If you are developing an extension or plugin for a web browser, in many cases this extension will collect data from users. To make sure that your extension or plugin is compliant with the law, you'll need to provide a Privacy Policy for your users.

Each browser also has its own requirements for Privacy Policies for extensions.

Usually, you will have to notify users directly that you are collecting data, and give them an opportunity to consent (or decline).

In addition, you need to comply with the specific requirements of whatever browser you have chosen to develop the extension for, whether Google Chrome, Apple Safari, Mozilla Firefox, or Microsoft Edge.

First, we'll look briefly at what a Privacy Policy is. Then, we'll go through a few different browsers and their requirements for Privacy Policies, as well as how to comply.


What is a Privacy Policy and Why Do You Need One for Extensions and Plugins?

A Privacy Policy is a legal document that explains to users what data you collect, what you use it for, who you share it with, where it is transferred, and how users can delete their data.

When you collect personal information, a Privacy Policy is required by laws such as the General Data Protection Regulation (GDPR) in Europe, and the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA/CPRA) in the United States.

Essentially, anything that can identify an individual, alone or in combination with other data, is personal information.

Personal information includes data such as:

  • Name and email address
  • IP address
  • Health data
  • Financial information
  • Location

If the information is particularly unique and identifying, or relates to categories such as health and finance, it may also be considered to be "sensitive" data.

When you make extensions and plugins for web browsers, these often collect personal information from users. This could be through a user login, a web form, or the collection of data such as an IP address, email address, browsing data, or other information.

Each browser has its own rules about what is required for you to be able to list or offer a browser extension through their stores.

Let's take a look at a few different browsers now.

Privacy Policies for Chrome Extensions

If you are developing a Google Chrome extension or plugin that handles personal data, you'll need to follow the Developer Program Policies for the Chrome Web Store. Google provides more detailed instructions in its Privacy Policy & Secure Handling Requirements.

Google defines "handling" personal data as "collecting, transmitting, using, or sharing user data." It also includes some examples of what it considers to be "handling" personal data:

Google Chrome Store Program Policies: Definition of Handling

This includes, for instance:

  • Login functionality
  • Forms that collect personal data
  • Clipping or scraping content from websites
  • Collecting data from web requests
  • Collecting web browsing activity

What Does Google Require?

If your browser extension or plugin is collecting user data, you must:

  • Post an accurate and up-to-date Privacy Policy
  • Disclose how your extension collects, uses, and shares user data, as well as all parties you will share the data with
  • Make the Privacy Policy accessible in the Chrome Web Store
  • Encrypt all personal and sensitive information
  • Provide a "Prominent Disclosure" if you are collecting personal data for purposes other than the functionality of the extension or plugin

In addition, most browsers, including Chrome, include a data minimization requirement when it comes to user privacy. This means you should only collect the data that you need for your extension to function, and no more than this.

For Google, this section is called "Limited Use":

Google Chrome Store Program Policies: Limited Use section

How Do You Meet Google Chrome's Requirements?

This section will examine the requirements outlined above in more detail.

Have and Display a Privacy Policy

Google has some specific requirements for what you need to include in your Privacy Policy in section 6 of its "Privacy Policy & Secure Handling Requirements".

These requirements are to:

  • Include in your Privacy Policy how you collect, use, and disclose or share data
  • Provide a "Prominent Disclosure" (such as a pop-up or banner) to users if you will collect information not related to functionality

Here's what Google says about what your Privacy Policy specifically needs to address:

Google Chrome Store Program Policies: What does my Privacy Policy need to say section

For example, you have to include the following in your Privacy Policy:

  • How you collect, use, and disclose data
  • What information your extension collects
  • How you share information with other parties

Here's one example from the Sapling extension for Google Chrome, explaining what data it collects:

Sapling Privacy Policy: Information We Collect clause

Encrypt Data When Required

Google requires that you encrypt all personal and sensitive information that is collected from your users through your extension:

Google Chrome Store Program Policies: Encryption section

You can do this by using HTTPS or WSS, and using appropriate encryption methods.

Include a Prominent Disclosure When Required

Google requires that you provide what it calls a "Prominent Disclosure" to users, if your extension will collect data that is not related to its functionality. This is particularly the case if you are collecting "sensitive data."

In its "Privacy Policy & Secure Handling Requirements," Google provides a table to determine whether your extension is likely to require a prominent disclosure. You can compare your own extension against this table:

Google Chrome Store Program Policies: Prominent disclosure chart

If you believe you need to meet this prominent disclosure requirement, you will need to take a number of steps.

