Information Concerning Sex Life Collection Not Disclosed in Privacy Policy
Description
The application collects information concerning users' sex life, but the privacy policy does not disclose this. This type of data is a special category of personal information under regulations such as the GDPR and is extremely sensitive. Failing to inform users about this collection is a very serious issue and likely violates legal requirements for explicit consent and for the most stringent data protection measures.
Recommendation
Update your application's privacy policy to explicitly state that information concerning sex life is collected. Clearly detail the specific types of data collected, the precise purposes of the collection, how the data is used, processed, and stored with the highest level of security, and how long it is retained. Ensure that explicit, unambiguous user consent is obtained before this highly sensitive information is collected, and that all practices comply with applicable data protection laws for special categories of data.
Links
- GDPR Article 9 - Processing of Special Categories of Personal Data
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_7
  - ART_9
  - ART_12
  - ART_13
  - ART_25
  - ART_32
  - ART_35
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
  - CC_6_1
- CNIL_FOR_EDITORS:
  - EDITORS_1_2_5
  - EDITORS_3_1_1
  - EDITORS_3_1_2