Personal Identifiers Collection Not Disclosed in Privacy Policy
Description
The application collects personal identifiers (such as User IDs, Device IDs, IP addresses, or Advertising IDs), but the privacy policy fails to adequately disclose the collection of these specific identifiers. This lack of transparency can prevent users from understanding how they are being tracked or identified, and may violate requirements under privacy regulations like GDPR and CCPA.
Recommendation
Update your application's privacy policy to explicitly list all types of personal identifiers collected (e.g., User ID, Device ID, IP Address, Advertising ID). For each identifier, clearly describe the specific purposes for its collection, how it is used, processed, and stored, and how long it is retained. Ensure that all disclosures are transparent and comply with applicable data protection laws.
Links
- Android Privacy Guidelines
- Apple Developer - User Privacy and Data Use
- GDPR Article 4 - Definitions (Online Identifiers)
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_7
  - ART_12
  - ART_13
  - ART_25
  - ART_32
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
- CNIL_FOR_EDITORS:
  - EDITORS_3_1_1
  - EDITORS_3_1_2