Legal and data protection research writer at TermsFeed.
On this page
- 1. Do Google's Rules Apply to You?
- 1.1. What Does Handling Data Refer to?
- 1.2. What Does Sensitive or Personal Data Refer to?
- 2. Privacy Policies for Chrome Extensions
- 2.1. What to Do if Your Extension Handles Sensitive or Personal Data
- 3. Principles for Compliance
- 3.1. Collecting Information
- 3.2. Using Information
- 3.3. Disclosing Information
- 3.4. User Access to Data
- 4. Secure Handling of Data
- 4.1. Consequences of Non-Compliance
- 5.1. Consequences of Failing to Comply With the New Rules
- 5.2. Does Any of This Matter?
There are now specific rules regarding privacy and data handling, which you need to comply with to make your extension available on the Google Chrome Web Store.
Back at the beginning of 2019, Google made two significant announcements concerning its expectations regarding how Chrome extension developers must safeguard their users' privacy. In October of that year, Google expanded those requirements, so that extension developers also need to post Privacy Policies.
Google updated its policy for extensions for Chrome yet again in November of 2020, with new changes that went into effect in January 2021.
In the article below, we'll discuss how Google's Chrome extension rules may apply to you and how you can satisfy them.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Do Google's Rules Apply to You?
To be clear, under Google's rules, the term "product" refers to:
- Apps for the Google Chrome operating system, and
- Extensions for the Chrome browser
What Does Handling Data Refer to?
According to Google, "handling data" refers specifically to "collecting, transmitting, using or sharing user data."
- Collecting any data about the resources or website content that a user requests or interacts with (this includes URLs or domains the browser interacts with, the information in a website's browser storage, such as cookies, and the content of HTTP requests and responses)
- Scraping or clipping content from any website a user visits (including capturing a web page's data or taking screenshots)
- Using a form that collects any kind of personally identifiable information
- Having login functionality (even though you might use a third-party system, such as Google authentication), and
- Collecting information from web requests like data from a user's cloud service, emails, files, or other background activity, which accesses contacts
It's important to note that these are Google policies rather than a set of laws. Because of that fact, Google has the right to interpret its rules however it sees fit.
Therefore, experts recommend being prudent and adhering to the most conservative interpretation of Google's guidelines as possible instead of trying to look for loopholes.
What Does Sensitive or Personal Data Refer to?
Google doesn't provide a comprehensive list of data types that count as sensitive or personal data. However, it does provide numerous examples. Some of these types are decided by technology, and others due to the kind of personally identifiable information or health data they contain.
Just some examples Google provides include:
- User-generated content
- Personal communications
- Form data
- Website content and resources
- Financial and payment information
- Name, address, telephone number, username, email address
- Any government-issued ID number
- Driver's license number
- Account numbers
- Health information, including authentication data (logins, cookies, and passwords)
Privacy Policies for Chrome Extensions
According to Google, you should always include information on:
- How you collect information
- How you use that information, and
- How you disclose that information
In terms of the above, Google recommends the following:
- Always explain what kind of data your extension collects. This could include data transmitted by the extension, server and HTTP logs, and other usage information. Additionally, it might consist of data you get directly from the user, any persistent identifiers, or other data gathered through API permissions.
- You should show how you intend to use information. For instance, you might use the information to recognize a user the next time they log in or use your extension. You might use it to send promotional emails. You might also use it to provide other services.
- You should also explain under what circumstances you share data with others.
- How you store and secure information
- How long you retain that information, and
- How users can access, check, correct, or delete that information
What to Do if Your Extension Handles Sensitive or Personal Data
- Handle user information in a secure fashion and that any transmission of that data be encrypted, and
Here's an example of where Google places the link to Similar Web's extension in the Google Web Store. Note how it's placed at the bottom right of the extension's product description:
Under certain circumstances, it could well be that you might need to publish a separate, "prominent disclosure." If you handle sensitive or personal information in a way that isn't "closely related to the functionality described prominently in the Product's Chrome Web Store page and user interface," then this applies to you.
