Genetic Data Collection Not Disclosed in Privacy Policy
Description
The application collects genetic data, which relates to the inherited or acquired genetic characteristics of an individual, but the privacy policy does not disclose this. Genetic data is a special category of personal data under regulations such as the GDPR and is exceptionally sensitive. Failing to inform users about this collection is a very serious issue and likely violates legal requirements for explicit consent and for the most stringent data protection measures.
Recommendation
Update your application's privacy policy to explicitly state that genetic data is collected. Clearly detail the specific types of genetic data collected, the precise purposes of the collection, how the data is used and processed, how it is stored (with the highest level of security), and how long it is retained. Ensure that explicit, unambiguous user consent is obtained before collecting this highly sensitive information, and that all practices comply with the applicable data protection laws for special categories of data, which often require a Data Protection Impact Assessment.
Links
- GDPR Article 9 - Processing of Special Categories of Personal Data
- GDPR Article 4 - Definitions (Genetic Data)
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_7
  - ART_9
  - ART_12
  - ART_13
  - ART_25
  - ART_32
  - ART_35
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
  - CC_6_1
- CNIL_FOR_EDITORS:
  - EDITORS_1_2_5
  - EDITORS_3_1_1
  - EDITORS_3_1_2
  - EDITORS_4_1_1