User Photos and Media Collection Not Disclosed in Privacy Policy

User Photos and Media Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application accesses or collects user photos, videos, or other media files, but the privacy policy does not clearly disclose this. User media can be highly personal and sensitive. Failure to inform users about how their media files are accessed or collected can be misleading and may violate privacy regulations that require transparency and user consent for such processing.

Recommendation

Update your application's privacy policy to explicitly state if and how user photos, videos, or other media files are accessed or collected. Clearly describe the purposes for this access or collection, how the media is used, processed, stored, and its retention period. Ensure that clear user consent is obtained before accessing user media and that users have control over these permissions.

Links

• GDPR - Personal Data Definition (includes images)
• Apple Developer - Accessing Protected Resources (Photo Library)
• Android Developer - Storage Access Framework
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_12
  • ART_13
  • ART_25
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_3_1_1
  • EDITORS_3_1_2
  • EDITORS_5_1_1