GDPR Art. 13(1)(e) requires telling data subjects, at the time of collection, the recipients or categories of recipients of their personal data. CCPA §1798.115 gives consumers the right to know the categories of third parties to whom their personal information has been sold or disclosed. An extension that integrates Google Analytics, Mixpanel, or Segment without disclosing this in its privacy policy is transmitting user data to unnamed third parties, which is a standalone GDPR transparency violation and a breach of the Chrome Web Store user data policies. The ePrivacy Directive Art. 5(3) additionally requires prior consent before storing or reading identifiers on the user's device for non-essential purposes such as analytics; undisclosed analytics satisfies neither the consent nor the transparency requirement. Users who would object to sharing data with a specific analytics provider are denied the ability to make that choice.
Low because undisclosed analytics is a transparency violation rather than a direct data breach, but it is still a GDPR Art. 13 and Chrome Web Store policy violation that regulators and store reviewers treat as evidence of broader privacy non-compliance.
Enumerate every analytics SDK in your package.json dependencies and manifest.json (host_permissions and the connect-src directive of content_security_policy are where collection endpoints show up), then name each one explicitly in your privacy policy and options page:
<!-- In options.html -->
<p>
This extension uses <strong>Google Analytics</strong> to understand usage patterns.
<a href="https://policies.google.com/privacy" target="_blank" rel="noopener">
Google Privacy Policy
</a>
</p>
In PRIVACY.md:
## Analytics
We use **Google Analytics** to collect anonymized usage data (page views, feature clicks).
No personally identifiable information is sent. See Google's policy:
https://policies.google.com/privacy
Cross-reference telemetry-opt-out: if the analytics service is optional, users must be able to disable it in extension settings, and given ePrivacy Art. 5(3) the safer default is off until the user opts in. Also make sure the disclosure is accurate: every Google Analytics hit reaches Google's servers with the client's IP address (as any HTTP request does) and a persistent client identifier, both of which are personal data under GDPR Art. 4(1), so do not claim that no personally identifiable information is sent unless you have verified what the SDK actually transmits.
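The opt-out requirement above, as an added example that is not part of the original check text: an opt-in gate that keeps analytics off until the user enables it in the extension's settings. The `storage` argument is any object with the promise-based get/set shape of `chrome.storage.local` in Manifest V3, and `sendHit` is whatever transport the SDK uses; both are injected so the logic runs here against a constructed in-memory stand-in. The key name `analyticsConsent` and the function names are this example's own choices.

```javascript
// Added example (not from the original check text): analytics calls are
// suppressed unless the user has explicitly opted in via the options page.
// Storage key name is an assumption; any key works as long as options.js and
// the analytics wrapper agree on it.
const CONSENT_KEY = "analyticsConsent"; // stored as { analyticsConsent: true | false }

function createAnalytics({ storage, sendHit }) {
  // Absence of the key means the user has never opted in, so default is off.
  async function hasConsent() {
    const stored = await storage.get(CONSENT_KEY);
    return stored[CONSENT_KEY] === true;
  }
  // Called from the options page on checkbox change: setConsent(checkbox.checked).
  async function setConsent(enabled) {
    await storage.set({ [CONSENT_KEY]: enabled === true });
  }
  // Returns true when a hit was actually transmitted, false when suppressed.
  async function track(eventName, params = {}) {
    if (!(await hasConsent())) return false;
    await sendHit({ name: eventName, params });
    return true;
  }
  return { hasConsent, setConsent, track };
}

// Constructed in-memory stand-in for chrome.storage.local (same get/set shape).
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    async get(keys) {
      const list = Array.isArray(keys) ? keys : [keys];
      const out = {};
      for (const k of list) if (k in data) out[k] = data[k];
      return out;
    },
    async set(items) {
      Object.assign(data, items);
    },
  };
}

// Scenario: fresh install (no consent), user opts in, then opts out again.
async function demo() {
  const sent = []; // hits that would have gone to the collection endpoint
  const storage = memoryStorage();
  const analytics = createAnalytics({ storage, sendHit: async (hit) => { sent.push(hit); } });
  const results = [];
  results.push(await analytics.track("installed")); // false: nothing leaves the device yet
  await analytics.setConsent(true); // user flips the toggle in options
  results.push(await analytics.track("feature_used", { feature: "export" })); // true
  await analytics.setConsent(false); // user disables analytics again
  results.push(await analytics.track("feature_used")); // false
  return { results, sent };
}

demo().then(({ results, sent }) => console.log(results, sent));
```

Only one hit is transmitted in the scenario, the one sent while consent was on; the wrapper also gives a store reviewer a single place to confirm that no analytics code path runs before consent.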
ID: extension-data-privacy.third-party-sharing.analytics-disclosed
Severity: low
What to look for: Search the codebase for analytics or telemetry SDKs (Google Analytics, Mixpanel, Segment, custom analytics), including direct fetch, XMLHttpRequest, or navigator.sendBeacon calls to collection endpoints, and analytics hosts listed in manifest.json host_permissions or connect-src. Check whether these are disclosed in the privacy policy and to the user (via options page or store listing).
Pass criteria: Enumerate all analytics and telemetry SDKs found in package.json dependencies, code imports, and outbound request targets. Every analytics service is clearly disclosed by name in the privacy policy and/or options UI, so the user understands that data may be sent to Google, Mixpanel, etc.
Fail criteria: Analytics SDK integrated but not disclosed. Privacy policy makes no mention of third-party analytics services.
Skip (N/A) when: The extension does not use any third-party analytics or telemetry services.
Detail on fail: Example: "Google Analytics integrated but not mentioned in privacy policy or options page" or "Mixpanel tracking calls sent without user disclosure or consent."
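One way to implement the enumeration and disclosure check described above, as an added example (not the check's own tooling): it scans dependencies, manifest permissions and CSP, and source text for known SDK signatures, then tests whether each detected provider is named in the disclosure texts. The package names, collection hosts and call shapes are the ones these SDKs document publicly; the sample extension, its measurement ID and all function names are constructed for this example.

```javascript
// Added example (not from the original check text): an audit that enumerates
// analytics/telemetry SDKs in an extension and checks whether each detected
// provider is named in the privacy policy or options page. Every input below
// is constructed sample data for a hypothetical extension, not a real one.

// Signature table. Treat it as a starting point and extend it for the SDKs
// your extension actually pulls in.
const ANALYTICS_PROVIDERS = [
  {
    name: "Google Analytics",
    packages: ["react-ga", "react-ga4", "universal-analytics"],
    hosts: ["www.google-analytics.com", "region1.google-analytics.com", "www.googletagmanager.com"],
    codePatterns: [/\bgtag\(/, /\bga\(\s*['"]send['"]/, /google-analytics\.com\/(collect|mp\/collect|g\/collect)/],
    disclosureNames: ["google analytics", "gtag"],
  },
  {
    name: "Mixpanel",
    packages: ["mixpanel", "mixpanel-browser"],
    hosts: ["api.mixpanel.com", "api-js.mixpanel.com"],
    codePatterns: [/\bmixpanel\.(init|track|identify)\(/],
    disclosureNames: ["mixpanel"],
  },
  {
    name: "Segment",
    packages: ["analytics-node", "@segment/analytics-next", "@segment/analytics-node"],
    hosts: ["api.segment.io", "cdn.segment.com"],
    codePatterns: [/\banalytics\.(track|page|identify)\(/],
    disclosureNames: ["segment"],
  },
];

// Look for each provider in dependencies, manifest permissions/CSP, and source text.
function detectAnalytics({ packageJson = {}, manifest = {}, sources = {} }) {
  const deps = Object.keys({ ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) });
  const csp = manifest.content_security_policy;
  const manifestText = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []),
    typeof csp === "string" ? csp : Object.values(csp || {}).join(" "), // MV2 string or MV3 object
  ].join("\n");

  const findings = [];
  for (const p of ANALYTICS_PROVIDERS) {
    const evidence = [];
    for (const d of deps) if (p.packages.includes(d)) evidence.push(`package.json dependency ${d}`);
    for (const h of p.hosts) if (manifestText.includes(h)) evidence.push(`manifest.json references ${h}`);
    for (const [file, src] of Object.entries(sources)) {
      for (const re of p.codePatterns) if (re.test(src)) evidence.push(`${file} matches ${re}`);
      for (const h of p.hosts) if (src.includes(h)) evidence.push(`${file} contacts ${h}`);
    }
    if (evidence.length) findings.push({ provider: p.name, evidence });
  }
  return findings;
}

// Coarse textual check: is the provider named anywhere in the disclosure texts?
// A reviewer still reads the wording; "segment" in particular can match
// unrelated prose, so a hit here is a prompt to read the policy, not a verdict.
function isDisclosed(providerName, disclosureTexts) {
  const p = ANALYTICS_PROVIDERS.find((x) => x.name === providerName);
  const haystack = disclosureTexts.join("\n").toLowerCase();
  return p.disclosureNames.some((n) => haystack.includes(n));
}

// Map the findings onto the check's pass / fail / skip outcomes.
function evaluateCheck(extension, disclosureTexts) {
  const findings = detectAnalytics(extension);
  if (findings.length === 0) return { result: "skip", undisclosed: [], findings };
  const undisclosed = findings.filter((f) => !isDisclosed(f.provider, disclosureTexts)).map((f) => f.provider);
  return { result: undisclosed.length ? "fail" : "pass", undisclosed, findings };
}

// Constructed sample extension: Mixpanel via npm plus a raw GA4 Measurement
// Protocol call, but only Google Analytics is mentioned in the disclosures.
const SAMPLE_EXTENSION = {
  packageJson: { name: "sample-ext", dependencies: { "mixpanel-browser": "^2.47.0", "webextension-polyfill": "^0.10.0" } },
  manifest: {
    manifest_version: 3,
    host_permissions: ["https://www.google-analytics.com/*"],
    content_security_policy: { extension_pages: "script-src 'self'; connect-src 'self' https://api.mixpanel.com" },
  },
  sources: {
    "src/background.js": [
      'import mixpanel from "mixpanel-browser";',
      'mixpanel.init("TOKEN");',
      'export function trackInstall() { mixpanel.track("installed"); }',
      'fetch("https://www.google-analytics.com/mp/collect?measurement_id=G-XXXX", { method: "POST", body: "{}" });',
    ].join("\n"),
  },
};
const SAMPLE_DISCLOSURES = [
  "## Analytics\nWe use **Google Analytics** to collect anonymized usage data.\n",
  "<p>This extension uses <strong>Google Analytics</strong> to understand usage patterns.</p>",
];

console.log(JSON.stringify(evaluateCheck(SAMPLE_EXTENSION, SAMPLE_DISCLOSURES), null, 2));
```

For the sample extension the result is "fail" with Mixpanel listed as undisclosed, while Google Analytics passes because it is named in both the policy and the options page; an extension with no findings yields "skip", matching the N/A condition of the check.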
Remediation: Disclose analytics in privacy policy and options UI:
<!-- In options.html -->
<p>
This extension uses <strong>Google Analytics</strong> to understand how the extension is used.
You can disable analytics in settings above.
<a href="https://policies.google.com/privacy" target="_blank" rel="noopener">Learn more</a>
</p>
And in privacy policy:
## Analytics
We use Google Analytics to collect anonymized usage data.
See Google's privacy policy: https://policies.google.com/privacy