The system must request the user’s consent whenever it will collect any information about them or their actions. This consent should not be requested before informing the user about the types of data that will be collected and the purpose for which they will be processed.
Systems usually request information from their users or collect it based on their interactions with the application. Regulations demand that none of these collections occur without the user’s consent, that this consent be demonstrable afterwards and that it only be requested after having informed the user of the types and purposes of data collection. Therefore, consent must always be requested in a clear manner and using easily understandable language before collecting any personal information.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 6: Traffic data.(4) The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 9: Location data other than traffic data.(1) The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
GDPR. Art. 7: Conditions for consent.(1). Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
ISO 27001:2013. Annex A - 18.1.4 When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulations.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.3) Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way.
OWASP-ASVS v4.0.1 V10.2 Malicious Code Search.(10.2.1) Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user’s permission for it to operate before collecting any data.