored, and its retention period. Ensure that clear user consent is obtained before accessing precise location, and provide users with easy-to-understand controls to manage this permission.

Links

• GDPR - Recital 49 (Location Data)
• Apple Developer - Accessing Protected Resources (Location)
• Android Developer - Location and SENSORS
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_12
  • ART_13
  • ART_25
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_3_1_1
  • EDITORS_3_1_2
  • EDITORS_5_1_1
  • EDITORS_5_1_5