It sounds redundant, but Google wants to make sure that this prominent disclosure is seen by any potential user before you collect their data. To ensure the user sees it, Google demands that this disclosure be included in your extension's user interface.
You can ensure explicit consent by providing users with a confirmation button and a checkbox with text that states they've read and understand what you're asking of them and that they agree to your use of their data.
Principles for Compliance
- State explicitly when your extension collects information
- When relevant, state whether your product collects API permissions data
- When relevant, state whether your product directly collects data from the user
- When relevant, state whether your product collects information on how people use it
- When relevant, state whether your product collects data logs, and
- State whether your product automatically collects data, and if so, what kind
- Always state the reasons for which you collect a user's information
- Always explain how you use collected information
- Always explain how long you store a user's data. Specify whether you retain data for as long as you need it to provide a service or for a set period.
Here's what it says:
HOW IS THE DATA USED?
We collect your information during your access or use of the Extensions for the purpose of providing and improving the Services. We use your Extension Usage Data based on the necessity of such information in providing and improving the Services. We process the Communication Data based on the necessity of such information in providing you with the support you have requested. In this context, we use your information in an effort to improve our users' experience, to communicate with you about our Services, and to further develop, customize, enhance and improve the performance of our Services and Extensions.
- Always state whether you pass information on to third parties
- Explicitly state whether you sell information
- Explain how you respond to legal demands to access information
User Access to Data
- Explain how users can check the data you've collected from them
- Explain whether users can request the deletion of data, whether wholly or in part. Additionally, detail how they can make such a request and whether that request will harm their ability to use your extension
- Explain on what grounds a user can request a correction in their information if any
Secure Handling of Data
- Request only the lowest permission levels necessary for the product to provide its features and services
- Ensure that all sensitive or personal information is encrypted when transmitting it
- Sensitive or personal user information must be transmitted over secure connections (i.e., WSS, HTTPS) and stored at rest using a powerful encryption method like AES or RSA. You shouldn't use a cipher suite, which IETF blacklists
Consequences of Non-Compliance
Ultimately, if you don't follow Google's rules concerning how you handle sensitive or personal information, you'll be in breach of Google's Chrome Web Store policies.
If your product is brand new and hasn't ever been on the Web Store before, Google will automatically reject it. If you've been compliant before but fall out of compliance due to a breach of rules, Google will remove your extension until you've rectified the problem.
It's crucial to note that as of January 2021, these are the new rules (outlined below), which could cause you to fall out of compliance if you don't already meet the new requirements. In that case, your extension may or may not be removed from the Web Store until you update your product.
After January 2021, developers of Chrome extensions in the Web Store need to certify their privacy practices and data use. They need to provide information about the data their products collect "in clear and easy to understand language." Additionally, that information must be placed on the product's detail page in the Web Store.
Some of the major changes and updates made by Google forbid developers from transferring collected data to information resellers or data brokers, using data to establish a user's creditworthiness, and from selling that information. Moreover, developers must ensure that the use or transfer of information is congruent with the extension's stated purpose and that it benefits the user.
All privacy-related data must be shown within the privacy practices tab of the extension's Web Store listing.
Consequences of Failing to Comply With the New Rules
As noted above, your extension may or may not be removed from the Web Store until you comply with Google's new disclosure policies and certify that you've complied with the Limited Use Policy.
Specifically, the Chrome Web Store will say that you haven't provided any information about how you collect or use the data you collect from users. Google hasn't explicitly stated that they'll remove your app from the Web Store, but it is a possibility.
Does Any of This Matter?
Some may argue that Google's new requirements are a bit toothless since most users probably won't actually read any privacy information developers place in the privacy practices tab in the Web Store. Moreover, Google might not actually check to see if developers are telling the truth when they certify their use of data.
Still, you should never assume. Recall that Google kicked more than 500 extensions off of the Chrome Web Store at the beginning of 2020 for maliciously injecting ads into millions of Chrome installs.
Other apps have been kicked off for far less, such as simply violating the Web Store's "Use of Permissions" Policy. The Pushbullet extension found that out the hard way. As always, it's better to comply to avoid any issues that could have detrimental and lasting effects on your business.