Religious Beliefs Collection Not Disclosed in Privacy Policy

Description

The application collects information about users' religious beliefs, but the privacy policy does not disclose this. Religious beliefs are considered a special category of personal data under regulations like GDPR. Failure to inform users about this collection is a significant issue and likely violates legal requirements for explicit consent and stringent data protection measures.

Recommendation

Update your application's privacy policy immediately to explicitly state that information on religious beliefs is collected. Clearly detail the specific purposes for this collection, how the data is used and processed, how it is stored with enhanced security, and how long it is retained. Ensure that explicit user consent is obtained before collecting this sensitive information and that all practices comply with applicable data protection laws for special categories of data.

Standards

  • GDPR:
    • ART_5
    • ART_6
    • ART_7
    • ART_9
    • ART_12
    • ART_13
    • ART_25
    • ART_32
    • ART_35
  • CCPA:
    • CCPA_1798_100
    • CCPA_1798_110
    • CCPA_1798_150
  • OWASP_MASVS_v2_1:
    • MASVS_PRIVACY_1
    • MASVS_PRIVACY_2
  • SOC2_CONTROLS:
    • CC_2_3
    • CC_5_3
    • CC_6_1
  • CNIL_FOR_EDITORS:
    • EDITORS_1_2_5
    • EDITORS_3_1_1
    • EDITORS_3_1_2