You must:

  • Describe the types of personal or sensitive user data that are being collected and how they will be used
  • Obtain the user's consent to collection and use
  • Present the disclosure prominently, so that the user sees it before agreeing
  • Provide the user with the opportunity to take a specific action to clearly agree
  • Provide the prominent disclosure within the interface of the extension or plugin (not only within the Privacy Policy)

Here's what Google says about it:

Google Chrome Store Program Policies: How to satisfy prominent disclosure section

The "prominent disclosure" would usually be a pop-up or banner that contains "Accept" or "Deny" types of buttons for the collection of data.

Here's an example created and shared by WUltra to demonstrate what a compliant prominent disclosure could look like:

WUltra Prominent Disclosure example

Now let's take a look at Safari.

Privacy Policies for Safari Extensions

The Apple App Review Guidelines contain a set of requirements for apps to be listed on the App Store. Some of the Guidelines cover what your Privacy Policy needs in order to comply with Apple's rules. For these purposes, apps include Safari extensions and plugins.

The Apple Developer UI Kit also provides additional privacy guidelines to help make sure that your extension or plugin is designed correctly.

In addition, like other browsers, Safari includes a "data minimization" requirement.

Apple App Review Guidelines: Data minimization section

This data minimization requirement focuses on the functionality of the app, and data that is necessary to "accomplish the relevant task". Let's take a look at some of the more specific requirements for Safari.

What Does Safari Require?

Apple has quite strict requirements for your Privacy Policy, as well as how you protect the privacy of users. Safari requires that you:

  • Include a link to your Privacy Policy in the App Store and in the extension itself
  • Include in your Privacy Policy how you collect, use, and store data, as well as data retention and deletion policies
  • Tell users how they can revoke consent
  • Make sure that any third parties that collect data through your extension also follow the same privacy practices
  • Ask for consent before you collect data
  • Not use logins unless you need to, and not require users to share information unless it's necessary
  • Not include any marketing, advertising, or in-app purchases in your extension

Let's take a look at each of these in more detail.

How Do You Meet Safari's Requirements?

This section will examine the requirements outlined above in more detail.

First, your extension will have to include a link to your Privacy Policy:

  • In the App Store Connect metadata field
  • Within the extension in an easily accessible manner

Apple App Review Guidelines: Privacy Policy link requirement

Here's an example of what the App Store information looks like for a browser extension such as the Wayback Machine Safari extension, made by Internet Archive:

Wayback Machine Safari Extension with Privacy Policy link highlighted

Ensure Your Privacy Policy Includes Required Content

Your Privacy Policy needs to also include sections covering the following:

  • What data your extension collects, how it collects it, and how the data will be used
  • Data retention and deletion policies
  • How users can revoke consent

Apple App Review Guidelines: Data collection and storage section

This example from the Grammarly extension in the Apple App store shows how its Privacy Policy deals with data deletion policies, for instance:

Grammarly Privacy Policy: Exercising data rights clause

Your Privacy Policy must also confirm that anyone your extension shares data with provides the same or equal user protection as you and your extension provide.

Apple Safari requires you to ask for consent if you collect user data:

Apple App Review Guidelines: Permission section

Note, in Apple's case, this applies even if the data is considered to be anonymous when it is collected.

Apple requires you to provide your users with an "easily accessible and understandable way to withdraw consent." This is often included in similar sections to the "Exercising Your Data Rights" section from Grammarly above.

Address Account Logins, Deletion and Advertising Restrictions

In addition, if there is sign-in functionality for the extension, there are specific rules. Apple explains that if your app or extension does not need a login, let people use it without one:

Apple App Review Guidelines: Account sign-in section

If your extension has a login, you have to allow users to delete their accounts from within it.

You also can't require users to provide personal information for the extension to function, unless it is directly necessary for core functionality.

Apple also includes additional rules specifically for extensions. This includes the App Extension Programming Guide, the Safari app extensions documentation, and the Safari web extensions documentation.

Mostly, these refer to programming requirements and other developer tools, rather than privacy issues. Nonetheless, you need to make sure that you comply with these requirements:

Apple App Review Guidelines: Extensions section

Finally, as you can see in the image for section 4.4 above, Apple states that "extensions may not include marketing, advertising, or in-app purchases."

Now let's take a look at Firefox.

Privacy Policies for Firefox Extensions

Firefox has a series of Add-on Policies that guide how extensions and plugins should be made and provided to users.

Like other browsers, Firefox has a "data minimization" policy requirement:

Firefox Add-On Policies: Data disclosure, collection and management section

What Does Firefox Require?

Firefox has a list of requirements for how you deal with personal data. This includes:

  • Including in your Privacy Policy what data you will collect, for what purposes, and which third parties you share it with
  • Telling users whether you use cookies
  • Not collecting any search terms, and not collecting any browser information unless necessary for the extension's primary function
  • Asking for consent from your users to collect their data

Firefox also treats "technical" and "personal" data differently.

