Identity Verification Information Collection Not Disclosed in Privacy Policy
Description
The application collects information for identity verification, such as images of government-issued IDs or verification selfies, but the privacy policy does not clearly disclose this. This type of data is highly sensitive and directly linked to an individual's legal identity. Failure to inform users about this collection can be misleading and may violate privacy regulations requiring explicit consent and stringent safeguards.
Recommendation
Update your application's privacy policy to explicitly state that information for identity verification is collected. Clearly describe the types of information collected (for example, government-issued ID images and verification selfies), the specific purposes for its collection, how it is securely processed and stored, how long it is retained, any third-party identity verification providers that receive it, and user rights regarding this data. Present the disclosure and obtain explicit user consent before the verification flow captures any image, and ensure all practices comply with applicable data protection laws.
Links
- GDPR Article 9 - Processing of Special Categories of Personal Data (applies if biometric data, such as facial matching of a selfie against an ID photo, is processed)
- GDPR Article 32 - Security of Processing
- NIST Special Publication 800-63A - Digital Identity Guidelines: Enrollment and Identity Proofing
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
- ART_5
- ART_6
- ART_7
- ART_9
- ART_12
- ART_13
- ART_25
- ART_32
- ART_35
- CCPA:
- CCPA_1798_100
- CCPA_1798_110
- CCPA_1798_150
- OWASP_MASVS_v2_1:
- MASVS_PRIVACY_1
- MASVS_PRIVACY_2
- SOC2_CONTROLS:
- CC_2_3
- CC_5_3
- CC_6_1
- CNIL_FOR_EDITORS:
- EDITORS_1_2_5
- EDITORS_3_1_1
- EDITORS_3_1_2
- EDITORS_4_1_1