Gender Identity Collection Not Disclosed in Privacy Policy

Gender Identity Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects gender identity information, but the privacy policy fails to disclose this. Gender identity can be sensitive personal information. Not informing users about this collection can be misleading and may violate privacy regulations that often require specific consent and safeguards for such data.

Recommendation

Update your application's privacy policy to explicitly state that gender identity information is collected. Clearly describe the purposes for its collection, how it is used, processed, stored, and the data retention period. Ensure users are provided with transparent information, appropriate consent mechanisms are in place if required, and that collection practices comply with applicable data protection laws for sensitive information.

Links

• GDPR Article 9 - Processing of Special Categories of Personal Data
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_9
  • ART_12
  • ART_13
  • ART_25
  • ART_32
  • ART_35
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_1_2_5
  • EDITORS_3_1_1
  • EDITORS_3_1_2