Feat: new analytics data regulation controller (#7643)

## Explanation

This PR introduces a new
`@metamask/analytics-data-regulation-controller` package that provides
GDPR/CCPA data deletion functionality for analytics data. The package
allows to extract the logic from the mobile app (and will be compatible
with extension too)

**Current state:** MetaMask mobile app currently has a dedicated
mechanism to handle user data deletion requests for analytics data in
compliance with GDPR and CCPA regulations.

**Solution:** This package introduces:
- **AnalyticsDataRegulationController**: A controller that manages the
lifecycle of data deletion requests, tracks whether new data has been
recorded since the last deletion request, and stores deletion regulation
metadata (ID and timestamp)
- **AnalyticsDataRegulationService**: A service that communicates with
Segment's Regulations API via a proxy endpoint to create deletion tasks
and check their status
- **State management**: Tracks `hasCollectedDataSinceDeletionRequest`
flag, `deleteRegulationId`, and `deleteRegulationTimestamp` to support
compliance workflows
- **Selectors**: Provides reusable selectors for accessing controller
state

**Implementation details:**
- The controller takes `analyticsId` as a constructor parameter
(provided by the consumer)
- It delegates to `AnalyticsDataRegulationService` via messenger actions
to make HTTP requests to Segment's Regulations API
- The service uses `createServicePolicy` from
`@metamask/controller-utils` for retry logic and error handling
- State is persisted and can be used to determine if new analytics
events have been recorded since the last deletion request
- The package includes comprehensive test coverage (100% branch,
function, line, and statement coverage)

## References

see also MetaMask/metamask-mobile#22016

Fixes #7618

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs
for packages I've
changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [x] I've introduced [breaking
changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md)
in this PR and have prepared draft pull requests for clients and
consumer packages to resolve them

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> <sup>[Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) is
generating a summary for commit
52f4a2c. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: NicolasMassart

.github/CODEOWNERS

@@ -62,6 +62,7 @@
 ## Mobile Platform Team
 /packages/app-metadata-controller @MetaMask/mobile-platform
 /packages/analytics-controller    @MetaMask/mobile-platform @MetaMask/extension-platform
+/packages/analytics-data-regulation-controller @MetaMask/mobile-platform @MetaMask/extension-platform
 
 ## Wallet Integrations Team
 /packages/chain-agnostic-permission        @MetaMask/wallet-integrations
@@ -115,6 +116,8 @@
 /packages/accounts-controller/package.json        @MetaMask/accounts-engineers @MetaMask/core-platform
 /packages/analytics-controller/package.json       @MetaMask/mobile-platform @MetaMask/extension-platform @MetaMask/core-platform
 /packages/analytics-controller/CHANGELOG.md       @MetaMask/mobile-platform @MetaMask/extension-platform @MetaMask/core-platform
+/packages/analytics-data-regulation-controller/package.json @MetaMask/mobile-platform @MetaMask/extension-platform @MetaMask/core-platform
+/packages/analytics-data-regulation-controller/CHANGELOG.md @MetaMask/mobile-platform @MetaMask/extension-platform @MetaMask/core-platform
 /packages/accounts-controller/CHANGELOG.md        @MetaMask/accounts-engineers @MetaMask/core-platform
 /packages/address-book-controller/package.json    @MetaMask/confirmations @MetaMask/core-platform
 /packages/address-book-controller/CHANGELOG.md    @MetaMask/confirmations @MetaMask/core-platform

README.md

@@ -25,6 +25,7 @@ Each package in this repository has its own README where you can find installati
 - [`@metamask/address-book-controller`](packages/address-book-controller)
 - [`@metamask/ai-controllers`](packages/ai-controllers)
 - [`@metamask/analytics-controller`](packages/analytics-controller)
+- [`@metamask/analytics-data-regulation-controller`](packages/analytics-data-regulation-controller)
 - [`@metamask/announcement-controller`](packages/announcement-controller)
 - [`@metamask/app-metadata-controller`](packages/app-metadata-controller)
 - [`@metamask/approval-controller`](packages/approval-controller)
@@ -103,6 +104,7 @@ linkStyle default opacity:0.5
   address_book_controller(["@metamask/address-book-controller"]);
   ai_controllers(["@metamask/ai-controllers"]);
   analytics_controller(["@metamask/analytics-controller"]);
+  analytics_data_regulation_controller(["@metamask/analytics-data-regulation-controller"]);
   announcement_controller(["@metamask/announcement-controller"]);
   app_metadata_controller(["@metamask/app-metadata-controller"]);
   approval_controller(["@metamask/approval-controller"]);

packages/analytics-data-regulation-controller/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+[Unreleased]: https://github.com/MetaMask/core/

packages/analytics-data-regulation-controller/LICENSE

@@ -0,0 +1,20 @@
+MIT License
+
+Copyright (c) 2026 MetaMask
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

packages/analytics-data-regulation-controller/README.md

@@ -0,0 +1,15 @@
+# `@metamask/analytics-data-regulation-controller`
+
+Controller for managing analytics privacy and GDPR/CCPA data deletion functionality
+
+## Installation
+
+`yarn add @metamask/analytics-data-regulation-controller`
+
+or
+
+`npm install @metamask/analytics-data-regulation-controller`
+
+## Contributing
+
+This package is part of a monorepo. Instructions for contributing can be found in the [monorepo README](https://github.com/MetaMask/core#readme).

