PII sent directly to a client-side analytics call
Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A gtag/fbq/mixpanel/analytics tracking call carries an SSN, password, card number, DOB, or government-ID field directly in its event payload, handing special-category data to a third-party vendor.
Why it matters
Sending a Social Security Number, password, or full credit card number to a third-party analytics or tracking tool hands that data to a vendor whose systems, retention policy, and staff access were never designed for it, and who may further share it with their own sub-processors. Most privacy regulations require a documented legal basis before this kind of special-category data reaches a third party, and analytics platforms are rarely covered by one. Once the event is sent, the data typically cannot be deleted from the vendor systems on request, which complicates the right-to-erasure obligations most privacy laws require.
How to fix it
Remove the sensitive field from the event payload before it is sent to the analytics or tracking call. If the event genuinely needs to reference the record, send a non-sensitive identifier such as a user id or plan tier instead of the raw value. Review what other fields are sent alongside it, since the same event may carry other personal data worth trimming.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo