PII Categories Data Type Declaration Mismatch

PII Categories Data Type Declaration Mismatch

Risk: medium

Description

The vulnerability exists when the PII Categories data type declaration in the privacy policy does not accurately reflect the actual usage of personal identifiable information within the system, potentially leading to discrepancies in data handling and privacy compliance.

Recommendation

To mitigate the vulnerability of mismatched data type declarations in the privacy policy, it is important to regularly review and update the policy to ensure that the PII Categories data type declaration accurately reflects how the data is being used and stored. This can help to maintain transparency and compliance with privacy regulations, as well as protect the sensitive information of users.

Links

• Android Privacy Guidelines
• Privacy Policies for Mobile Apps
• Apple Privacy Manifest
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• OWASP_MASVS_L1:
• OWASP_MASVS_L2:
• OWASP_MASVS_RESILIENCE:
• CWE_TOP_25:
• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_9
  • ART_11
  • ART_13
  • ART_15
  • ART_16
  • ART_17
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_105
  • CCPA_1798_110
  • CCPA_1798_115
  • CCPA_1798_120
  • CCPA_1798_125
  • CCPA_1798_130
  • CCPA_1798_135
  • CCPA_1798_140
  • CCPA_1798_150
• PCI_STANDARDS:
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
  • MASVS_PRIVACY_3
  • MASVS_PRIVACY_4
• OWASP_ASVS_L1:
• OWASP_ASVS_L2:
• OWASP_ASVS_L3:
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3