Health and Fitness Data Collection Not Disclosed in Privacy Policy
Description
The application collects health or fitness data (for example medical conditions, heart rate, activity or step counts, sleep, or dietary habits), but its privacy policy does not disclose this. Data concerning health is a special category of personal data under GDPR Article 9: processing it is prohibited unless a specific exception applies, most commonly the data subject's explicit consent, and it carries stricter transparency and security obligations than ordinary personal data. Collecting it without telling users removes the basis for informed, explicit consent and therefore likely breaches both the transparency duties (Articles 12 and 13) and the Article 9 processing conditions. Depending on jurisdiction, HIPAA (for covered entities in the US) and the CCPA impose their own notice obligations. Note that fitness data such as step counts or workout logs can reveal health conditions by inference and should be treated as health data for this purpose.
Recommendation
Update the application's privacy policy before the next release so that it explicitly states that health and fitness data is collected. For each category, name the data collected (e.g. heart rate, step count, diagnoses, dietary logs), the purpose of collection, the legal basis, how the data is processed and where it is stored, which third parties (SDKs, analytics, cloud providers) receive it, the retention period, and the security measures applied to it. Obtain explicit, separate opt-in consent before the first collection, not bundled into general terms, and let users withdraw it; an in-app HealthKit or Health Connect permission prompt does not replace the policy disclosure. Check whether a data protection impact assessment (GDPR Article 35) is required, since large-scale processing of special-category data typically triggers one. To confirm the finding and its remediation, compare what the app actually requests, e.g. `NSHealthShareUsageDescription`/`NSHealthUpdateUsageDescription` and the HealthKit entitlement on iOS, or `android.permission.health.*` Health Connect permissions on Android, against the published policy, and make sure every requested data type is matched by a disclosure.
Links
- GDPR Article 9 - Processing of Special Categories of Personal Data
- HIPAA (Health Insurance Portability and Accountability Act - US context)
- Apple Developer - HealthKit
- Android Developer - Health Connect
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_7
  - ART_9
  - ART_12
  - ART_13
  - ART_25
  - ART_32
  - ART_35
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
  - CC_6_1
- CNIL_FOR_EDITORS:
  - EDITORS_1_2_5
  - EDITORS_3_1_1
  - EDITORS_3_1_2
  - EDITORS_4_1_1