Email Address Collection Not Disclosed in Privacy Policy

Email Address Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects email addresses, but the privacy policy fails to mention this data collection. This lack of disclosure can mislead users about how their personal information is handled and may violate transparency requirements under various privacy regulations like GDPR and CCPA.

Recommendation

Update your application's privacy policy to explicitly state that email addresses are collected. Clearly describe the purposes for which email addresses are collected, how they are used, processed, stored, and for how long they are retained. Ensure users are provided with transparent information and that the collection complies with applicable data protection laws.

Links

• Android Privacy Guidelines
• Privacy Policies for Mobile Apps
• Apple Privacy Manifest
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_12
  • ART_13
  • ART_25
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
• CNIL_FOR_EDITORS:
  • EDITORS_3_1_1
  • EDITORS_3_1_2