Users can opt out of optional telemetry or usage statistics
Why it matters
GDPR Art. 7(3) grants users the right to withdraw consent at any time; CCPA §1798.120 gives users the right to opt out of data collection. An extension that enables telemetry or analytics with no opt-out mechanism denies users these rights by design. The ePrivacy Directive Art. 5(3) specifically covers tracking mechanisms in software — non-essential analytics require prior consent in the EU. Chrome Web Store policy reinforces this: data collected beyond core functionality must be disclosed and controllable. Extensions with hidden or irremovable analytics are a frequent source of negative reviews and one-star ratings that permanently damage store placement.
Severity rationale
Medium because always-on telemetry without an opt-out violates GDPR Art. 7(3) and CCPA §1798.120 user control rights — the harm scales with user count, and a single store review complaint can trigger a policy audit.
Remediation
Add a clearly labeled telemetry toggle to your options.html, defaulting to disabled:
    <label>
      <input type="checkbox" id="optInTelemetry" />
      Share anonymous usage data to help improve this extension
      <a href="/privacy#analytics" target="_blank">(what we collect)</a>
    </label>
Gate every analytics call behind the stored preference:
    // Read the stored preference; send only when the user has explicitly opted in.
    chrome.storage.local.get(['optInTelemetry'], ({ optInTelemetry }) => {
      if (optInTelemetry === true) {
        analytics.track('feature_used', eventData);
      }
    });
Never send analytics on the first run before the user has seen and set the toggle. Cross-reference analytics-disclosed to ensure whatever you do send is named in the privacy policy.
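One way to keep every call gated is to route all events through a single fail-closed wrapper. The following is an added example, not code from the original page: `createTelemetryGate`, `memoryStorage` and `demo` are hypothetical names, and `memoryStorage` is a constructed stand-in so the block runs outside a browser. In a Manifest V3 extension, pass `chrome.storage.local` (promise form) as `storage` and your analytics call as `send`.

```javascript
const KEY = 'optInTelemetry'; // same key as the options-page checkbox

// storage: object with promise-based get(keys)/set(items), e.g. chrome.storage.local
// send:    (name, data) => void, e.g. (n, d) => analytics.track(n, d)
function createTelemetryGate(storage, send) {
  async function isOptedIn() {
    try {
      const stored = await storage.get([KEY]);
      // Strict check: undefined (first run), "true", 1 and so on all mean "no".
      return stored[KEY] === true;
    } catch (err) {
      return false; // storage read failed: fail closed, send nothing
    }
  }
  return {
    isOptedIn,
    // The only function the rest of the code base should call to emit events.
    async track(name, data = {}) {
      if (!(await isOptedIn())) return false;
      send(name, data);
      return true;
    },
    // Call from the checkbox "change" handler; stores a real boolean only.
    setOptIn(checked) {
      return storage.set({ [KEY]: checked === true });
    },
  };
}

// Constructed in-memory stand-in for chrome.storage.local (assumption for the demo).
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    async get(keys) {
      return Object.fromEntries(keys.filter((k) => k in data).map((k) => [k, data[k]]));
    },
    async set(items) { Object.assign(data, items); },
  };
}

async function demo() {
  const sent = [];
  const gate = createTelemetryGate(memoryStorage(), (n, d) => sent.push([n, d]));
  const firstRun = await gate.track('feature_used'); // no preference stored yet
  await gate.setOptIn(true);
  const afterOptIn = await gate.track('feature_used');
  await gate.setOptIn(false); // consent withdrawn
  const afterOptOut = await gate.track('feature_used');
  return { firstRun, afterOptIn, afterOptOut, sentCount: sent.length };
}
demo().then((r) => console.log(r));
```

Because the preference is read on every call, withdrawing consent takes effect on the next event without restarting the extension.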
Detection
- ID: telemetry-opt-out
- Severity: medium
- What to look for: Examine the options page for a toggle or setting to disable optional telemetry, analytics, or usage statistics. Check whether the default is opt-in (user must enable) or opt-out (enabled by default with option to disable). Look for clear labeling of what data is collected if telemetry is enabled.
- Pass criteria: Count all telemetry or analytics calls in the codebase. A toggle exists in options to enable/disable optional telemetry. Default is opt-in (disabled by default, user can enable if desired). 100% of optional telemetry calls must check the user preference before sending. If telemetry is enabled by default, a clear opt-out mechanism is prominent.
- Fail criteria: Optional telemetry or analytics are always active with no way to disable them. No settings are provided. Required telemetry is not clearly separated from optional.
- Skip (N/A) when: The extension does not collect any telemetry or analytics data beyond what is strictly necessary for core functionality.
- Detail on fail: Describe the telemetry and opt-out issue. Example: "Google Analytics enabled by default with no option to disable in settings" or "Usage statistics collected and sent to external service with no user control or notification."
- Remediation: Add an opt-out toggle to your options page:
    <label>
      <input type="checkbox" id="optInTelemetry" />
      Help improve this extension by sharing anonymous usage data
    </label>
  Then check the flag before sending:
    chrome.storage.local.get(['optInTelemetry'], (result) => {
      if (result.optInTelemetry) {
        analytics.track('feature_used');
      }
    });
External references
- gdpr · Art. 7(3) — Right to withdraw consent at any time
- ccpa · §1798.120 — Right to opt-out of sale of personal information
- eprivacy · Art. 5(3) — Consent required for storing/accessing terminal equipment (cookies/trackers)
- external · chrome-web-store-user-data-policy — Chrome Web Store User Data Privacy Policy — User control over optional data collection
History
- 2026-04-18·v1.0.0·Initial import from extension-data-privacy·automated