26 March 2021
There are now specific rules regarding privacy and data handling, which you need to comply with to make your extension available on the Google Chrome Web Store.
Back at the beginning of 2019, Google made two significant announcements concerning its expectations regarding how Chrome extension developers must safeguard their users' privacy. In October of that year, Google expanded those requirements, so that extension developers also need to post Privacy Policies.
Google updated its policy for extensions for Chrome yet again in November of 2020, with new changes that went into effect in January 2021.
In the article below, we'll discuss how Google's Chrome extension rules may apply to you and how you can satisfy them.
To be clear, under Google's rules, the term "product" refers to:
According to Google, "handling data" refers specifically to "collecting, transmitting, using or sharing user data."
It's important to note that these are Google policies rather than a set of laws. Because of that fact, Google has the right to interpret its rules however it sees fit.
Therefore, experts recommend being prudent and adhering to the most conservative interpretation of Google's guidelines possible instead of trying to look for loopholes.
Google doesn't provide a comprehensive list of data types that count as sensitive or personal data. However, it does provide numerous examples. Some of these types are defined by technology, and others by the kind of personally identifiable information or health data they contain.
Some of the examples Google provides include:
According to Google, you should always include information on:
In terms of the above, Google recommends the following:
Here's an example of where Google places the link to Similar Web's extension in the Google Web Store. Note how it's placed at the bottom right of the extension's product description:
Under certain circumstances, you may need to publish a separate "prominent disclosure." If you handle sensitive or personal information in a way that isn't "closely related to the functionality described prominently in the Product's Chrome Web Store page and user interface," then this applies to you.
It sounds redundant, but Google wants to make sure that this prominent disclosure is seen by any potential user before you collect their data. To ensure the user sees it, Google demands that this disclosure be included in your extension's user interface.
You can ensure explicit consent by providing users with a confirmation button and a checkbox with text that states they've read and understand what you're asking of them and that they agree to your use of their data.
Here's what it says:
HOW IS THE DATA USED?
We collect your information during your access or use of the Extensions for the purpose of providing and improving the Services. We use your Extension Usage Data based on the necessity of such information in providing and improving the Services. We process the Communication Data based on the necessity of such information in providing you with the support you have requested. In this context, we use your information in an effort to improve our users' experience, to communicate with you about our Services, and to further develop, customize, enhance and improve the performance of our Services and Extensions.
Ultimately, if you don't follow Google's rules concerning how you handle sensitive or personal information, you'll be in breach of Google's Chrome Web Store policies.
If your product is brand new and hasn't ever been on the Web Store before, Google will automatically reject it. If you've been compliant before but fall out of compliance due to a breach of rules, Google will remove your extension until you've rectified the problem.
It's crucial to note that as of January 2021, new rules (outlined below) apply, which could cause you to fall out of compliance if you don't already meet the new requirements. In that case, your extension may or may not be removed from the Web Store until you update your product.
After January 2021, developers of Chrome extensions in the Web Store need to certify their privacy practices and data use. They need to provide information about the data their products collect "in clear and easy to understand language." Additionally, that information must be placed on the product's detail page in the Web Store.
Some of the major changes and updates made by Google forbid developers from transferring collected data to information resellers or data brokers, from using data to establish a user's creditworthiness, and from selling that information. Moreover, developers must ensure that the use or transfer of information is congruent with the extension's stated purpose and that it benefits the user.
All privacy-related data must be shown within the privacy practices tab of the extension's Web Store listing.
As noted above, your extension may or may not be removed from the Web Store until you comply with Google's new disclosure policies and certify that you've complied with the Limited Use Policy.
Specifically, the Chrome Web Store will say that you haven't provided any information about how you collect or use the data you collect from users. Google hasn't explicitly stated that they'll remove your app from the Web Store, but it is a possibility.
Some may argue that Google's new requirements are a bit toothless since most users probably won't actually read any privacy information developers place in the privacy practices tab in the Web Store. Moreover, Google might not actually check to see if developers are telling the truth when they certify their use of data.
Still, you should never assume. Recall that Google kicked more than 500 extensions off of the Chrome Web Store at the beginning of 2020 for maliciously injecting ads into millions of Chrome installs.
Other apps have been kicked off for far less, such as simply violating the Web Store's "Use of Permissions" Policy. The Pushbullet extension found that out the hard way. As always, it's better to comply to avoid any issues that could have detrimental and lasting effects on your business.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.