From OWASP on P-8: Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.

I presented the OWASP Top 10 Privacy Risks project to DAMA Philadelphia for their Cyber Security Month event.

P-10 Collection of data not required for the user-consented purpose and the "Lean Data Commitment".

P-9 "Inability of users to access and modify data" identifies data lockin by organizations as a privacy risk.