Sexual Orientation Information Collection Not Disclosed in Privacy Policy

Description

The application collects information about users' sexual orientation, but the privacy policy does not disclose this. Sexual orientation is a special category of personal information under regulations like GDPR and is highly sensitive. Failure to inform users about this collection is a very serious issue and likely violates legal requirements for explicit consent and the most stringent data protection measures.

Recommendation

Update your application's privacy policy immediately to explicitly state that information on sexual orientation is collected. Clearly detail the specific types of data collected, the precise purposes for this collection, how the data is used, processed, and stored with the highest level of security, and the data retention period. Ensure that explicit, unambiguous user consent is obtained before collecting this highly sensitive information and that all practices comply with applicable data protection laws for special categories of data.

Standards

  • GDPR:
    • ART_5
    • ART_6
    • ART_7
    • ART_9
    • ART_12
    • ART_13
    • ART_25
    • ART_32
    • ART_35
  • CCPA:
    • CCPA_1798_100
    • CCPA_1798_110
    • CCPA_1798_150
  • OWASP_MASVS_v2_1:
    • MASVS_PRIVACY_1
    • MASVS_PRIVACY_2
  • SOC2_CONTROLS:
    • CC_2_3
    • CC_5_3
    • CC_6_1
  • CNIL_FOR_EDITORS:
    • EDITORS_1_2_5
    • EDITORS_3_1_1
    • EDITORS_3_1_2