low
CWE-16

No Privacy Policy

Operating without a privacy policy violates GDPR, CCPA, and similar regulations — and makes users rightfully distrust your handling of their data.

How It Works

GDPR (Articles 13 and 14) requires anyone processing EU residents' personal data to tell them what is collected, why, who it is shared with, how long it is kept, and how they can exercise their rights; a published privacy policy is how that notice is delivered. CCPA requires businesses that meet its thresholds and collect California residents' personal information to post one. Without a policy you are in breach wherever such a law applies, which is almost anywhere you have users, and regulators have fined companies millions for the omission.

Vulnerable Code
// BAD: application collecting user data with no privacy policy
// No /privacy-policy route
// No link to privacy policy in signup form
// No disclosure of what data is collected or how it's used
Secure Code
// GOOD: privacy policy linked from footer, signup, and settings
// pages/privacy-policy.tsx — required for legal compliance
// Content must cover:
// - What data you collect
// - How you use it
// - Who you share it with
// - How long you retain it
// - How users can request deletion

Real-World Example

The FTC has repeatedly fined companies whose data collection was not disclosed to users. In 2019 Google and YouTube agreed to pay $170 million to the FTC and the New York Attorney General over allegations that YouTube collected personal information from viewers of child-directed channels without the notice and verifiable parental consent COPPA requires.

How to Prevent It

  • Create a privacy policy that covers what you collect, how you use it, who you share it with, how long you keep it, and how users can request deletion
  • Link the privacy policy from your footer, signup page, and account settings
  • Keep the privacy policy updated when you add new data collection or third-party services
  • Use a privacy policy generator as a starting point, but have a lawyer review it for your jurisdiction

Affected Technologies

javascript

Hogo detects this vulnerability automatically.
