PII Data Type Declaration Mismatch
PII Data Type Declaration Mismatch
Description
Failure to accurately declare the types of personally identifiable information (PII) collected and used in your privacy policy can lead to potential legal and regulatory issues, as well as erode trust with users who may feel their privacy is not being adequately protected. It is crucial to ensure that the information declared in the policy aligns with the actual data being collected and processed to maintain transparency and compliance.
Recommendation
To mitigate the vulnerability of mismatched PII data type declarations in your privacy policy, regularly review and update your policy to ensure that it accurately reflects how PII data is being collected, stored, and used within your organization. Additionally, conduct regular audits and assessments to ensure compliance with privacy regulations and best practices.
Links
- Android Privacy Guidelines
- Privacy Policies for Mobile Apps
- Apple Privacy Manifest
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- OWASP_MASVS_L1:
- OWASP_MASVS_L2:
- OWASP_MASVS_RESILIENCE:
- CWE_TOP_25:
- GDPR:
- ART_5
- ART_6
- ART_7
- ART_9
- ART_11
- ART_13
- ART_15
- ART_16
- ART_17
- ART_32
- CCPA:
- CCPA_1798_100
- CCPA_1798_105
- CCPA_1798_110
- CCPA_1798_115
- CCPA_1798_120
- CCPA_1798_125
- CCPA_1798_130
- CCPA_1798_135
- CCPA_1798_140
- CCPA_1798_150
- PCI_STANDARDS:
- OWASP_MASVS_v2_1:
- MASVS_PRIVACY_1
- MASVS_PRIVACY_2
- MASVS_PRIVACY_3
- MASVS_PRIVACY_4
- OWASP_ASVS_L1:
- OWASP_ASVS_L2:
- OWASP_ASVS_L3:
- SOC2_CONTROLS:
- CC_2_3
- CC_5_3