Use of Google Analytics will be prohibited? New Policy Questions.

[Chris Zalcman]

In the privacy tab of the developer dashboard we have found the following:

What personal and sensitive data do you plan to collect from users now or in the future?

Location: for example region, IP address, ...

Why country/region or anonymized IP address classified as personally or sensitive user information? In the Google Analytics help stated, that region and masked IP classified as anonymous information https://support.google.com/analytics/answer/2763052

We would want to collect an extension usage by country to our own analytics dashboard.

If we select the Location checkbox, then users will see that we collect personal information, which is not correct. Some users will decide not to install an extension due to incorrect privacy information.

What about cid parameter required by Google Analytics Measurement protocol? Or Google Analytics will be prohibited into extensions? 

 

We think CWS need some additional tweaks to these settings, because country and IP address are not the same. 

[Simeon Vincent]

Hey Chris,

Quickly, I want to clearly state that I am not a lawyer and my comments should not be taken as legal advice. I'm just a developer doing my best to help other developers.

Why country/region or anonymized IP address classified as personally or sensitive user information?

I'm not sure at the moment. As I mentioned in another thread, I'll need to bring these and other similar questions back to the appropriate folks in Google to get clarification. 

What about cid parameter required by Google Analytics Measurement protocol?

In my personal opinion, GA CID is not "Personally identifiable information" but may constitute "User activity" As that information would not be logged without the user's direct interaction with the extension. 

Or Google Analytics will be prohibited into extensions? 

I don't believe the use of Google Analytics or other analytics services are prohibited. Rather, they're perfectly fine to use so long as the data collected via analytics is in direct support of the extension's purpose and data collection is disclosed to the end user. 

Cheers,

Simeon - @dotproto

Developer Advocate for Chrome Extensions

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/1328f7ef-91a2-43a5-8ca4-17ba67a47a0an%40chromium.org.

[Charlie Sheleg]

Follow up question if I may.

So basically you are saying Google Analytics is fine but what about other analytics suppliers that are not Google (MixPanel, Hotjar, etc...)?

Say I use them "in direct support of the extension's purpose" but they use the data generated from my extension to enhance and improve their service, is that ok according to the new policy or isn't it?

Thank you

[Vasco Gomes]

Hi think that this Question is important since everyone is using Google analytics. 

It also doesn't look like User activity is valid for Google Analytics, at least not aggressive user activity as is explained in the WebStore examples: 

User activity

For example: network monitoring, clicks, mouse position, scroll or keystroke logging

Google analytics don't do any of this. Only very basic information.

But I think it's important to know if Google Analytics is "User activity" or not. For me it's not.

Greetings.

[Simeon Vincent]

So basically you are saying Google Analytics is fine but what about other analytics suppliers that are not Google (MixPanel, Hotjar, etc...)?

Say I use them "in direct support of the extension's purpose" but they use the data generated from my extension to enhance and improve their service, is that ok according to the new policy or isn't it? - Charlie

My last comment was not exclusive to Google Analytics. As I said, my understanding is that analytics services in general are okay for extensions to use so long as the analytics data supports the extension's purpose, data collection is disclosed to the user, and data use complies with the Developer Program Policies. 

You specifically asked about an analytics company using "the data generated from my extension to enhance and improve their service"; I don't see any language in the Limited Use of User Data section that implies this is a violation. Is there a specific provision of the policy that you're concerned about?

It also doesn't look like User activity is valid for Google Analytics, at least not aggressive user activity as is explained in the WebStore examples:

User activity

For example: network monitoring, clicks, mouse position, scroll or keystroke logging - Vasco

I think we can improve our examples on that form. As I understand the intent of the "user data" classification, it basically means any information collected as a result of a user's interaction with your extension. By and large I believe most if not all analytics falls into this category. Thinking out loud, maybe we should just add "analytics" to the examples list.

Perhaps it would help to be a bit more concrete. What kind of information are you gathering with analytics?

Cheers,

Simeon - @dotproto

Chrome Extensions DevRel

[Mārtiņš Balodis]

I don't think using Google Analytics is that simple.

1. In GA you can enable demographics and Interest reports which would show the age and gender of the users. This would mean that you have to check "Personally identifiable information For example: name, address, email address, age, or identification number"

2. By default GA is showing location and language information. I don't think this can be disabled. That should mean that anyone using GA has to check. "Location For example: region, IP address, GPS coordinates, or information about things near the user’s device"

3. When you create a new GA tag for the first time Google asks nicely to share your website data. If you allow that you cannot check this option "I do not use or transfer user data for purposes that are unrelated to my item's single purpose"

4. I don't know the insides of GA, but almost all tracking software is creating a unique id for each visitor based on his browser fingerprint. The browser fingerprint could include browsers timezone which includes location data.

There should be a detailed guide on how to use GA so that there is no unintentional or intentional user data abuse.