Missing Legal Basis in Privacy Policy

Missing Legal Basis in Privacy Policy

Risk: medium

Description

The vulnerability exists in the privacy policy of the system as it fails to mention the legal basis relied upon for processing users' data, which could lead to potential legal and compliance issues.

Recommendation

To mitigate the vulnerability of not mentioning the legal basis for processing user data in your privacy policy, ensure that you clearly outline the legal basis, such as consent, legitimate interest, or contractual necessity, to provide transparency and compliance with data protection regulations. Regularly review and update your privacy policy to reflect any changes in the legal basis for processing user data.

Links

• Android Privacy Guidelines
• Privacy Policies for Mobile Apps
• Apple Privacy Manifest
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• OWASP_MASVS_L1:
• OWASP_MASVS_L2:
• OWASP_MASVS_RESILIENCE:
• CWE_TOP_25:
• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_9
  • ART_11
  • ART_13
  • ART_15
  • ART_16
  • ART_17
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_105
  • CCPA_1798_110
  • CCPA_1798_115
  • CCPA_1798_120
  • CCPA_1798_125
  • CCPA_1798_130
  • CCPA_1798_135
  • CCPA_1798_140
  • CCPA_1798_150
• PCI_STANDARDS:
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
  • MASVS_PRIVACY_3
  • MASVS_PRIVACY_4
• OWASP_ASVS_L1:
• OWASP_ASVS_L2:
• OWASP_ASVS_L3:
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3