GDPR Art. 13(1)(e) requires that the recipients or categories of recipients of personal data be disclosed at the time the data is collected. CCPA §1798.115 gives consumers the right to know what personal information is sold or shared and to whom. An extension that sends user data to Google Analytics, Sentry, or a custom analytics backend without disclosing this in its privacy policy violates both laws, and also Chrome Web Store policy, which requires the data-use and sharing disclosures in the store listing to match what the extension actually does. Users who install an extension believing it processes data locally have a reasonable expectation that is broken the moment data silently leaves their device; an error-tracking SDK counts here just as much as an analytics beacon, because crash reports routinely carry page URLs, stack traces, and other user-derived content.
High because undisclosed third-party data sharing is a standalone GDPR and CCPA violation: transparency failures are enforceable on their own, so silent transmission to unnamed third parties can draw investigation and fines without any data breach having occurred.
Add a "Third-Party Services" section to your PRIVACY.md or hosted privacy policy, naming every external service your extension contacts:
## Third-Party Services
This extension sends anonymized usage data to:
- **Sentry** (error tracking): https://sentry.io/privacy/
- **Google Analytics** (usage statistics): https://policies.google.com/privacy
We do NOT sell user data to any third party.
Also update the Chrome Web Store listing's "Privacy practices" section to reflect each third party named above, and describe what each service actually receives (for example, error reports sent to Sentry typically contain stack traces and the page URL, which is not "anonymized usage data"). If a service is used only during development (e.g., a local error logger), confirm it is disabled and its endpoint stripped from production builds before shipping.
ID: extension-data-privacy.privacy-disclosures.data-sharing-disclosed
Severity: high
What to look for: Read the privacy policy file or text (if provided in the codebase, e.g., PRIVACY.md). Search for sections covering third-party sharing, data sales, or external API calls. Then enumerate where data actually leaves the extension: host_permissions and optional_host_permissions in manifest.json, fetch/XMLHttpRequest/navigator.sendBeacon and WebSocket calls in background, content, and popup scripts, remotely loaded SDKs, and vendor configuration such as analytics measurement IDs or Sentry DSNs. Cover analytics, error tracking, cloud sync, CDNs, and any custom backend.
Pass criteria: Count all third-party services detected in the codebase (analytics, error tracking, CDN, APIs). The privacy policy explicitly states whether data is shared with third parties. If third-party services are used, 100% of them must be named (by vendor name or domain) and each vendor's privacy policy linked. If no data is shared, the policy clearly states that data stays on the device.
Fail criteria: Privacy policy is silent on data sharing. No disclosure of third-party tools. Privacy policy exists but does not address whether data is sold, shared, or transmitted externally.
Skip (N/A) when: Never — disclosure is required by app store policies and regulations (GDPR, CCPA).
Detail on fail: Describe the gap. Example: "Privacy policy does not mention that user data is sent to Google Analytics and Sentry for error tracking" or "Policy is generic and does not disclose any data sharing practices. Does not clarify whether user data remains on-device or is sent to servers."
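The following is an added audit helper that automates the "What to look for" and pass criteria above; it is not part of this rule set or of any extension project. It collects every external host from the manifest's host permission patterns and from URL literals in the source files, then checks each host against the policy text, requiring either the domain, a parent domain, or a known vendor name to appear together with a linked policy URL. The VENDOR_ALIASES table is an assumption you extend for your own vendors, and the sample manifest, background script, and policy text are constructed for illustration.

```python
"""Added audit helper for rule
extension-data-privacy.privacy-disclosures.data-sharing-disclosed (not part of
the rule set or of any extension project): list every external host a Chrome
extension contacts and check that the privacy policy names and links each one.
The alias table and the sample extension/policy below are constructed for
illustration; extend VENDOR_ALIASES for the vendors your codebase uses."""
import json
import re
from urllib.parse import urlparse

# Hosts that never leave the user's machine; not a third party.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}

# Assumed starter table: a policy may name the vendor instead of the domain.
VENDOR_ALIASES = {
    "google-analytics.com": ["google analytics"],
    "sentry.io": ["sentry"],
}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# Used only when no external host was found: the policy must say data is not shared.
NO_SHARING_RE = re.compile(r"\b(not|never|no)\b[^.\n]*\b(shared?|sent|transmit|sold|sell)",
                           re.IGNORECASE)


def _host_of(url):
    """Hostname of a URL or manifest match pattern, without port, userinfo or a
    leading wildcard ('https://*.ingest.sentry.io/*' -> 'ingest.sentry.io')."""
    return (urlparse(url).hostname or "").lower().lstrip("*.")


def extract_external_hosts(files):
    """files: {path: text}. Takes host patterns from manifest.json permission keys
    and every http(s) URL literal in other files; returns the non-local hosts.
    Patterns without a host (e.g. '<all_urls>') are skipped and need manual review."""
    hosts = set()
    for path, text in files.items():
        if path.endswith("manifest.json"):
            manifest = json.loads(text)
            for key in ("host_permissions", "optional_host_permissions", "permissions"):
                hosts.update(_host_of(p) for p in manifest.get(key, []) if p.startswith("http"))
        else:
            hosts.update(_host_of(u) for u in URL_RE.findall(text))
    return {h for h in hosts if h and h not in LOCAL_HOSTS}


def _parent_domains(host):
    """'o123.ingest.sentry.io' -> itself, 'ingest.sentry.io', 'sentry.io'."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def check_disclosure(hosts, policy_text):
    """Apply the pass criteria. A host counts as disclosed when the policy mentions
    it, a parent domain, or a known vendor alias; it is 'unlinked' when neither the
    naming line nor the next one carries a URL (each vendor policy must be linked).
    With no external hosts, the policy must state that data is not shared or sent."""
    lines = policy_text.lower().splitlines()
    disclosed, undisclosed, unlinked = {}, [], []
    for host in sorted(hosts):
        terms = _parent_domains(host)
        for domain in list(terms):
            terms += VENDOR_ALIASES.get(domain, [])
        idx = next((i for i, line in enumerate(lines) if any(t in line for t in terms)), None)
        if idx is None:
            undisclosed.append(host)
            continue
        disclosed[host] = next(t for t in terms if t in lines[idx])
        if not URL_RE.search(" ".join(lines[idx:idx + 2])):
            unlinked.append(host)
    if hosts:
        ok = not undisclosed and not unlinked
    else:
        ok = NO_SHARING_RE.search(policy_text) is not None
    return {"pass": ok, "disclosed": disclosed, "undisclosed": undisclosed, "unlinked": unlinked}


# Constructed sample extension (not a real project) used to exercise the check.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "host_permissions": ["https://api.example-sync.com/*", "https://*.ingest.sentry.io/*"],
        "permissions": ["storage"],
    }),
    "background.js": """
        fetch("https://www.google-analytics.com/mp/collect?measurement_id=G-EXAMPLE", {method: "POST"});
        const DSN = "https://abc123@o123.ingest.sentry.io/4";
        if (DEBUG) fetch("http://localhost:8080/debug");   // dev only, not a third party
    """,
}
# Constructed policy: names Sentry and Google Analytics but not the sync backend.
SAMPLE_POLICY = """## Third-Party Services
This extension sends anonymized usage data to:
- **Sentry** (error tracking): https://sentry.io/privacy/
- **Google Analytics** (usage statistics): https://policies.google.com/privacy
We do NOT sell user data to any third party.
"""

if __name__ == "__main__":
    found = extract_external_hosts(SAMPLE_FILES)
    print(json.dumps(check_disclosure(found, SAMPLE_POLICY), indent=2))
```

Run against the constructed sample, the check fails with api.example-sync.com listed as undisclosed while both Sentry hosts and the Google Analytics host are matched through the domain or the vendor alias. The alias table is the part that needs care in practice: matching on the vendor name alone is lenient by design, so treat a match through an alias as a prompt to confirm that the policy text really describes the same service, and keep the list small so a generic word cannot satisfy the check by accident.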
Remediation: Add a "Third-Party Services" section to your privacy policy:
## Third-Party Services
This extension uses the following third-party services:
- **Google Analytics**: For anonymized usage statistics.
See Google's privacy policy: https://policies.google.com/privacy
We do NOT sell user data to any third party.
Set the privacy policy URL in the Chrome Web Store Developer Dashboard and update the store listing's privacy practices disclosures to match the services named in the policy (manifest.json has no field for the policy; the store listing is where reviewers and users look for it).