The system must request the users consent whenever it will collect any information about them or their actions. This consent should not be requested before informing the user about the types of data that will be collected and the purpose for which they will be processed.
Systems usually request information from their users or collect it based on their interactions with the application. Regulations demand that none of these collections occur without the users consent, that this consent be demonstrable afterwards and that it only be requested after having informed the user of the types and purposes of data collection. Therefore, consent must always be requested in a clear manner and using easily understandable language before collecting any personal information.
This requirement is verified in following services
- ePrivacy Directive-6_4. Traffic data
- ePrivacy Directive-9_1. Location data other than traffic data
- GDPR-7_1. Conditions for consent (1)
- SOC2®-P2_1. Additional criteria for privacy (related to choice and consent)
- SOC2®-P3_2. Additional criteria for privacy (related to collection)
- SOC2®-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
- SOC2®-P6_1. Additional criteria for privacy (related to disclosure and notification)
- CCPA-1798_100. General duties of businesses that collect personal information
- GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
- PDPA-4_13. Consent required
- POPIA-3A_11. Processing of personal information in general – Consent, justification and objection
- PDPO-S1_1. Purpose and manner of collection of personal data
- PDPO-S1_3. Use of personal data
- HITRUST CSF-13_d. Consent required
- HITRUST CSF-13_m. Accuracy and quality
- LGPD-7_I. Requirements for the Processing of Personal Data
- LGPD-9_VII-2. Requirements for the Processing of Personal Data
- LGPD-11_I. Processing of Sensitive Personal Data
- LGPD-14-1. Processing of Children and Adolescents Personal Data
- LGPD-18_VI. Data Subjects Rights
- OWASP Top 10 Privacy Risks-P4. Consent on everything
- OWASP Top 10 Privacy Risks-P10. Collection of data not required for the user-consented purpose
- SIG Lite-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
- SIG Core-P_3_1. Privacy
- OWASP MASVS-PRIVACY-3. The app is transparent about data collection and usage
- OWASP MASVS-PRIVACY-4. The app offers user control over their data
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.