packages/analytics-data-regulation-controller/jest.config.js

@@ -0,0 +1,26 @@
+/*
+ * For a detailed explanation regarding each configuration property and type check, visit:
+ * https://jestjs.io/docs/configuration
+ */
+
+const merge = require('deepmerge');
+const path = require('path');
+
+const baseConfig = require('../../jest.config.packages');
+
+const displayName = path.basename(__dirname);
+
+module.exports = merge(baseConfig, {
+  // The display name when running multiple projects
+  displayName,
+
+  // An object that configures minimum threshold enforcement for coverage results
+  coverageThreshold: {
+    global: {
+      branches: 100,
+      functions: 100,
+      lines: 100,
+      statements: 100,
+    },
+  },
+});

packages/analytics-data-regulation-controller/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "@metamask/analytics-data-regulation-controller",
+  "version": "0.0.0",
+  "description": "Controller for managing analytics privacy and GDPR/CCPA data deletion functionality",
+  "keywords": [
+    "MetaMask",
+    "Ethereum"
+  ],
+  "homepage": "https://github.com/MetaMask/core/tree/main/packages/analytics-data-regulation-controller#readme",
+  "bugs": {
+    "url": "https://github.com/MetaMask/core/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/MetaMask/core.git"
+  },
+  "license": "MIT",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.mts",
+        "default": "./dist/index.mjs"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/index.cjs",
+  "types": "./dist/index.d.cts",
+  "files": [
+    "dist/"
+  ],
+  "scripts": {
+    "build": "ts-bridge --project tsconfig.build.json --verbose --clean --no-references",
+    "build:all": "ts-bridge --project tsconfig.build.json --verbose --clean",
+    "build:docs": "typedoc",
+    "changelog:update": "../../scripts/update-changelog.sh @metamask/analytics-data-regulation-controller",
+    "changelog:validate": "../../scripts/validate-changelog.sh @metamask/analytics-data-regulation-controller",
+    "publish:preview": "yarn npm publish --tag preview",
+    "since-latest-release": "../../scripts/since-latest-release.sh",
+    "test": "NODE_OPTIONS=--experimental-vm-modules jest --reporters=jest-silent-reporter",
+    "test:clean": "NODE_OPTIONS=--experimental-vm-modules jest --clearCache",
+    "test:verbose": "NODE_OPTIONS=--experimental-vm-modules jest --verbose",
+    "test:watch": "NODE_OPTIONS=--experimental-vm-modules jest --watch"
+  },
+  "dependencies": {
+    "@metamask/base-controller": "^9.0.0",
+    "@metamask/controller-utils": "^11.18.0",
+    "@metamask/messenger": "^0.3.0",
+    "@metamask/utils": "^11.9.0"
+  },
+  "devDependencies": {
+    "@metamask/auto-changelog": "^3.4.4",
+    "@ts-bridge/cli": "^0.6.4",
+    "@types/jest": "^27.4.1",
+    "deepmerge": "^4.2.2",
+    "jest": "^27.5.1",
+    "nock": "^13.3.1",
+    "sinon": "^9.2.4",
+    "ts-jest": "^27.1.4",
+    "typedoc": "^0.24.8",
+    "typedoc-plugin-missing-exports": "^2.0.0",
+    "typescript": "~5.3.3"
+  },
+  "engines": {
+    "node": "^18.18 || >=20"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  }
+}

packages/analytics-data-regulation-controller/src/AnalyticsDataRegulationController-method-action-types.ts

@@ -0,0 +1,51 @@
+/**
+ * This file is auto generated by `scripts/generate-method-action-types.ts`.
+ * Do not edit manually.
+ */
+
+import type { AnalyticsDataRegulationController } from './AnalyticsDataRegulationController';
+
+/**
+ * Creates a new delete regulation for the user.
+ * This is necessary to respect the GDPR and CCPA regulations.
+ *
+ * @returns Promise containing the status of the request with regulateId
+ * @throws Error if analytics ID is missing or if the service call fails
+ */
+export type AnalyticsDataRegulationControllerCreateDataDeletionTaskAction = {
+  type: `AnalyticsDataRegulationController:createDataDeletionTask`;
+  handler: AnalyticsDataRegulationController['createDataDeletionTask'];
+};
+
+/**
+ * Check the latest delete regulation status.
+ *
+ * @returns Promise containing the timestamp, delete status and collected data flag
+ */
+export type AnalyticsDataRegulationControllerCheckDataDeleteStatusAction = {
+  type: `AnalyticsDataRegulationController:checkDataDeleteStatus`;
+  handler: AnalyticsDataRegulationController['checkDataDeleteStatus'];
+};
+
+/**
+ * Update the data recording flag if needed.
+ * This method should be called after tracking events to ensure
+ * the data recording flag is properly updated for data deletion workflows.
+ *
+ * The flag can only be set to `true` (indicating data has been collected).
+ * It cannot be explicitly set to `false` - it is only reset to `false` when
+ * a new deletion task is created via `createDataDeletionTask`.
+ *
+ */
+export type AnalyticsDataRegulationControllerUpdateDataRecordingFlagAction = {
+  type: `AnalyticsDataRegulationController:updateDataRecordingFlag`;
+  handler: AnalyticsDataRegulationController['updateDataRecordingFlag'];
+};
+
+/**
+ * Union of all AnalyticsDataRegulationController action types.
+ */
+export type AnalyticsDataRegulationControllerMethodActions =
+  | AnalyticsDataRegulationControllerCreateDataDeletionTaskAction
+  | AnalyticsDataRegulationControllerCheckDataDeleteStatusAction
+  | AnalyticsDataRegulationControllerUpdateDataRecordingFlagAction;