@runhalo/engine 0.6.0 → 0.7.0
- package/package.json +1 -1
- package/rules/rules.json +695 -1
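--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@runhalo/engine",
-"version": "0.
+"version": "0.7.0",
 "description": "Halo rule engine — child online safety compliance detection. 130 rules across 10 packs covering COPPA, UK AADC, EU DSA, EU AI Act, and more.",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",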
package/rules/rules.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": "1.0.0",
|
|
3
|
-
"generated_at": "2026-03-
|
|
3
|
+
"generated_at": "2026-03-13T00:00:00Z",
|
|
4
4
|
"packs": {
|
|
5
5
|
"coppa": {
|
|
6
6
|
"id": "coppa",
|
|
@@ -101,6 +101,66 @@
|
|
|
101
101
|
"is_free": false,
|
|
102
102
|
"effective_date": "2026-08-01",
|
|
103
103
|
"source_url": "https://artificialintelligenceact.eu/"
|
|
104
|
+
},
|
|
105
|
+
"gdpr-art8": {
|
|
106
|
+
"id": "gdpr-art8",
|
|
107
|
+
"name": "EU GDPR Article 8 (Child Consent)",
|
|
108
|
+
"description": "5 rules for GDPR Article 8 compliance — child consent age fragmentation across EU member states, legitimate interest restrictions, and data minimization for minors.",
|
|
109
|
+
"jurisdiction": "EU",
|
|
110
|
+
"jurisdiction_level": "supranational",
|
|
111
|
+
"is_free": false,
|
|
112
|
+
"effective_date": "2018-05-25",
|
|
113
|
+
"source_url": "https://gdpr-info.eu/art-8-gdpr/"
|
|
114
|
+
},
|
|
115
|
+
"india-dpdp": {
|
|
116
|
+
"id": "india-dpdp",
|
|
117
|
+
"name": "India DPDP Act 2023 (Section 9)",
|
|
118
|
+
"description": "5 rules for India's Digital Personal Data Protection Act — strictest global framework. Under-18 tracking ban, parental consent for all processing, blanket prohibition on behavioral monitoring.",
|
|
119
|
+
"jurisdiction": "IN",
|
|
120
|
+
"jurisdiction_level": "national",
|
|
121
|
+
"is_free": false,
|
|
122
|
+
"effective_date": "2023-08-11",
|
|
123
|
+
"source_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
|
|
124
|
+
},
|
|
125
|
+
"brazil-lgpd": {
|
|
126
|
+
"id": "brazil-lgpd",
|
|
127
|
+
"name": "Brazil LGPD Article 14 (Children's Data)",
|
|
128
|
+
"description": "4 rules for Brazil's LGPD Article 14 — best interest standard for children under 12, data minimization, and age-appropriate notices.",
|
|
129
|
+
"jurisdiction": "BR",
|
|
130
|
+
"jurisdiction_level": "national",
|
|
131
|
+
"is_free": false,
|
|
132
|
+
"effective_date": "2020-09-18",
|
|
133
|
+
"source_url": "https://lgpd-brazil.info/chapter_02/article_14"
|
|
134
|
+
},
|
|
135
|
+
"canada-pipeda": {
|
|
136
|
+
"id": "canada-pipeda",
|
|
137
|
+
"name": "Canada PIPEDA (Children's Consent)",
|
|
138
|
+
"description": "4 rules for Canada's PIPEDA — meaningful consent for minors, OPC reasonable purpose test, behavioral advertising restrictions for children.",
|
|
139
|
+
"jurisdiction": "CA",
|
|
140
|
+
"jurisdiction_level": "national",
|
|
141
|
+
"is_free": false,
|
|
142
|
+
"effective_date": "2000-01-01",
|
|
143
|
+
"source_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
|
|
144
|
+
},
|
|
145
|
+
"south-korea-pipa": {
|
|
146
|
+
"id": "south-korea-pipa",
|
|
147
|
+
"name": "South Korea PIPA (Under-14 Protection)",
|
|
148
|
+
"description": "3 rules for South Korea's Personal Information Protection Act — parental consent for under-14, clear child-appropriate language, and fines up to 3% global revenue.",
|
|
149
|
+
"jurisdiction": "KR",
|
|
150
|
+
"jurisdiction_level": "national",
|
|
151
|
+
"is_free": false,
|
|
152
|
+
"effective_date": "2011-09-30",
|
|
153
|
+
"source_url": "https://iclg.com/practice-areas/data-protection-laws-and-regulations/korea"
|
|
154
|
+
},
|
|
155
|
+
"behavioral-design": {
|
|
156
|
+
"id": "behavioral-design",
|
|
157
|
+
"name": "Behavioral Design Patterns",
|
|
158
|
+
"description": "4 rules detecting harmful behavioral design patterns and rewarding positive design in children's products. Framework-agnostic, based on AAP/WHO guidelines.",
|
|
159
|
+
"jurisdiction": "international",
|
|
160
|
+
"jurisdiction_level": "advisory",
|
|
161
|
+
"is_free": false,
|
|
162
|
+
"effective_date": null,
|
|
163
|
+
"source_url": "https://runhalo.dev/behavioral-design"
|
|
104
164
|
}
|
|
105
165
|
},
|
|
106
166
|
"rules": [
|
|
@@ -1559,6 +1619,89 @@
|
|
|
1559
1619
|
"guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/15-online-tools/"
|
|
1560
1620
|
},
|
|
1561
1621
|
|
|
1622
|
+
{
|
|
1623
|
+
"id": "aadc-best-interest-016",
|
|
1624
|
+
"name": "Monetization Override Without Child Safety Check",
|
|
1625
|
+
"severity": "high",
|
|
1626
|
+
"confidence": "medium",
|
|
1627
|
+
"category": "safety",
|
|
1628
|
+
"description": "AADC Standard 1 requires the best interests of the child to be a primary consideration. In-app purchase prompts, subscription upsells, or premium feature gates in child-facing flows without age-gated suppression prioritize revenue over child wellbeing.",
|
|
1629
|
+
"patterns": [
|
|
1630
|
+
{ "pattern": "(?:inAppPurchase|in_app_purchase|purchaseProduct|buyItem|makePurchase|requestPayment)(?![\\s\\S]{0,500}(?:isChild|isMinor|age_check|under18|parental))", "flags": "gi" },
|
|
1631
|
+
{ "pattern": "(?:upsell|upgrade_prompt|premium_gate|paywall).*(?:show|display|render|present)(?![\\s\\S]{0,500}(?:isChild|isMinor|age_gate|child_safe))", "flags": "gi" },
|
|
1632
|
+
{ "pattern": "(?:lootBox|mysteryBox|gacha|virtualCurrency|coinPurchase)(?![\\s\\S]{0,500}(?:isChild|isMinor|age|parental))", "flags": "gi" }
|
|
1633
|
+
],
|
|
1634
|
+
"fix_suggestion": "Before showing monetization prompts (in-app purchases, upsells, premium gates), check if the user is a child and suppress or gate these flows accordingly. The best interests of the child must take priority over commercial interests. See ICO AADC Standard 1.",
|
|
1635
|
+
"penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
|
|
1636
|
+
"languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
|
|
1637
|
+
"packs": ["uk-aadc"],
|
|
1638
|
+
"fixability": "guided",
|
|
1639
|
+
"transform_type": null,
|
|
1640
|
+
"scaffold_id": null,
|
|
1641
|
+
"guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/1-best-interests-of-the-child/"
|
|
1642
|
+
},
|
|
1643
|
+
{
|
|
1644
|
+
"id": "aadc-dpia-017",
|
|
1645
|
+
"name": "Child Data Processing Without DPIA Reference",
|
|
1646
|
+
"severity": "medium",
|
|
1647
|
+
"confidence": "low",
|
|
1648
|
+
"category": "compliance",
|
|
1649
|
+
"description": "AADC Standard 2 requires a Data Protection Impact Assessment (DPIA) for services likely to be accessed by children. Code that processes child data (user profiles with age, student records, child accounts) should reference or link to DPIA documentation.",
|
|
1650
|
+
"patterns": [
|
|
1651
|
+
{ "pattern": "(?:childProfile|studentRecord|minorData|childAccount|kidUser|child_data).*(?:create|save|store|process|collect)(?![\\s\\S]{0,1000}(?:dpia|impact_assessment|risk_assessment|data_protection_impact))", "flags": "gi" },
|
|
1652
|
+
{ "pattern": "(?:isChild|isMinor|age\\s*<\\s*18|under18|is_underage).*(?:userData|personalData|profile|account).*(?:create|save|insert)(?![\\s\\S]{0,1000}(?:dpia|impact_assessment))", "flags": "gi" }
|
|
1653
|
+
],
|
|
1654
|
+
"fix_suggestion": "Conduct a DPIA before processing children's data and reference it in your codebase. Add DPIA completion checks or documentation links where child data is processed. See ICO AADC Standard 2 and ICO DPIA guidance.",
|
|
1655
|
+
"penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
|
|
1656
|
+
"languages": ["typescript", "javascript", "python", "java", "kotlin", "swift", "go"],
|
|
1657
|
+
"packs": ["uk-aadc"],
|
|
1658
|
+
"fixability": "manual",
|
|
1659
|
+
"transform_type": null,
|
|
1660
|
+
"scaffold_id": null,
|
|
1661
|
+
"guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/2-data-protection-impact-assessments/"
|
|
1662
|
+
},
|
|
1663
|
+
{
|
|
1664
|
+
"id": "aadc-transparency-018",
|
|
1665
|
+
"name": "Privacy Notice Without Child-Friendly Version",
|
|
1666
|
+
"severity": "high",
|
|
1667
|
+
"confidence": "medium",
|
|
1668
|
+
"category": "transparency",
|
|
1669
|
+
"description": "AADC Standard 4 requires privacy information to be concise, prominent, and in clear language suited to the age of the child. Services must provide 'bite-sized' explanations at the point of data use, not just adult-facing legal privacy policies.",
|
|
1670
|
+
"patterns": [
|
|
1671
|
+
{ "pattern": "(?:privacyPolicy|privacy_policy|termsOfService|terms_of_service|cookiePolicy|cookie_policy)(?:Url|Link|Page|Modal|Component)(?![\\s\\S]{0,800}(?:childFriendly|child_friendly|kidVersion|simplified|biteSized|bite_sized|ageAppropriate|age_appropriate))", "flags": "gi" },
|
|
1672
|
+
{ "pattern": "(?:showPrivacy|displayTerms|openConsent|renderPolicy)(?![\\s\\S]{0,500}(?:simplified|childFriendly|child_friendly|kidMode|age_appropriate))", "flags": "gi" }
|
|
1673
|
+
],
|
|
1674
|
+
"fix_suggestion": "Provide age-appropriate, bite-sized privacy notices alongside standard privacy policies. At the point of data collection, show concise explanations a child can understand. Consider using icons, animations, or short sentences instead of legal language. See ICO AADC Standard 4.",
|
|
1675
|
+
"penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
|
|
1676
|
+
"languages": ["typescript", "javascript", "python", "html"],
|
|
1677
|
+
"packs": ["uk-aadc"],
|
|
1678
|
+
"fixability": "guided",
|
|
1679
|
+
"transform_type": null,
|
|
1680
|
+
"scaffold_id": null,
|
|
1681
|
+
"guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/4-transparency/"
|
|
1682
|
+
},
|
|
1683
|
+
{
|
|
1684
|
+
"id": "aadc-iot-019",
|
|
1685
|
+
"name": "Connected Toy/Device Without Privacy Mode",
|
|
1686
|
+
"severity": "high",
|
|
1687
|
+
"confidence": "medium",
|
|
1688
|
+
"category": "safety",
|
|
1689
|
+
"description": "AADC Standard 14 requires connected toys and devices to include effective tools to enable conformance with the Code. IoT devices that communicate with children's data must have hardware/software privacy modes, mute capabilities, and clear data collection indicators.",
|
|
1690
|
+
"patterns": [
|
|
1691
|
+
{ "pattern": "(?:bluetooth|BLE|BluetoothLE|CoreBluetooth|CBCentralManager|BluetoothAdapter)\\s*\\.\\s*(?:connect|pair|scan|discover)(?![\\s\\S]{0,800}(?:privacyMode|privacy_mode|childSafe|child_safe|mute|dataOff))", "flags": "gi" },
|
|
1692
|
+
{ "pattern": "(?:MQTT|mqtt|mqttClient|IoTHub|deviceTwin|smartToy|connectedDevice).*(?:publish|send|subscribe|telemetry)(?![\\s\\S]{0,800}(?:privacyMode|privacy_mode|childSafe|child_safe|parentalControl|parental_control))", "flags": "gi" },
|
|
1693
|
+
{ "pattern": "(?:voiceAssistant|smartSpeaker|alexaSkill|googleAction|siriIntent).*(?:child|kid|minor|family)(?![\\s\\S]{0,500}(?:privacyMode|privacy_mode|mute|childLock|child_lock))", "flags": "gi" }
|
|
1694
|
+
],
|
|
1695
|
+
"fix_suggestion": "Connected toys and IoT devices must include privacy modes that limit data collection, hardware mute capabilities for microphones/cameras, and clear indicators when data is being collected. Ensure parental controls are built into the device software. See ICO AADC Standard 14.",
|
|
1696
|
+
"penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
|
|
1697
|
+
"languages": ["typescript", "javascript", "python", "java", "kotlin", "swift", "go"],
|
|
1698
|
+
"packs": ["uk-aadc"],
|
|
1699
|
+
"fixability": "guided",
|
|
1700
|
+
"transform_type": null,
|
|
1701
|
+
"scaffold_id": null,
|
|
1702
|
+
"guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/14-connected-toys-and-devices/"
|
|
1703
|
+
},
|
|
1704
|
+
|
|
1562
1705
|
{
|
|
1563
1706
|
"id": "dsa-ad-profiling-001",
|
|
1564
1707
|
"name": "Profiling-Based Ad Targeting Without Minor Exclusion",
|
|
@@ -2995,6 +3138,557 @@
|
|
|
2995
3138
|
"transform_type": null,
|
|
2996
3139
|
"scaffold_id": null,
|
|
2997
3140
|
"guidance_url": null
|
|
3141
|
+
},
|
|
3142
|
+
{
|
|
3143
|
+
"id": "gdpr-art8-age-gate-001",
|
|
3144
|
+
"name": "Hardcoded Age Threshold Without EU Geo-Routing",
|
|
3145
|
+
"severity": "high",
|
|
3146
|
+
"confidence": "medium",
|
|
3147
|
+
"category": "age-gating",
|
|
3148
|
+
"description": "GDPR Article 8 allows EU member states to set consent age between 13-16. A hardcoded age threshold (e.g., age < 13) without geo-routing fails to comply with member states that set the threshold at 14, 15, or 16. Ireland/Spain/UK = 13, France = 15, Germany/Netherlands = 16.",
|
|
3149
|
+
"patterns": [
|
|
3150
|
+
{ "pattern": "(?:age|userAge|childAge|minimumAge)\\s*(?:<|<=|===?|==)\\s*13(?!\\d)", "flags": "gi" },
|
|
3151
|
+
{ "pattern": "(?:MIN_AGE|MINIMUM_AGE|AGE_LIMIT|AGE_THRESHOLD|COPPA_AGE)\\s*(?:=|:)\\s*13(?!\\d)", "flags": "gi" },
|
|
3152
|
+
{ "pattern": "isChild\\s*=.*(?:age|years?)\\s*<\\s*13(?!\\d)", "flags": "gi" },
|
|
3153
|
+
{ "pattern": "(?:ageLimit|age_limit|min_age|minimum_age)\\s*(?:=|:)\\s*13(?!\\d)", "flags": "gi" }
|
|
3154
|
+
],
|
|
3155
|
+
"fix_suggestion": "Implement geo-aware age gating that adjusts the consent threshold based on the user's EU member state. Use IP geolocation or user-declared country to route: DE/NL=16, FR=15, IE/ES/UK/DK/SE/PL/LV=13. Consider defaulting to 16 (strictest) for unknown EU origins.",
|
|
3156
|
+
"penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
|
|
3157
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift", "go"],
|
|
3158
|
+
"packs": ["gdpr-art8"],
|
|
3159
|
+
"fixability": "guided",
|
|
3160
|
+
"transform_type": null,
|
|
3161
|
+
"scaffold_id": "age-gate-auth",
|
|
3162
|
+
"guidance_url": "https://gdpr-info.eu/art-8-gdpr/"
|
|
3163
|
+
},
|
|
3164
|
+
{
|
|
3165
|
+
"id": "gdpr-art8-legit-interest-002",
|
|
3166
|
+
"name": "Legitimate Interest Basis for Minor's Data Processing",
|
|
3167
|
+
"severity": "critical",
|
|
3168
|
+
"confidence": "low",
|
|
3169
|
+
"category": "legal-basis",
|
|
3170
|
+
"description": "GDPR Article 6(1)(f) legitimate interest cannot generally be used as a legal basis for processing children's data. The EDPB states that controllers should not rely on legitimate interest for children's data without a strict balancing test that heavily favors child rights.",
|
|
3171
|
+
"patterns": [
|
|
3172
|
+
{ "pattern": "(?:legalBasis|legal_basis|lawful_basis|processing_basis)\\s*(?:=|:)\\s*['\"](?:legitimate[_\\s-]?interest|f\\)|6\\.1\\.f)['\"]", "flags": "gi" },
|
|
3173
|
+
{ "pattern": "(?:LEGAL_BASIS|LAWFUL_BASIS|PROCESSING_GROUND)\\s*(?:=|:)\\s*['\"](?:LEGITIMATE_INTEREST|LI)['\"]", "flags": "gi" },
|
|
3174
|
+
{ "pattern": "legitimateInterest\\s*:\\s*true", "flags": "gi" }
|
|
3175
|
+
],
|
|
3176
|
+
"fix_suggestion": "For children's data, use consent (GDPR Art. 6(1)(a)) or contract performance as the legal basis. Legitimate interest is generally inappropriate for processing children's data under EDPB guidelines.",
|
|
3177
|
+
"penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
|
|
3178
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
|
|
3179
|
+
"packs": ["gdpr-art8"],
|
|
3180
|
+
"fixability": "flag-only",
|
|
3181
|
+
"transform_type": null,
|
|
3182
|
+
"scaffold_id": null,
|
|
3183
|
+
"guidance_url": "https://gdpr-info.eu/art-6-gdpr/"
|
|
3184
|
+
},
|
|
3185
|
+
{
|
|
3186
|
+
"id": "gdpr-art8-child-profiling-003",
|
|
3187
|
+
"name": "Automated Decision-Making or Profiling of Minors",
|
|
3188
|
+
"severity": "critical",
|
|
3189
|
+
"confidence": "medium",
|
|
3190
|
+
"category": "profiling",
|
|
3191
|
+
"description": "GDPR Article 22 restricts automated individual decision-making, including profiling, that produces legal or similarly significant effects. For children, the EDPB recommends that profiling should not be permitted except where it is in the child's interest.",
|
|
3192
|
+
"patterns": [
|
|
3193
|
+
{ "pattern": "(?:profileChild|profile_child|childProfile|child_profile|minorProfile|minor_profile)\\s*(?:=|:)", "flags": "gi" },
|
|
3194
|
+
{ "pattern": "(?:userSegment|user_segment|audienceSegment|audience_segment|cohort)\\s*(?:=|:).*(?:child|minor|kid|teen|youth|under.?1[3-8])", "flags": "gi" },
|
|
3195
|
+
{ "pattern": "(?:behaviorScore|behavior_score|engagementScore|engagement_score|riskScore|risk_score)\\s*(?:=|:).*(?:child|minor|student|kid)", "flags": "gi" }
|
|
3196
|
+
],
|
|
3197
|
+
"fix_suggestion": "Do not profile children or use their data for automated decision-making unless it is demonstrably in the child's best interest. Provide meaningful human oversight for any automated processing that affects children.",
|
|
3198
|
+
"penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
|
|
3199
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
|
|
3200
|
+
"packs": ["gdpr-art8"],
|
|
3201
|
+
"fixability": "flag-only",
|
|
3202
|
+
"transform_type": null,
|
|
3203
|
+
"scaffold_id": null,
|
|
3204
|
+
"guidance_url": "https://gdpr-info.eu/art-22-gdpr/"
|
|
3205
|
+
},
|
|
3206
|
+
{
|
|
3207
|
+
"id": "gdpr-art8-data-minimization-004",
|
|
3208
|
+
"name": "Excessive Data Collection from Minors",
|
|
3209
|
+
"severity": "high",
|
|
3210
|
+
"confidence": "medium",
|
|
3211
|
+
"category": "data-minimization",
|
|
3212
|
+
"description": "GDPR Article 5(1)(c) requires data minimization — only collecting data that is adequate, relevant, and limited to what is necessary. For children's services, this standard is applied more strictly.",
|
|
3213
|
+
"patterns": [
|
|
3214
|
+
{ "pattern": "(?:collectAll|collect_all|gatherAll|gather_all|fetchAll|fetch_all)(?:Data|Info|UserData|Profile)", "flags": "gi" },
|
|
3215
|
+
{ "pattern": "required\\s*:\\s*true.*(?:phone|address|school|birthday|gender|ethnicity|income|ssn|social.?security)", "flags": "gi" },
|
|
3216
|
+
{ "pattern": "(?:optionalFields|optional_fields)\\s*(?:=|:)\\s*\\[\\]", "flags": "gi" }
|
|
3217
|
+
],
|
|
3218
|
+
"fix_suggestion": "Only collect data that is strictly necessary for the service. Make non-essential fields optional. Conduct a data minimization assessment for all fields collected from users who may be children.",
|
|
3219
|
+
"penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
|
|
3220
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
|
|
3221
|
+
"packs": ["gdpr-art8"],
|
|
3222
|
+
"fixability": "flag-only",
|
|
3223
|
+
"transform_type": null,
|
|
3224
|
+
"scaffold_id": null,
|
|
3225
|
+
"guidance_url": "https://gdpr-info.eu/art-5-gdpr/"
|
|
3226
|
+
},
|
|
3227
|
+
{
|
|
3228
|
+
"id": "gdpr-art8-erasure-005",
|
|
3229
|
+
"name": "Missing Right to Erasure Implementation for Children",
|
|
3230
|
+
"severity": "high",
|
|
3231
|
+
"confidence": "low",
|
|
3232
|
+
"category": "erasure",
|
|
3233
|
+
"description": "GDPR Article 17(1)(f) specifically strengthens the right to erasure when data was collected from a child. Services must provide clear mechanisms for children (or their parents) to request deletion of all personal data.",
|
|
3234
|
+
"patterns": [
|
|
3235
|
+
{ "pattern": "(?:deleteAccount|delete_account|removeUser|remove_user|purgeUser|purge_user)\\s*(?:=|\\()", "flags": "gi" },
|
|
3236
|
+
{ "pattern": "(?:softDelete|soft_delete|isDeleted|is_deleted|deletedAt|deleted_at)\\s*(?:=|:)(?!.*(?:where|scope|filter|query|find|nil|null|false|!=|<>))", "flags": "gi" },
|
|
3237
|
+
{ "pattern": "(?:retainAfterDelete|retain_after_delete|keepAfterDeletion|archiveDeleted|archive_deleted)", "flags": "gi" }
|
|
3238
|
+
],
|
|
3239
|
+
"fix_suggestion": "Implement a complete data erasure endpoint that deletes all personal data when requested, with special priority for data collected from children. Do not soft-delete or archive — GDPR Article 17 requires actual erasure unless a legal retention obligation applies.",
|
|
3240
|
+
"penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
|
|
3241
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
|
|
3242
|
+
"packs": ["gdpr-art8"],
|
|
3243
|
+
"fixability": "guided",
|
|
3244
|
+
"transform_type": null,
|
|
3245
|
+
"scaffold_id": null,
|
|
3246
|
+
"guidance_url": "https://gdpr-info.eu/art-17-gdpr/"
|
|
3247
|
+
},
|
|
3248
|
+
{
|
|
3249
|
+
"id": "dpdp-tracking-ban-001",
|
|
3250
|
+
"name": "Tracking SDK Active for Under-18 Users",
|
|
3251
|
+
"severity": "critical",
|
|
3252
|
+
"confidence": "high",
|
|
3253
|
+
"category": "tracking",
|
|
3254
|
+
"description": "India DPDP Act Section 9(3) imposes a BLANKET BAN on tracking, behavioral monitoring, AND targeted advertising for anyone under 18. No consent override permitted. This is the strictest framework globally.",
|
|
3255
|
+
"patterns": [
|
|
3256
|
+
{ "pattern": "(?:import|require|from)\\s+.*(?:google-analytics|@google-analytics|react-ga|ga4|gtag|GoogleAnalytics)", "flags": "gi" },
|
|
3257
|
+
{ "pattern": "(?:import|require|from)\\s+.*(?:mixpanel|@mixpanel|amplitude|segment|heap|fullstory|hotjar)", "flags": "gi" },
|
|
3258
|
+
{ "pattern": "(?:import|require|from)\\s+.*(?:@facebook\\/pixel|fbq|facebook-pixel|fb-pixel)", "flags": "gi" },
|
|
3259
|
+
{ "pattern": "FirebaseAnalytics\\.(?:getInstance|logEvent|setUserId|setUserProperty)", "flags": "gi" },
|
|
3260
|
+
{ "pattern": "(?:gtag|ga|_gaq|dataLayer)\\.(?:push|send|event|config)\\s*\\(", "flags": "gi" },
|
|
3261
|
+
{ "pattern": "(?:mixpanel|amplitude|analytics|segment)\\.(?:track|identify|init|page|screen)\\s*\\(", "flags": "gi" },
|
|
3262
|
+
{ "pattern": "(?:Adjust|AppsFlyer|Branch|Kochava|Singular)\\.(?:trackEvent|logEvent|init|start)", "flags": "gi" }
|
|
3263
|
+
],
|
|
3264
|
+
"fix_suggestion": "Under India's DPDP Act Section 9(3), ANY tracking or behavioral monitoring for users under 18 is prohibited regardless of consent. Implement age-gating that completely disables all analytics, tracking, and ad SDKs for users under 18 in India.",
|
|
3265
|
+
"penalty": "Up to \u20b9250 crore (~$30M USD)",
|
|
3266
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
|
|
3267
|
+
"packs": ["india-dpdp"],
|
|
3268
|
+
"fixability": "guided",
|
|
3269
|
+
"transform_type": null,
|
|
3270
|
+
"scaffold_id": null,
|
|
3271
|
+
"guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
|
|
3272
|
+
},
|
|
3273
|
+
{
|
|
3274
|
+
"id": "dpdp-parental-consent-002",
|
|
3275
|
+
"name": "Data Processing Without Parental Consent for Under-18",
|
|
3276
|
+
"severity": "critical",
|
|
3277
|
+
"confidence": "medium",
|
|
3278
|
+
"category": "consent",
|
|
3279
|
+
"description": "India DPDP Act Section 9(1) requires verifiable parental consent for ALL personal data processing of anyone under 18. Unlike COPPA (under 13), this extends to teenagers.",
|
|
3280
|
+
"patterns": [
|
|
3281
|
+
{ "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|>=|>|===?|==)\\s*1[3-7](?!\\d)", "flags": "gi" },
|
|
3282
|
+
{ "pattern": "(?:isMinor|is_minor|isChild|is_child|isAdult|is_adult)\\s*(?:=|:).*(?:age|years?)\\s*(?:<|>=)\\s*1[3-7](?!\\d)", "flags": "gi" },
|
|
3283
|
+
{ "pattern": "(?:MINOR_AGE|CHILD_AGE|CONSENT_AGE)\\s*(?:=|:)\\s*1[3-7](?!\\d)", "flags": "gi" }
|
|
3284
|
+
],
|
|
3285
|
+
"fix_suggestion": "Under India's DPDP Act, the age of majority for data processing is 18 (not 13). Implement verifiable parental consent for ALL users under 18 when processing personal data for Indian users.",
|
|
3286
|
+
"penalty": "Up to \u20b9250 crore (~$30M USD)",
|
|
3287
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
|
|
3288
|
+
"packs": ["india-dpdp"],
|
|
3289
|
+
"fixability": "guided",
|
|
3290
|
+
"transform_type": null,
|
|
3291
|
+
"scaffold_id": "age-gate-auth",
|
|
3292
|
+
"guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
|
|
3293
|
+
},
|
|
3294
|
+
{
|
|
3295
|
+
"id": "dpdp-ad-targeting-003",
|
|
3296
|
+
"name": "Targeted Advertising to Under-18 Users",
|
|
3297
|
+
"severity": "critical",
|
|
3298
|
+
"confidence": "high",
|
|
3299
|
+
"category": "advertising",
|
|
3300
|
+
"description": "India DPDP Act Section 9(3) imposes an absolute ban on targeted advertising directed at anyone under 18. This cannot be overridden by parental consent.",
|
|
3301
|
+
"patterns": [
|
|
3302
|
+
{ "pattern": "(?:AdMob|adMob|admob|GoogleAds|google_ads)\\.(?:loadAd|showAd|requestAd|initialize)", "flags": "gi" },
|
|
3303
|
+
{ "pattern": "(?:import|require|from)\\s+.*(?:react-native-admob|@react-native-google-ads|expo-ads-admob)", "flags": "gi" },
|
|
3304
|
+
{ "pattern": "(?:personalized|targeted|behavioral)(?:Ad|_ad|Advertisement|_advertisement)\\s*(?:=|:)\\s*true", "flags": "gi" },
|
|
3305
|
+
{ "pattern": "(?:targetAudience|target_audience|adTarget|ad_target)\\s*(?:=|:).*(?:child|minor|kid|teen|youth|student)", "flags": "gi" }
|
|
3306
|
+
],
|
|
3307
|
+
"fix_suggestion": "Completely disable all targeted/personalized advertising for users under 18 in India. Only contextual (non-personalized) ads are permissible.",
|
|
3308
|
+
"penalty": "Up to \u20b9250 crore (~$30M USD)",
|
|
3309
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
|
|
3310
|
+
"packs": ["india-dpdp"],
|
|
3311
|
+
"fixability": "guided",
|
|
3312
|
+
"transform_type": null,
|
|
3313
|
+
"scaffold_id": null,
|
|
3314
|
+
"guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
|
|
3315
|
+
},
|
|
3316
|
+
{
|
|
3317
|
+
"id": "dpdp-behavioral-monitoring-004",
|
|
3318
|
+
"name": "Behavioral Monitoring of Under-18 Users",
|
|
3319
|
+
"severity": "critical",
|
|
3320
|
+
"confidence": "medium",
|
|
3321
|
+
"category": "monitoring",
|
|
3322
|
+
"description": "India DPDP Act Section 9(3) prohibits behavioral monitoring of children under 18. This includes session recording, heatmaps, scroll tracking, and engagement analytics.",
|
|
3323
|
+
"patterns": [
|
|
3324
|
+
{ "pattern": "(?:import|require|from)\\s+.*(?:hotjar|fullstory|logrocket|smartlook|mouseflow|clarity)", "flags": "gi" },
|
|
3325
|
+
{ "pattern": "(?:sessionReplay|session_replay|sessionRecording|session_recording|recordSession|record_session)", "flags": "gi" },
|
|
3326
|
+
{ "pattern": "(?:heatmap|heat_map|scrollMap|scroll_map|clickMap|click_map)\\.(?:init|start|track|enable)", "flags": "gi" },
|
|
3327
|
+
{ "pattern": "(?:dwellTime|dwell_time|timeOnPage|time_on_page|scrollDepth|scroll_depth)\\s*(?:=|:)", "flags": "gi" }
|
|
3328
|
+
],
|
|
3329
|
+
"fix_suggestion": "Under India's DPDP Act, behavioral monitoring of anyone under 18 is prohibited. Disable session recording, heatmaps, and engagement analytics for users under 18 in India.",
|
|
3330
|
+
"penalty": "Up to \u20b9250 crore (~$30M USD)",
|
|
3331
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
|
|
3332
|
+
"packs": ["india-dpdp"],
|
|
3333
|
+
"fixability": "guided",
|
|
3334
|
+
"transform_type": null,
|
|
3335
|
+
"scaffold_id": null,
|
|
3336
|
+
"guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
|
|
3337
|
+
},
|
|
3338
|
+
{
|
|
3339
|
+
"id": "dpdp-wellbeing-detriment-005",
|
|
3340
|
+
"name": "Processing Detrimental to Child's Well-Being",
|
|
3341
|
+
"severity": "high",
|
|
3342
|
+
"confidence": "low",
|
|
3343
|
+
"category": "wellbeing",
|
|
3344
|
+
"description": "India DPDP Act Section 9(2) prohibits any processing of children's data that is 'likely to cause any detrimental effect on the well-being of a child.' This broad provision covers addictive design, manipulative interfaces, and harmful content personalization.",
|
|
3345
|
+
"patterns": [
|
|
3346
|
+
{ "pattern": "(?:addictive|gamification|engagement[_-]?loop|retention[_-]?hook)\\s*(?:=|:)\\s*true", "flags": "gi" },
|
|
3347
|
+
{ "pattern": "(?:compulsionLoop|compulsion_loop|habitLoop|habit_loop|rewardLoop|reward_loop)", "flags": "gi" },
|
|
3348
|
+
{ "pattern": "(?:notificationFrequency|notification_frequency|pushInterval|push_interval)\\s*(?:=|:)\\s*(?:[0-9]+)", "flags": "gi" }
|
|
3349
|
+
],
|
|
3350
|
+
"fix_suggestion": "Review all data processing that involves children for potential detrimental effects on well-being. This includes addictive design patterns, engagement loops, and excessive notifications.",
|
|
3351
|
+
"penalty": "Up to \u20b9250 crore (~$30M USD)",
|
|
3352
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
|
|
3353
|
+
"packs": ["india-dpdp"],
|
|
3354
|
+
"fixability": "flag-only",
|
|
3355
|
+
"transform_type": null,
|
|
3356
|
+
"scaffold_id": null,
|
|
3357
|
+
"guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
|
|
3358
|
+
},
|
|
3359
|
+
{
|
|
3360
|
+
"id": "lgpd-best-interest-001",
|
|
3361
|
+
"name": "Non-Essential Data Collection from Children (Under 12)",
|
|
3362
|
+
"severity": "high",
|
|
3363
|
+
"confidence": "medium",
|
|
3364
|
+
"category": "data-minimization",
|
|
3365
|
+
"description": "LGPD Article 14 requires processing of children's (under 12) data to be in their 'best interest.' Collecting non-essential data (location, behavioral tracking, device identifiers) even with consent violates this standard.",
|
|
3366
|
+
"patterns": [
|
|
3367
|
+
{ "pattern": "(?:import|require|from)\\s+.*(?:@react-native-community\\/geolocation|expo-location|react-native-geolocation)", "flags": "gi" },
|
|
3368
|
+
{ "pattern": "navigator\\.geolocation\\.(?:getCurrentPosition|watchPosition)", "flags": "gi" },
|
|
3369
|
+
{ "pattern": "(?:advertisingId|advertising_id|IDFA|GAID|AAID|adId|ad_id)\\s*(?:=|:)", "flags": "gi" }
|
|
3370
|
+
],
|
|
3371
|
+
"fix_suggestion": "Under LGPD Article 14, only collect data that is strictly necessary and in the child's best interest. Location data, device identifiers, and behavioral tracking are generally not in a child's best interest unless directly required for the service.",
|
|
3372
|
+
"penalty": "Up to 2% of revenue, capped at R$50 million per violation",
|
|
3373
|
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
|
|
3374
|
+
"packs": ["brazil-lgpd"],
|
|
3375
|
+
"fixability": "flag-only",
|
|
3376
|
+
"transform_type": null,
|
|
3377
|
+
"scaffold_id": null,
|
|
3378
|
+
"guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
|
|
3379
|
+
},
|
|
3380
|
+
{
|
|
3381
|
+
"id": "lgpd-data-gated-gameplay-002",
|
|
3382
|
+
"name": "Data Collection Gated Behind Gameplay",
|
|
3383
|
+
"severity": "high",
|
|
3384
|
+
"confidence": "medium",
|
|
3385
|
+
"category": "consent",
|
|
3386
|
+
"description": "LGPD Article 14 \u00a74 prohibits conditioning game/app participation on providing excess personal data. Children must not be required to share data beyond what is necessary to participate.",
3387
+
"patterns": [
3388
+
{ "pattern": "(?:requiredToPlay|required_to_play|mustProvide|must_provide|gateContent|gate_content).*(?:email|phone|name|address|school)", "flags": "gi" },
3389
+
{ "pattern": "(?:levelLocked|level_locked|contentLocked|content_locked|featureLocked|feature_locked).*(?:register|signup|sign_up|provide|share)", "flags": "gi" },
3390
+
{ "pattern": "(?:unlockWithData|unlock_with_data|dataWall|data_wall|registrationWall|registration_wall)", "flags": "gi" }
3391
+
],
3392
+
"fix_suggestion": "Do not gate game features, levels, or content behind data collection requirements. Under LGPD Article 14 \u00a74, children's participation cannot be conditioned on providing excess personal data.",
3393
+
"penalty": "Up to 2% of revenue, capped at R$50 million per violation",
3394
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3395
+
"packs": ["brazil-lgpd"],
3396
+
"fixability": "flag-only",
3397
+
"transform_type": null,
3398
+
"scaffold_id": null,
3399
+
"guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
3400
+
},
3401
+
{
3402
+
"id": "lgpd-parental-consent-003",
3403
+
"name": "Missing Parental Consent for Under-12 Data Processing",
3404
+
"severity": "critical",
3405
+
"confidence": "medium",
3406
+
"category": "consent",
3407
+
"description": "LGPD Article 14 \u00a71 requires at least one parent or legal guardian to provide specific and highlighted consent for processing children's (under 12) personal data.",
3408
+
"patterns": [
3409
+
{ "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|===?|==)\\s*1[2-3](?!\\d)(?!.*(?:parent|guardian|responsavel))", "flags": "gi" },
3410
+
{ "pattern": "(?:childConsent|child_consent|minorConsent|minor_consent)\\s*(?:=|:)\\s*(?:true|false)", "flags": "gi" }
3411
+
],
3412
+
"fix_suggestion": "For Brazilian users under 12, implement verifiable parental or guardian consent before processing any personal data. LGPD requires this consent to be 'specific and highlighted.'",
3413
+
"penalty": "Up to 2% of revenue, capped at R$50 million per violation",
3414
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3415
+
"packs": ["brazil-lgpd"],
3416
+
"fixability": "guided",
3417
+
"transform_type": null,
3418
+
"scaffold_id": "age-gate-auth",
3419
+
"guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
3420
+
},
3421
+
{
3422
+
"id": "lgpd-adolescent-rights-004",
3423
+
"name": "Adolescent Data Processing Without Rights Safeguards",
3424
+
"severity": "medium",
3425
+
"confidence": "low",
3426
+
"category": "consent",
3427
+
"description": "Brazil's LGPD and supplementary regulations distinguish between children (under 12) and adolescents (12-18). Adolescents have additional rights including being consulted about data processing and receiving age-appropriate explanations.",
3428
+
"patterns": [
3429
+
{ "pattern": "(?:teenConsent|teen_consent|adolescentConsent|adolescent_consent)\\s*(?:=|:)\\s*(?:true|false)", "flags": "gi" },
3430
+
{ "pattern": "(?:age|userAge)\\s*>=\\s*12\\s*&&\\s*(?:age|userAge)\\s*<\\s*18", "flags": "gi" }
3431
+
],
3432
+
"fix_suggestion": "For Brazilian adolescents (12-18), ensure data processing includes age-appropriate explanations and respects their right to be consulted. LGPD Article 14 \u00a76 requires notices understandable by the child themselves.",
3433
+
"penalty": "Up to 2% of revenue, capped at R$50 million per violation",
3434
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3435
+
"packs": ["brazil-lgpd"],
3436
+
"fixability": "flag-only",
3437
+
"transform_type": null,
3438
+
"scaffold_id": null,
3439
+
"guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
3440
+
},
3441
+
{
3442
+
"id": "pipeda-behavioral-ads-001",
3443
+
"name": "Behavioral Advertising Tracker in Minor-Facing Code",
3444
+
"severity": "high",
3445
+
"confidence": "high",
3446
+
"category": "advertising",
3447
+
"description": "OPC position: behavioral advertising to children may be deemed inherently inappropriate under PIPEDA Section 5(3) 'reasonable person' test, regardless of consent obtained.",
3448
+
"patterns": [
3449
+
{ "pattern": "(?:import|require|from)\\s+.*(?:facebook-pixel|fbq|@facebook|fb-sdk)", "flags": "gi" },
3450
+
{ "pattern": "(?:import|require|from)\\s+.*(?:google-ads|@google-ads|doubleclick|dv360)", "flags": "gi" },
3451
+
{ "pattern": "(?:import|require|from)\\s+.*(?:amplitude|mixpanel|segment\\/analytics)", "flags": "gi" },
3452
+
{ "pattern": "(?:retargeting|remarketing|lookalike|custom[_-]?audience)\\s*(?:=|:)\\s*true", "flags": "gi" }
3453
+
],
3454
+
"fix_suggestion": "The OPC considers behavioral advertising to children inherently inappropriate. Remove behavioral ad trackers from code paths serving users under 13, and review for users 13-17.",
3455
+
"penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
3456
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3457
+
"packs": ["canada-pipeda"],
3458
+
"fixability": "guided",
3459
+
"transform_type": null,
3460
+
"scaffold_id": null,
3461
+
"guidance_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
3462
+
},
3463
+
{
3464
+
"id": "pipeda-meaningful-consent-002",
3465
+
"name": "Consent Flow Without Simplified Explanation for Teens",
3466
+
"severity": "medium",
3467
+
"confidence": "low",
3468
+
"category": "consent",
3469
+
"description": "PIPEDA meaningful consent guidelines require that teens (13-17) can understand the consequences of consent. Complex multi-step consent flows with dense legal text may fail the meaningful consent test.",
3470
+
"patterns": [
3471
+
{ "pattern": "(?:termsOfService|terms_of_service|privacyPolicy|privacy_policy|legalDisclosure|legal_disclosure)\\.(?:length|wordCount|readingLevel)", "flags": "gi" },
3472
+
{ "pattern": "(?:consentStep|consent_step|consentFlow|consent_flow|consentWizard|consent_wizard)\\s*(?:=|:)\\s*(?:[3-9]|\\d{2,})", "flags": "gi" },
3473
+
{ "pattern": "(?:simplifiedConsent|simplified_consent|easyRead|easy_read|childFriendly|child_friendly)\\s*(?:=|:)\\s*false", "flags": "gi" }
3474
+
],
3475
+
"fix_suggestion": "Ensure consent flows for teen users include simplified, age-appropriate explanations. The OPC requires that the individual can understand what they are consenting to — complex legal language fails this test for teens.",
3476
+
"penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
3477
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3478
+
"packs": ["canada-pipeda"],
3479
+
"fixability": "flag-only",
3480
+
"transform_type": null,
3481
+
"scaffold_id": null,
3482
+
"guidance_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
3483
+
},
3484
+
{
3485
+
"id": "pipeda-under13-consent-003",
3486
+
"name": "Missing Parental Consent for Under-13 Data Collection",
3487
+
"severity": "critical",
3488
+
"confidence": "medium",
3489
+
"category": "consent",
3490
+
"description": "OPC position: children under 13 cannot provide meaningful consent. Parental consent is required for all personal data collection from users under 13.",
3491
+
"patterns": [
3492
+
{ "pattern": "(?:createAccount|create_account|signUp|sign_up|registerUser|register_user|userRegistration|user_registration)\\s*\\((?!.*(?:parent|guardian|verif))", "flags": "gi" },
3493
+
{ "pattern": "(?:collectData|collect_data|saveProfile|save_profile|storeUser|store_user)\\s*\\((?!.*(?:consent|parent|guardian))", "flags": "gi" }
3494
+
],
3495
+
"fix_suggestion": "Implement verifiable parental consent before collecting any personal data from users under 13 in Canada.",
3496
+
"penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
3497
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3498
+
"packs": ["canada-pipeda"],
3499
+
"fixability": "guided",
3500
+
"transform_type": null,
3501
+
"scaffold_id": "age-gate-auth",
3502
+
"guidance_url": "https://www.priv.gc.ca/en/privacy-topics/business-privacy/bus_kids/02_05_d_62_tips/"
3503
+
},
3504
+
{
3505
+
"id": "pipeda-reasonable-purpose-004",
3506
+
"name": "Data Collection Beyond Reasonable Purpose for Minors",
3507
+
"severity": "medium",
3508
+
"confidence": "low",
3509
+
"category": "purpose-limitation",
3510
+
"description": "PIPEDA Section 5(3) requires that data collection serve purposes a 'reasonable person' would consider appropriate. For minors, the OPC applies a higher standard — marketing, profiling, and engagement optimization may fail this test.",
3511
+
"patterns": [
3512
+
{ "pattern": "(?:marketingConsent|marketing_consent|promotionalEmails|promotional_emails)\\s*(?:=|:)\\s*true.*(?:child|minor|kid|teen|student|youth)", "flags": "gi" },
3513
+
{ "pattern": "(?:engagementOptimization|engagement_optimization|retentionOptimization|retention_optimization).*(?:child|minor|kid|teen|student)", "flags": "gi" }
3514
+
],
3515
+
"fix_suggestion": "Review all data collection purposes for minors against the 'reasonable person' test. Marketing, profiling, and engagement optimization for children may be deemed inappropriate under PIPEDA.",
3516
+
"penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
3517
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3518
+
"packs": ["canada-pipeda"],
3519
+
"fixability": "flag-only",
3520
+
"transform_type": null,
3521
+
"scaffold_id": null,
3522
+
"guidance_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
3523
+
},
3524
+
{
3525
+
"id": "pipa-parental-consent-001",
3526
+
"name": "Missing Parental Consent for Under-14 Data Collection",
3527
+
"severity": "critical",
3528
+
"confidence": "medium",
3529
+
"category": "consent",
3530
+
"description": "South Korea PIPA Article 22-2 requires parental/guardian consent for processing personal data of children under 14. This extends COPPA's threshold by one year — children aged 13 need parental consent in South Korea.",
3531
+
"patterns": [
3532
+
{ "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|===?|==)\\s*13(?!\\d)(?!.*(?:parent|guardian|legal))", "flags": "gi" },
3533
+
{ "pattern": "(?:CONSENT_AGE|MINOR_AGE|CHILD_AGE)\\s*(?:=|:)\\s*13(?!\\d)", "flags": "gi" },
3534
+
{ "pattern": "(?:isMinor|is_minor|isChild|is_child)\\s*(?:=|:).*age\\s*<\\s*13(?!\\d)", "flags": "gi" }
3535
+
],
3536
+
"fix_suggestion": "For South Korean users, parental consent is required for children under 14 (not under 13 as in COPPA). Update age thresholds to 14 for Korean deployments.",
3537
+
"penalty": "Up to 3% of global revenue",
3538
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3539
+
"packs": ["south-korea-pipa"],
3540
+
"fixability": "guided",
3541
+
"transform_type": null,
3542
+
"scaffold_id": "age-gate-auth",
3543
+
"guidance_url": "https://iclg.com/practice-areas/data-protection-laws-and-regulations/korea"
3544
+
},
3545
+
{
3546
+
"id": "pipa-child-notice-002",
3547
+
"name": "Privacy Notice Without Child-Appropriate Language (Under 14)",
3548
+
"severity": "high",
3549
+
"confidence": "low",
3550
+
"category": "transparency",
3551
+
"description": "South Korea PIPA Article 39-3 \u00a75 requires privacy information to be presented in clear, understandable language for children under 14. Generic adult privacy policies fail this requirement.",
3552
+
"patterns": [
3553
+
{ "pattern": "(?:privacyPolicy|privacy_policy|termsUrl|terms_url|privacyUrl|privacy_url)\\s*(?:=|:)\\s*['\"](?:https?:\\/\\/|\\/)(?!.*(?:child|kid|minor|simple|easy))", "flags": "gi" },
3554
+
{ "pattern": "(?:showPrivacyPolicy|show_privacy_policy|displayTerms|display_terms)\\s*\\((?!.*(?:simplified|childFriendly|child_friendly|easyRead))", "flags": "gi" }
3555
+
],
3556
+
"fix_suggestion": "Provide a separate, simplified privacy notice written in clear language understandable by children under 14. Do not present adult legal text as the sole privacy information.",
3557
+
"penalty": "Up to 3% of global revenue",
3558
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3559
+
"packs": ["south-korea-pipa"],
3560
+
"fixability": "flag-only",
3561
+
"transform_type": null,
3562
+
"scaffold_id": null,
3563
+
"guidance_url": "https://www.kimchang.com/en/insights/detail.kc?sch_section=4&idx=25476"
3564
+
},
3565
+
{
3566
+
"id": "pipa-data-retention-003",
3567
+
"name": "Data Retained Beyond Service Period for Minors",
3568
+
"severity": "medium",
3569
+
"confidence": "low",
3570
+
"category": "retention",
3571
+
"description": "South Korea PIPA requires that personal information of children be deleted without delay when the purpose of collection has been achieved. Extended retention of children's data requires justification.",
3572
+
"patterns": [
3573
+
{ "pattern": "(?:retentionPeriod|retention_period|dataRetention|data_retention|keepFor|keep_for)\\s*(?:=|:)\\s*(?:['\"](?:forever|indefinite|unlimited)['\"]|(?:365|730|1095|\\d{4,}))", "flags": "gi" },
3574
+
{ "pattern": "(?:neverDelete|never_delete|permanentStore|permanent_store|archiveForever|archive_forever)", "flags": "gi" }
3575
+
],
3576
+
"fix_suggestion": "Delete children's personal data promptly when the purpose of collection is achieved. Do not retain children's data indefinitely. Implement automatic retention limits.",
3577
+
"penalty": "Up to 3% of global revenue",
3578
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3579
+
"packs": ["south-korea-pipa"],
3580
+
"fixability": "flag-only",
3581
+
"transform_type": null,
3582
+
"scaffold_id": null,
3583
+
"guidance_url": "https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2026/south-korea/trends-and-developments"
3584
+
},
3585
+
{
3586
+
"id": "behavioral-social-metrics-001",
3587
+
"name": "Social Comparison Metrics Visible to Minors",
3588
+
"severity": "high",
3589
+
"confidence": "medium",
3590
+
"category": "social-comparison",
3591
+
"description": "Displaying like counts, follower counts, or leaderboard rankings to children enables social comparison, which the AAP and WHO link to anxiety, depression, and self-esteem issues in minors.",
3592
+
"patterns": [
3593
+
{ "pattern": "(?<![a-zA-Z_])(?:likeCount|like_count|likesCount|likes_count|numLikes|num_likes|totalLikes|total_likes)\\s*(?:=|:)", "flags": "gi" },
3594
+
{ "pattern": "(?<![a-zA-Z_])(?:followerCount|follower_count|followersCount|followers_count|numFollowers|num_followers)\\s*(?:=|:)", "flags": "gi" },
3595
+
{ "pattern": "(?<![a-zA-Z_])(?:leaderboard|leader_board|leaderboardRank|leaderboard_rank|globalRank|global_rank)\\s*(?:=|:)", "flags": "gi" },
3596
+
{ "pattern": "(?<![a-zA-Z_])(?:viewCount|view_count|viewsCount|views_count|numViews|num_views|totalViews|total_views)\\s*(?:=|:)", "flags": "gi" },
3597
+
{ "pattern": "(?<![a-zA-Z_])(?:shareCount|share_count|repostCount|repost_count|retweetCount|retweet_count)\\s*(?:=|:)", "flags": "gi" }
3598
+
],
3599
+
"fix_suggestion": "Hide or disable social comparison metrics (likes, followers, view counts, leaderboards) for users under 18. Consider removing public metrics entirely or showing them only to the content creator.",
3600
+
"penalty": "Ethical design advisory \u2014 correlates with AADC Standard 5 (detrimental use), DSA Article 28, CAADCA dark pattern provisions",
3601
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3602
+
"packs": ["behavioral-design"],
3603
+
"fixability": "guided",
3604
+
"transform_type": null,
3605
+
"scaffold_id": null,
3606
+
"guidance_url": null
3607
+
},
3608
+
{
3609
+
"id": "behavioral-stopping-cues-002",
3610
+
"name": "Missing Natural Stopping Cues in Content Feed",
3611
+
"severity": "medium",
3612
+
"confidence": "low",
3613
+
"category": "stopping-cues",
3614
+
"description": "Content feeds, playlists, or game sessions without natural stopping points (end screens, session limits, break prompts) encourage compulsive use. AAP guidelines recommend built-in stopping cues for children's products.",
3615
+
"patterns": [
3616
+
{ "pattern": "(?:fetchNextPage|fetch_next_page|loadNextPage|load_next_page|getNextBatch|get_next_batch)\\s*\\((?!.*(?:limit|max|stop|break|pause|endOf|pagination|paginated|pageSize|page_size|LoadMore|loadMore|onClick|button))", "flags": "gi" },
3617
+
{ "pattern": "(?:hasNextPage|has_next_page|hasMore|has_more|canLoadMore|can_load_more)\\s*(?:&&|\\|\\||\\?)(?!.*(?:sessionLimit|session_limit|maxPages|max_pages|breakTime|break_time|pagination|paginated|pageSize|page_size|LoadMore|loadMore|button))", "flags": "gi" }
3618
+
],
3619
+
"fix_suggestion": "Implement natural stopping cues: end-of-content screens, session time limits, break prompts ('You've been watching for 30 minutes'), or 'Good Night' modes. Do not allow infinite content consumption without intervention.",
3620
+
"penalty": "Ethical design advisory \u2014 correlates with DSA Article 28 (addictive design), AADC Standard 5",
3621
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3622
+
"packs": ["behavioral-design"],
3623
+
"fixability": "flag-only",
3624
+
"transform_type": null,
3625
+
"scaffold_id": null,
3626
+
"guidance_url": null
3627
+
},
3628
+
{
3629
+
"id": "behavioral-parent-dashboard-003",
3630
+
"name": "Missing Parent Usage Dashboard",
3631
+
"severity": "low",
3632
+
"confidence": "low",
3633
+
"category": "parental-oversight",
3634
+
"description": "Children's products should include a parent-facing dashboard showing usage statistics, time spent, and content accessed. This dashboard should be PIN-protected and not invasively profile the child.",
3635
+
"patterns": [
3636
+
{ "pattern": "(?:parentDashboard|parent_dashboard|parentalDashboard|parental_dashboard|parentPortal|parent_portal|familyDashboard|family_dashboard)", "flags": "gi" },
3637
+
{ "pattern": "(?:parentalControls|parental_controls|parentalSettings|parental_settings|familySettings|family_settings)\\s*(?:=|:)", "flags": "gi" },
3638
+
{ "pattern": "(?:usageReport|usage_report|screenTime|screen_time|activityLog|activity_log)\\s*(?:=|:).*(?:parent|guardian|family)", "flags": "gi" }
3639
+
],
3640
+
"fix_suggestion": "Implement a PIN-protected parent dashboard showing usage time, content accessed, and activity summaries. Ensure the dashboard provides oversight without invasive psychometric profiling of the child.",
3641
+
"penalty": "Positive design advisory \u2014 correlates with AADC Standard 11 (parental controls), AADCA parental tools requirement",
3642
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3643
+
"packs": ["behavioral-design"],
3644
+
"fixability": "flag-only",
3645
+
"transform_type": null,
3646
+
"scaffold_id": null,
3647
+
"guidance_url": null
3648
+
},
3649
+
{
3650
+
"id": "behavioral-loot-boxes-004",
3651
+
"name": "Randomized Reward with Real-Money Purchase",
3652
+
"severity": "critical",
3653
+
"confidence": "high",
3654
+
"category": "gambling-mechanics",
3655
+
"description": "Loot boxes and gacha mechanics that combine randomized rewards with real-money purchases exploit variable-ratio reinforcement schedules. Multiple jurisdictions (Belgium, Netherlands, Australia) have classified these as gambling when targeting children.",
3656
+
"patterns": [
3657
+
{ "pattern": "(?:lootBox|loot_box|lootCrate|loot_crate|mysteryBox|mystery_box|gachapon|gacha)", "flags": "gi" },
3658
+
{ "pattern": "Math\\.random\\s*\\(\\s*\\).*(?:reward|prize|loot|gem|coin|crystal|diamond)(?!.*(?:backdrop|background|color|theme|sample|shuffle|select|choose))", "flags": "gi" },
3659
+
{ "pattern": "(?:rarityTable|rarity_table|dropRate|drop_rate|lootTable|loot_table)\\s*(?:=|:)", "flags": "gi" },
3660
+
{ "pattern": "(?:spinWheel|spin_wheel|wheelOfFortune|wheel_of_fortune|slotMachine|slot_machine|luckyDraw|lucky_draw)", "flags": "gi" },
3661
+
{ "pattern": "(?:purchase|buy|spend|deduct).*(?:\\$|price|cost|gem|coin|crystal|diamond|currency).*(?:random|chance|luck|rare|legendary|epic)", "flags": "gi" }
3662
+
],
3663
+
"fix_suggestion": "Do not combine randomized rewards with real-money purchases in children's products. Show exact contents before purchase, or use fixed reward systems. Multiple jurisdictions classify loot boxes as gambling when targeting children.",
3664
+
"penalty": "Varies by jurisdiction \u2014 Belgium banned (criminal sanctions), Netherlands fined (up to \u20ac10M), Australia under review",
3665
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3666
+
"packs": ["behavioral-design"],
3667
+
"fixability": "flag-only",
3668
+
"transform_type": null,
3669
+
"scaffold_id": null,
3670
+
"guidance_url": null
3671
+
},
3672
+
{
3673
+
"id": "AU-OSA-013",
3674
+
"name": "Social Media Account Allowing Under-16 Registration (Australia)",
3675
+
"severity": "critical",
3676
+
"confidence": "medium",
3677
+
"category": "age-gating",
3678
+
"description": "Australia's Social Media Minimum Age Act 2024 prohibits users under 16 from holding social media accounts, effective December 10, 2025. Parental consent CANNOT override this ban. Platforms must take 'reasonable steps' to prevent under-16 registration.",
3679
+
"patterns": [
3680
+
{ "pattern": "(?:minimumAge|minimum_age|minAge|min_age|ageLimit|age_limit)\\s*(?:=|:)\\s*(?:13|14|15)(?!\\d)", "flags": "gi" },
3681
+
{ "pattern": "(?:age|userAge)\\s*(?:>=|>)\\s*(?:13|14|15)(?!\\d).*(?:allow|register|create|signup|sign_up)", "flags": "gi" },
3682
+
{ "pattern": "(?:ageCheck|age_check|verifyAge|verify_age|ageGate|age_gate).*(?:13|14|15)(?!\\d)", "flags": "gi" }
3683
+
],
3684
+
"fix_suggestion": "For Australian deployments, set minimum registration age to 16. Parental consent cannot override this requirement. Implement robust age verification \u2014 simple self-declaration is insufficient under the Act.",
3685
+
"penalty": "Up to A$49.5 million (150,000 penalty units)",
3686
+
"languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
3687
+
"packs": ["au-osa"],
3688
+
"fixability": "guided",
3689
+
"transform_type": null,
3690
+
"scaffold_id": "age-gate-auth",
3691
+
"guidance_url": "https://www.esafety.gov.au/about-us/industry-regulation/social-media-age-restrictions"
2998
3692
}
2999
3693
]
3000
3694
}