Of the 130 sites the researchers checked:

In total, 107 sites leaked some kind of transaction information;
31 allowed third-party scripts to access users’ Bitcoin addresses;
104 shared the non-BTC denominated price of a transaction; and
30 shared the transaction price in Bitcoin.

It doesn’t help that even for someone running tracking protection, a substantial amount of personal information was passed around by the sites examined in the study.
Information type With tracking protection Without protection
E-mail 32 25
First name 27 20
Last name 25 19
User ID 15 12
Address 13 9
Full name 11 4
Phone 10 4
Company 5 4

A total of 49 merchants shared users’ identifying information, and 38 shared that even if the user tries to stop them with tracking protection.

Users have very little protection against all this, the paper says: the danger is created by pervasive tracking, and it’s down to merchants to give users better privacy.

Source: Bitcoin-accepting sites leave cookie trail that crumbles anonymity