GDPR Art. 13(1)(c) and (e) require that users be told at collection time the purposes of processing and the recipients, or categories of recipients, of their data. The Article 29 Working Party's transparency guidelines (WP260) read this as a default to name the actual recipients, with categories acceptable only when they are specific enough to be meaningful; a privacy policy that says 'we use analytics partners' without naming Google Analytics, Amplitude, or Stripe does not meet that standard. GDPR Art. 28(3) requires a contract (a data processing agreement) with each processor, so the set of DPAs you hold is itself an inventory of your processors, and the disclosed list should match it. CCPA §1798.100(a) requires a notice at collection of the categories of personal information collected and the purposes of collection, and §1798.110(c) requires the privacy policy to list the categories of third parties to whom personal information is disclosed. A gap between disclosed and actually-integrated services is a common finding in regulatory audits.
Medium because the harm is indirect — undisclosed sharing doesn't cause immediate data loss — but a single regulator request for the third-party list turns the omission into a documented compliance failure.
Add a named third-party processor table to your privacy policy that lists every integrated vendor, the data categories it receives, and the processing purpose. Keep it synchronized with your actual integrations: a stale list is an affirmative misstatement, which is harder to defend than an omission. Example table for src/app/privacy/page.mdx or equivalent:
## Third-Party Data Processors
| Service | Data Received | Purpose | DPA |
|---------|---------------|---------|-----|
| Google Analytics | Page views, events, user ID | Usage analytics | [Link] |
| Stripe | Payment details, billing address | Payment processing | [Link] |
| SendGrid | Email address, engagement events | Transactional email | [Link] |
| AWS S3 | User-uploaded media | File storage | [Link] |
| Cloudflare | IP address, request headers | CDN, DDoS protection | [Link] |
Add a review step to your deployment checklist: 'Are all new third-party integrations reflected in the privacy policy processor table, and have removed integrations been taken out of it?'
ID: community-privacy-controls.consent.third-party-disclosure
Severity: medium
What to look for: Enumerate every third-party service that receives user data. Check the privacy policy document for a section listing third-party services that collect user data. Look for names of analytics providers (Google Analytics, Amplitude, Mixpanel), ad networks (Google Ads, Facebook, TikTok), and what data each receives. Verify the list matches what's actually integrated: installed SDKs, third-party script tags, and server-side API clients.
Pass criteria: All of the following conditions are met. Privacy policy includes a dedicated section disclosing every third-party data processor, with the name of the service, the data categories it receives, and the processing purpose. The list is accurate and matches the SDKs and services actually integrated.
Fail criteria: Privacy policy omits third-party services. Disclosure is vague ("we use analytics partners" without naming them). List doesn't match actual integrations. No data category information provided.
Skip (N/A) when: Never — third-party disclosure is a compliance requirement.
Detail on fail: Describe the disclosure gap. Example: "Privacy policy mentions 'analytics' generically but doesn't name Google Analytics or Mixpanel that are actually integrated." or "No mention of Stripe, AWS, or Cloudflare data processors."
Remediation: Add transparent third-party disclosure:
## Third-Party Data Processors
We work with the following services that may collect and process your data:
| Service | Data Collected | Purpose |
|---------|----------------|---------|
| Google Analytics | Page views, user ID, events, custom dimensions | Usage analytics |
| Stripe | Payment details, billing address | Payment processing |
| SendGrid | Email address, email engagement | Transactional email |
| AWS S3 | User-uploaded media | File storage |
| Cloudflare | IP address, request logs | CDN and DDoS protection |
Each service is bound by a data processing agreement (DPA) that restricts it to processing your data on our instructions and for the purposes listed above.
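The deployment-checklist question above and the rule's "verify the list matches what's actually integrated" check are both easier to enforce as a CI gate than as a manual review. The following is an added example, not code from the original page or from any project it describes: it derives the set of integrated vendors from package.json runtime dependencies and from third-party script URLs in source files, parses the vendor names out of the privacy policy's processor table, and reports the difference. The package-name and hostname maps and the sample inputs are constructed assumptions for illustration; extend the maps for your own stack and point the script at the real files.

```javascript
// Added example (not from the original page): a drift check comparing the
// third-party vendors the code actually integrates with the vendors named in
// the privacy policy's processor table. The maps and sample inputs below are
// constructed assumptions; in CI, feed it the real package.json, source
// tree, and privacy page instead.

// Assumed: npm packages that imply a data recipient the policy must name.
const PACKAGE_VENDORS = {
  "@amplitude/analytics-browser": "Amplitude",
  "mixpanel-browser": "Mixpanel",
  "react-ga4": "Google Analytics",
  "posthog-js": "PostHog",
  "@sentry/nextjs": "Sentry",
  "stripe": "Stripe",
  "@stripe/stripe-js": "Stripe",
  "@sendgrid/mail": "SendGrid",
  "@aws-sdk/client-s3": "AWS S3",
};

// Assumed: script hosts that imply a recipient even with no npm package
// (tag-manager snippets or hosted SDKs pasted into a layout).
const HOST_VENDORS = {
  "www.googletagmanager.com": "Google Analytics",
  "www.google-analytics.com": "Google Analytics",
  "js.stripe.com": "Stripe",
  "cdn.amplitude.com": "Amplitude",
  "connect.facebook.net": "Facebook",
  "analytics.tiktok.com": "TikTok",
};

// Vendors implied by runtime dependencies (devDependencies never ship to users).
function vendorsFromPackageJson(pkg) {
  const found = new Set();
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (PACKAGE_VENDORS[name]) found.add(PACKAGE_VENDORS[name]);
  }
  return found;
}

// Vendors implied by third-party script URLs found in source text.
function vendorsFromSource(sources) {
  const found = new Set();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  for (const text of sources) {
    for (const m of text.matchAll(urlRe)) {
      const host = m[1].toLowerCase();
      if (HOST_VENDORS[host]) found.add(HOST_VENDORS[host]);
    }
  }
  return found;
}

// First column of every data row in the markdown table that follows the
// "Third-Party Data Processors" heading; stops at the next heading.
function vendorsFromPolicy(markdown) {
  const found = new Set();
  const lines = markdown.split("\n");
  const start = lines.findIndex((l) => /^#+\s*Third-Party Data Processors/i.test(l));
  if (start === -1) return found;
  for (const line of lines.slice(start + 1)) {
    if (/^#+\s/.test(line)) break;
    if (!line.trim().startsWith("|")) continue;
    const cells = line.split("|").map((c) => c.trim());
    const first = cells[1]; // cells[0] is the empty text before the leading pipe
    if (!first || /^-+$/.test(first) || /^service$/i.test(first)) continue;
    found.add(first);
  }
  return found;
}

// undisclosed: integrated but not named in the policy (a compliance gap).
// undetected: named but not found in code; often infrastructure such as a
// CDN that leaves no npm footprint, so it is a review prompt, not a failure.
function auditDisclosure({ packageJson, sources, policyMarkdown }) {
  const integrated = new Set([...vendorsFromPackageJson(packageJson), ...vendorsFromSource(sources)]);
  const disclosed = vendorsFromPolicy(policyMarkdown);
  return {
    undisclosed: [...integrated].filter((v) => !disclosed.has(v)).sort(),
    undetected: [...disclosed].filter((v) => !integrated.has(v)).sort(),
  };
}

// CI gate: only an undisclosed vendor should fail the build.
function exitCodeFor(report) {
  return report.undisclosed.length === 0 ? 0 : 1;
}

// Constructed sample inputs standing in for the real repository.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "next": "14.2.0",
    "@amplitude/analytics-browser": "2.11.0",
    "@stripe/stripe-js": "4.0.0",
    "@sendgrid/mail": "8.1.0",
    "@aws-sdk/client-s3": "3.600.0",
  },
  devDependencies: { "mixpanel-browser": "2.50.0" }, // dev only: must not count
};
const SAMPLE_SOURCES = ['<Script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" />'];
const SAMPLE_POLICY = `## Third-Party Data Processors
| Service | Data Received | Purpose | DPA |
|---------|---------------|---------|-----|
| Google Analytics | Page views, events, user ID | Usage analytics | [Link] |
| Stripe | Payment details, billing address | Payment processing | [Link] |
| SendGrid | Email address, engagement events | Transactional email | [Link] |
| AWS S3 | User-uploaded media | File storage | [Link] |
| Cloudflare | IP address, request headers | CDN, DDoS protection | [Link] |
## Your Rights
`;

const SAMPLE_REPORT = auditDisclosure({
  packageJson: SAMPLE_PACKAGE_JSON,
  sources: SAMPLE_SOURCES,
  policyMarkdown: SAMPLE_POLICY,
});
console.log(JSON.stringify(SAMPLE_REPORT, null, 2)); // Amplitude undisclosed, Cloudflare undetected
```

On the constructed inputs the report flags Amplitude as undisclosed (an npm dependency with no row in the table) and Cloudflare as undetected (in the table, but invisible to dependency and script scanning), and the exit code is 1. Only the undisclosed side should fail a build; the undetected side is a prompt to confirm the vendor is still in use, since infrastructure providers rarely leave a footprint the scanner can see.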