Device and Network Information Collection Not Disclosed in Privacy Policy
Description
The application collects device or network information, such as IP addresses, device identifiers, operating system versions, or network details, but the privacy policy does not clearly disclose this. While some of this data is essential for app functionality or security, users should be informed about what is collected and why. Failure to disclose can be misleading and may violate privacy regulations if identifiers are linked to individuals.
Recommendation
Update your application's privacy policy to explicitly state the types of device and network information collected. Clearly describe the purposes of this collection (e.g., app functionality, security, analytics, personalization), how the data is used and stored, and how long it is retained. Ensure transparency with users regarding this data collection.
Links
- GDPR Article 4 - Definitions (Online Identifiers)
- Apple Developer - User Privacy and Data Use
- Android Developer - Privacy
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_7
  - ART_12
  - ART_13
  - ART_25
  - ART_32
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
  - CC_6_1
- CNIL_FOR_EDITORS:
  - EDITORS_3_1_1
  - EDITORS_3_1_2