Voice Data Collection Not Disclosed in Privacy Policy

Voice Data Collection Not Disclosed in Privacy Policy

Risk: medium

Description

The application collects voice data or audio recordings from users, but the privacy policy does not clearly disclose this. Voice data can be personal and, if used for unique identification, may be considered biometric data. Failure to inform users about this collection can be misleading and may violate privacy regulations that require transparency and consent.

Recommendation

Update your application's privacy policy to explicitly state that voice data or audio recordings are collected. Clearly describe the purposes for this collection, how the data is used, processed, stored, its retention period, and any security measures in place. Ensure that clear user consent is obtained before accessing the microphone or collecting voice data, especially if used for sensitive purposes like identification.

Links

• GDPR Article 9 - Processing of Special Categories of Personal Data (if used for biometric identification)
• GDPR Article 4 - Definitions (Personal Data - can include voice)
• Apple Developer - Speech Recognition
• Android Developer - Speech To Text
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_9
  • ART_12
  • ART_13
  • ART_25
  • ART_32
  • ART_35
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_110
  • CCPA_1798_150
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3
  • CC_6_1
• CNIL_FOR_EDITORS:
  • EDITORS_1_2_5
  • EDITORS_3_1_1
  • EDITORS_3_1_2