Let's take a look at each of these things in more detail.

How Do You Meet Firefox's Requirements?

This section will examine the requirements outlined above in more detail.

Include All Required Privacy Policy Information

Firefox requires that a Privacy Policy must:

  • Specify the data that will be collected
  • Disclose the collection of search terms in the Privacy Policy if this collection is necessary for the app to work
  • Disclose the use of cookies
  • Disclose how the extension collects, uses, stores, shares and discloses user data
  • Disclose data-sharing with third parties and the identity of the third parties
  • Explain the purpose of the data collection

The Privacy Policy must also be the full text of the policy provided within the extension: it cannot require going to another website to read it.

The Privacy Policy must be specific to your extension (i.e. it can't be vague and generic).

Here's what Firefox says:

Firefox Add-On Policies: Privacy Policy section

Don't Collect Prohibited Information

Firefox prohibits the collection of certain types of information.

Your extension is not allowed to collect search terms, intercept searches, or collect non-necessary information for the extension's function. Browsing activity can only be collected if it is part of the extension's main function, in which case you would describe this to your users in the extension's description:

Firefox Add-On Policies: Prohibited Data Collection section

Firefox requires you to ask your users for consent to collect their data:

Firefox Add-On Policies: User consent and control section

To comply with this guideline you must:

  • Provide a clear way to consent or decline data collection within the extension
  • Provide any updated data collection information when any updates occur
  • Tell users what type of data your extension collects
  • Provide a link to your Privacy Policy within the extension
  • Tell users what the consequences are if they accept or decline data collection
  • Separate consent for personal and technical data

Handle Personal and Technical Data Appropriately

As noted above, Firefox distinguishes between personal data and technical data. Personal data is treated more strictly than technical data.

Firefox requires you to offer two different standards in your consent process.

Personal data can only be collected by an opt-in method, which must be done through the consent process when the user installs the add-on. If the user chooses not to provide personal data, and the personal data is necessary for the functioning of the extension, the user must be required to uninstall the app:

Firefox Add-On Policies: Personal data opt-in section

Unlike personal data, the collection of technical data can be opt-out for Firefox extensions:

Firefox Add-On Policies: Technical and user interaction data opt-out section

This means that when you ask your users for consent, they must be able to choose to disable the collection of technical or user information. This includes error information or other data that could be used to improve the extension's functioning.

Finally, let's take a look at Microsoft Edge.

Privacy Policies for Microsoft Edge Extensions

Many of the requirements from Microsoft are similar to those of Google, Apple, and Mozilla. For Microsoft, the requirements are contained in their Developer policies for the Microsoft Edge Add-ons store.

Like other browsers, Microsoft Edge also requires data minimization as a policy approach for extensions. You can see below that you may only collect information if required:

Developer policies for the Microsoft Edge Add-ons store: Collect personal information only when necessary section

You can also see that you must tell users how you handle data at the time that they install the extension. A clear and comprehensive Privacy Policy is also required by Microsoft.

What Does Microsoft Edge Require?

Microsoft Edge requires:

  • Having a Privacy Policy including descriptions of user controls over data, and how information is accessed
  • Updating your Privacy Policy regularly
  • Having a Privacy Policy that is specific and relevant to the Microsoft Edge browser
  • Not collecting any highly sensitive information through your extension unless absolutely necessary for functionality
  • Obtaining opt-in consent from users to share any data further to third parties

How Do You Meet Microsoft Edge Requirements?

This section will examine the requirements outlined above in more detail.

Create and Maintain an Appropriate Privacy Policy

Microsoft Edge requires that your Privacy Policy explains what controls users have over their data, and how they can access it. The Privacy Policy must be compliant with any laws that apply to your extension, and you have to update your Policy every time you add new features.

Like Firefox, the Privacy Policy you use for Edge must be specific to Edge, and relevant to the extension you are providing.

Similar to Google's requirements for the encryption of any collected data, Microsoft requires you to aggregate and anonymize any data that you collect.

Here's what Microsoft says about it:

Developer policies for the Microsoft Edge Add-ons store: Maintain Privacy Policy section

Appropriately Handle Highly Sensitive Information

Microsoft guidelines include strict requirements for "Highly sensitive information."

This section prohibits you from collecting, storing, or transmitting highly sensitive personal information, unless it is related to the functionality of the extension itself. This includes health and financial data, and could include other sensitive information such as data about sexuality, religion, or other such categories.

If you collect this type of data through your extension, Microsoft requires you to obtain user consent expressly (opt-in).

