Location History Collection Not Disclosed in Privacy Policy

Location History Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects and stores users' location history over time, but the privacy policy does not clearly disclose this. Collection of location history can create a detailed profile of users' movements, activities, and routines, making it highly sensitive. Failure to inform users about this practice can be misleading and may violate privacy regulations.

Recommendation

Update your application's privacy policy to explicitly state that location history is collected and stored. Clearly describe the purposes for this collection, how the data is used, how long it is retained, and the security measures in place to protect it. Ensure users are provided with transparent information and appropriate controls regarding their location history.

Links

• GDPR - Recital 49 (Location Data)
• Apple Developer - User Privacy and Data Use
• Android Developer - Location and SENSORS
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_12
  • ART_13
  • ART_25
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_1_2_4
  • EDITORS_3_1_1
  • EDITORS_3_1_2
  • EDITORS_5_1_1