
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.

Why do we need all of this data? OWASP Privacy Risks - P-10

posted on October 20, 2021 by Mark Roxberry
Do not trust your memory; it is a net full of holes; the most beautiful prizes slip through it. - Georges Duhamel

P-10 Collection of data not required for the user-consented purpose

The OWASP Top 10 Privacy Risks Project identifies the top 10 privacy risks in web applications, the cloud and the global online ecosystem. In September of 2021, version 2 of the project was released. I'm going to work through the list and discuss each risk, with references and mitigation countermeasures, if they exist.

The P-10 risk on the list, "Collection of data not required for the user-consented purpose", is the collection of too much data from users.

Companies are collecting more data than they need

“Most companies are collecting data these days on all the interactions, on all the places that they touch customers in the normal course of doing business,” says Elea Feit, senior fellow at Wharton Customer Analytics and a Drexel marketing professor. (from Your Data Is Shared and Sold…What’s Being Done About It? - Knowledge@Wharton)

A Security.org review of big tech companies' privacy policies (The Data Big Tech Companies Have On You) reveals that these companies have granted themselves liberal access to user data. The companies and their grades from that article:

  • Google gets an F

    In addition to data they collect from user interactions, their policy allows for data collection on users from local newspapers, third party marketing partners, or advertisers.

  • Facebook's Grade: C

    By design, Facebook operates off of user data. But how do they make money? "Facebook makes the majority of its money through its advertisers."

  • Amazon's Grade: B-

    Although Amazon collects a ton of data from users and shares data with millions of Marketplace sellers, it does not by default send PII to those sellers. Additionally, Amazon provides an opt-out for any information sent to 3rd parties.

What to do to mitigate P-10

I recommend that you look into making a "Lean Data Commitment", following Mozilla's "Lean Data Practices" guide to help define your organization's privacy best practices. "Lean Data Practices" can be found here. Particularly note the 3 tenets of lean data practices:

  • "Stay Lean" - review your data collection
  • "Build Security" - protect customer data
  • "Engage Your Users" - inform your users, keep your practices transparent.
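One way to make the "Stay Lean" review concrete for P-10 is to tie every collected field to a consented purpose and drop the rest before storage. The following is an added example, not code from the OWASP project or Mozilla's guide; the purposes, field names and sample submission are all constructed assumptions.

```python
# Added example: purpose-bound data minimization (all names are hypothetical).

# Constructed mapping: each consented purpose -> the fields it actually needs.
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "email", "shipping_address"},
    "newsletter": {"email"},
}

# Constructed collection schema, e.g. the fields a signup form posts.
FORM_FIELDS = {"name", "email", "shipping_address",
               "date_of_birth", "phone", "device_id"}


def allowed_fields(consented_purposes):
    """Union of fields required by the purposes the user consented to."""
    allowed = set()
    for purpose in consented_purposes:
        if purpose not in PURPOSE_FIELDS:
            # Fail closed: an undeclared purpose justifies no collection.
            raise ValueError(f"unknown purpose: {purpose!r}")
        allowed |= PURPOSE_FIELDS[purpose]
    return allowed


def audit_schema(form_fields):
    """'Stay Lean' review: collected fields that no declared purpose requires."""
    needed = set().union(*PURPOSE_FIELDS.values())
    return sorted(set(form_fields) - needed)


def minimize(payload, consented_purposes):
    """Keep only fields covered by consent; return (kept, dropped_names)."""
    allowed = allowed_fields(consented_purposes)
    kept = {k: v for k, v in payload.items() if k in allowed}
    dropped = sorted(k for k in payload if k not in allowed)
    return kept, dropped


if __name__ == "__main__":
    # Constructed submission from a user who consented to the newsletter only.
    submission = {"name": "A. Example", "email": "user@example.com",
                  "phone": "555-0100", "device_id": "constructed-device-id"}
    print("unjustified schema fields:", audit_schema(FORM_FIELDS))
    kept, dropped = minimize(submission, ["newsletter"])
    print("stored:", kept)
    print("dropped before storage:", dropped)
```

The schema audit finds over-collection at design time, while the per-request filter catches it at runtime when a user has consented to fewer purposes than the form supports.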

Scan your site for privacy issues at PRIVACYSCORE.

References

  1. OWASP Top 10 Privacy Risks Project
  2. Your Data Is Shared and Sold…What’s Being Done About It? - Knowledge@Wharton
  3. The Data Big Tech Companies Have On You - Security.org
  4. Your mass consumer data collection is destroying consumer trust - TechCrunch
  5. The Rising Concern Around Consumer Data And Privacy - Forbes

Quote credit

BrainyQuote