Here's what Microsoft says:

Developer policies for the Microsoft Edge Add-ons store: Highly sensitive information section

If your extension will collect any information that is then shared with third parties, Microsoft requires you to obtain opt-in consent.

Specifically, you need to tell your users how information is accessed, used, or shared, and tell them the types of parties that you will share it with. You are also required to include a way for users to later withdraw their consent and opt out of this data sharing.

Here's what Microsoft says:

Developer policies for the Microsoft Edge Add-ons store: Sharing data with third parties section

Examples of Privacy Policy Clauses that Work For Most Browser Extensions

Include the following clauses when creating a Privacy Policy that will meet what most browsers require for extensions.

What Personal Data You Collect

Disclose what personal data you will be collecting through your browser extension. Be as clear and specific as possible.

Here's how the Nimbus Screenshot browser extension lists the types of data it collects, and also notes that it only collects the least amount of information needed:

Nimbus Screenshot Privacy Policy: Types of Personal Information Collected clause

The Rakuten browser extension Privacy Policy includes a section noting the types of data collected via the browser, such as website URLs visited, and clicks made on websites. At the end of the clause, a note on sensitive personal information is included, noting that such information is not used for targeted advertising:

Rakuten Privacy Policy: Types of information collected clause

How and Why You Collect Personal Data

Let your extension users know how you will be collecting personal data, and what purposes you will use it for.

Nimbus explains both how it will use data, and what it will not use it for:

Nimbus Screenshot Privacy Policy: How we use Information clause

Rakuten includes similar information, but goes more in depth and uses section headings to categorize all its types of uses. This can help with organization, especially if you have an extensive number of ways you use collected information:

Rakuten Privacy Policy: Use of information collected clause

What Rights Users Have and How They Can Be Exercised

Users must be informed of what legal rights they have, such as the right to request that you delete the personal information you have collected from them.

Include a clause that lists out the rights users have, and how they can exercise these rights if they wish to.

Rakuten explains in thorough detail what rights users have, and what each right grants:

Rakuten Privacy Policy: User Rights clause

At the end of this clause, Rakuten informs users exactly how they can exercise these rights and provides links to a Privacy Center and a contact method. It also includes a section about a right to appeal decisions made regarding rights requests:

Rakuten Privacy Policy: How to exercise rights clause

Third Party Sharing of Personal Information

If you share any of the personal information you collect with any third parties, this must be disclosed in a Privacy Policy clause.

Here's how Rakuten again uses well-labeled sections to explain all of the different types of third parties it may share personal information with, including business partners, financial partners and advertising partners:

Rakuten Privacy Policy: Data sharing clause

Even if you don't sell any personal information, you should note this as well. A simple, short statement would suffice, as seen here from the Honey browser extension Privacy Policy:

Honey Privacy Policy: Third party sharing clause

Even after a user has granted consent for you to collect or process personal information, the user must be able to revoke this consent at any time.

Include information about this right in your Privacy Policy, and explain how users can go about revoking consent if they wish to do so.

Rakuten lets users know that they can stop all collection of personal information via its extension by uninstalling it. Due to the nature in which the extension works, this is the main way to revoke consent and stop collection and use of information:

Rakuten Privacy Policy: Mobile app browser extension clause

Your Use of Cookies

Disclose your use of cookies. This can be noted in your general clause about what methods you use to collect personal information. Or, it can be its own standalone clause.

If you have a Cookies Policy, link it to this clause.

Here's how Nimbus includes a short clause addressing its use of cookies, and how they can be disabled via browser settings:

Nimbus Screenshot Privacy Policy: Cookies clause

While your browser extension Privacy Policy will likely need additional information and clauses, these clauses noted above are the core of any good Privacy Policy. Including them in your own Privacy Policy will ensure you're on your way to compliance with both privacy laws and individual browser requirements for extensions.

Summary

Each browser has its own requirements for Privacy Policies for extensions and plugins that are used with the browser. Many of them have similarities and overlaps, however. Chrome, Safari, Firefox and Edge all require you to have a Privacy Policy, and all explicitly mention data minimization principles as part of their guidelines.

Many browsers require opt-in consent for specific types of data collection, or all data collection. It is also common for some things not to be allowed at all, such as advertising or in-app purchases in Apple extensions, or the collection of search terms in Firefox extensions.

When you are developing an extension for one or several of these browsers, be sure to check the browser's developer guidelines and Privacy Policy requirements, and set up a compliant Privacy Policy that can be provided within your extension itself, as well as in the online store or platform where the extension is downloaded.

Finally, check that your Privacy Policy contains all relevant information required by the browser's guidelines, and check which laws and regulations apply to you for the countries your extension will be available in.
