310 – Request user consent

Summary

The system must request the users consent whenever it will collect any information about them or their actions. This consent should not be requested before informing the user about the types of data that will be collected and the purpose for which they will be processed.

Description

Systems usually request information from their users or collect it based on their interactions with the application. Regulations demand that none of these collections occur without the users consent, that this consent be demonstrable afterwards and that it only be requested after having informed the user of the types and purposes of data collection. Therefore, consent must always be requested in a clear manner and using easily understandable language before collecting any personal information.

Supported In

Advanced: True

References

• EPRIVACY-6_4. Traffic data
• EPRIVACY-9_1. Location data other than traffic data
• GDPR-7_1. Conditions for consent (1)
• SOC2-P2_1. Additional criteria for privacy (related to choice and consent)
• SOC2-P3_2. Additional criteria for privacy (related to collection)
• SOC2-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
• SOC2-P6_1. Additional criteria for privacy (related to disclosure and notification)
• CCPA-1798_100. General duties of businesses that collect personal information
• GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
• PDPA-4_13. Consent required
• POPIA-3A_11. Processing of personal information in general – Consent, justification and objection
• PDPO-S1_1. Purpose and manner of collection of personal data
• PDPO-S1_3. Use of personal data
• HITRUST-13_d. Consent required
• HITRUST-13_m. Accuracy and quality
• LGPD-7_I. Requirements for the Processing of Personal Data
• LGPD-9_VII-2. Requirements for the Processing of Personal Data
• LGPD-11_I. Processing of Sensitive Personal Data
• LGPD-14-1. Processing of Children and Adolescents Personal Data
• LGPD-18_VI. Data Subjects Rights
• OWASPRISKS-P4. Consent on everything
• OWASPRISKS-P10. Collection of data not required for the user-consented purpose
• SIGLITE-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
• SIG-P_3_1. Privacy
• OWASPMASVS-PRIVACY-3. The app is transparent about data collection and usage
• OWASPMASVS-PRIVACY-4. The app offers user control over their data

Weaknesses

• 088 – Privacy violation

Last updated

2024/01/18