Careful as this is US-specific.
https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Enforcement actions by ICO on cookies
https://ico.org.uk/action-weve-taken/cookies/
ICO guidance on use of cookies and similar technologies
https://ico.org.uk/media/for-organisations/documents/1545/cookies_guidance.pdf
German white paper on pseudonymisation: "Whitepaper zur Pseudonymisierung" (White paper on pseudonymisation by the Data Protection Focus Group of the Platform "Security, Protection and Trust for Society and Economy" within the 2017 Digital Summit: guidelines for the legally compliant use of pseudonymisation solutions in light of the General Data Protection Regulation)
https://www.gdd.de/downloads/whitepaper-zur-pseudonymisierung
IAPP white paper looking at security best practices based on FTC enforcement actions.
https://iapp.org/media/pdf/resource_center/FTC-WhitePaper_V4.pdf
The “Deliberation no. 2017-012 of 19 January 2017 on the adoption of a recommendation relating to passwords” covers e.g.
https://www.cnil.fr/sites/default/files/atoms/files/recommandation_passwords_en.pdf
in English, incl.
https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf
https://fil.forbrukerradet.no/wp-content/uploads/2018/04/2018-04-03-complaint-grindr.pdf
Quote:
[..] “Insufficient consent
According to the SINTEF report, Grindr shares personal data with different third parties.
When a user registers a user account in Grindr, the app asks for consent to the terms of service in whole, without individual elements being emphasized or singled out (see attached picture).
In the view of the Consumer Council, information about sensitive personal data being shared with third parties should not be hidden away in long terms of service and privacy policies. The Consumer Council cannot see that Grindr fulfils the conditions for gathering an informed and explicitly given consent.
During the process of registration and inside the app, there is no further description of how data may be shared, other than what is hidden away in the terms of service and privacy policy. There is also no separate consent for sharing sensitive personal data with third parties.
The app does not provide an opportunity to not share personal data with third parties.”
[..]
Paper “Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps”
by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney