Google Chrome Extensions Requirements for Privacy Policy & Secure Handling

There are now specific rules regarding privacy and data handling, which you need to comply with to make your extension available on the Google Chrome Web Store.

Back at the beginning of 2019, Google made two significant announcements concerning its expectations regarding how Chrome extension developers must safeguard their users' privacy. In October of that year, Google expanded those requirements, so that extension developers also need to post Privacy Policies.

Google updated its policy for extensions for Chrome yet again in November of 2020, with new changes that went into effect in January 2021.

In the article below, we'll discuss how Google's Chrome extension rules may apply to you and how you can satisfy them.


Do Google's Rules Apply to You?

Google's new rules apply to you if your extension handles personal or sensitive information and you want to have your product in the Google Chrome store. If that's the case, you must ensure user data security, and you must post a Privacy Policy.

To be clear, under Google's rules, the term "product" refers to:

  • Apps for the Google Chrome operating system, and
  • Extensions for the Chrome browser

What Does Handling Data Refer to?

According to Google, "handling data" refers specifically to "collecting, transmitting, using or sharing user data."

Examples include:

  • Collecting any data about the resources or website content that a user requests or interacts with (this includes URLs or domains the browser interacts with, the information in a website's browser storage, such as cookies, and the content of HTTP requests and responses)
  • Scraping or clipping content from any website a user visits (including capturing a web page's data or taking screenshots)
  • Using a form that collects any kind of personally identifiable information
  • Having login functionality (even though you might use a third-party system, such as Google authentication), and
  • Collecting information from web requests, such as data from a user's cloud service, emails, or files, or through other background activity that accesses contacts

It's important to note that these are Google policies rather than a set of laws. Because of that fact, Google has the right to interpret its rules however it sees fit.

Therefore, experts recommend being prudent and adhering to the most conservative interpretation of Google's guidelines possible instead of trying to look for loopholes.

What Does Sensitive or Personal Data Refer to?

Google doesn't provide a comprehensive list of data types that count as sensitive or personal data. However, it does provide numerous examples. Some of these types are defined by the technology involved, and others by the kind of personally identifiable information or health data they contain.

Just some examples Google provides include:

  • User-generated content
  • Personal communications
  • Form data
  • Website content and resources
  • Financial and payment information
  • Name, address, telephone number, username, email address
  • Any government-issued ID number
  • Driver's license number
  • Account numbers
  • Health information, including authentication data (logins, cookies, and passwords)

If your extension doesn't collect and store these types of sensitive or personal data, then Google doesn't demand that you publish a Privacy Policy. However, it's highly advisable that you do so as laws in some areas (such as within the European Union) may demand it regardless of Google's policies.

One piece of guidance Google suggests is that if you decide to publish a Privacy Policy but do not handle these types of data, you state clearly within the policy that you don't handle personal or sensitive information.

Privacy Policies for Chrome Extensions

Just as Google doesn't provide a comprehensive list of sensitive or personal data types, it also does not give specifics on what must be included in your Privacy Policy. However, it does provide guidelines.

According to Google, you should always include information on:

  • How you collect information
  • How you use that information, and
  • How you disclose that information

In terms of the above, Google recommends the following:

  • Always explain what kind of data your extension collects. This could include data transmitted by the extension, server and HTTP logs, and other usage information. Additionally, it might consist of data you get directly from the user, any persistent identifiers, or other data gathered through API permissions.
  • You should show how you intend to use information. For instance, you might use the information to recognize a user the next time they log in or use your extension. You might use it to send promotional emails. You might also use it to provide other services.
  • You should also explain under what circumstances you share data with others.

According to many laws, including Europe's General Data Protection Regulation (GDPR), your Privacy Policy actually should include a lot more information than what Google demands.

In other words, you might put together a privacy policy that is Google compliant, but that doesn't meet the demands of most privacy legislation in the world today.

For instance, some things the GDPR demands be included in a Privacy Policy, but that Google doesn't, are the following:

  • How you store and secure information
  • How long you retain that information, and
  • How users can access, check, correct, or delete that information

What to Do if Your Extension Handles Sensitive or Personal Data

In addition to including a Privacy Policy in your extension, Google demands that you:

  • Handle user information in a secure fashion and encrypt any transmission of that data, and
  • Post your Privacy Policy in the Chrome Web Store Developer Dashboard

Here's an example of where Google places the Privacy Policy link for SimilarWeb's extension in the Chrome Web Store. Note how it's placed at the bottom right of the extension's product description:

[Image: SimilarWeb Chrome Extension Store listing with Privacy Policy link highlighted]

Under certain circumstances, you might need to publish a separate "prominent disclosure." If you handle sensitive or personal information in a way that isn't "closely related to the functionality described prominently in the Product's Chrome Web Store page and user interface," then this applies to you.

In effect, what this is talking about is a situation in which you collect, use, or share information in a way that's not entirely transparent and obvious. It's fundamentally the same information you'd place in your Privacy Policy but stripped down to its bare essentials.

It sounds redundant, but Google wants to make sure that this prominent disclosure is seen by any potential user before you collect their data. To ensure the user sees it, Google demands that this disclosure be included in your extension's user interface.

Moreover, in the same fashion that the EU's GDPR demands that you obtain explicit user consent for the use of cookies, Google also demands that you acquire explicit confirmation from the user that they agree to your use of their data.

You can ensure explicit consent by providing users with a confirmation button and a checkbox with text that states they've read and understand what you're asking of them and that they agree to your use of their data.

Principles for Compliance

To ensure compliance across the board, there are a few things you should always ensure that your Privacy Policy covers. Let's look at them one at a time.

Collecting Information

  • State explicitly when your extension collects information
  • When relevant, state whether your product collects API permissions data
  • When relevant, state whether your product directly collects data from the user
  • When relevant, state whether your product collects information on how people use it
  • When relevant, state whether your product collects data logs, and
  • State whether your product automatically collects data, and if so, what kind

Using Information

  • Always state the reasons for which you collect a user's information
  • Always explain how you use collected information
  • Always explain how long you store a user's data. Specify whether you retain data for as long as you need it to provide a service or for a set period.

See how SimilarWeb's extension outlines its use of user data in its Privacy Policy below:

[Image: SimilarWeb Privacy Policy: How is the Data Used clause]

Here's what it says:

HOW IS THE DATA USED?

We collect your information during your access or use of the Extensions for the purpose of providing and improving the Services. We use your Extension Usage Data based on the necessity of such information in providing and improving the Services. We process the Communication Data based on the necessity of such information in providing you with the support you have requested. In this context, we use your information in an effort to improve our users' experience, to communicate with you about our Services, and to further develop, customize, enhance and improve the performance of our Services and Extensions.

Disclosing Information

  • Always state whether you pass information on to third parties
  • Explicitly state whether you sell information
  • Explain how you respond to legal demands to access information

User Access to Data

  • Explain how users can check the data you've collected from them
  • Explain whether users can request the deletion of data, whether wholly or in part. Additionally, detail how they can make such a request and whether that request will harm their ability to use your extension
  • Explain on what grounds a user can request a correction in their information if any

Secure Handling of Data

There are a few technical steps that Google requires of all extensions that handle sensitive and personal information. In addition to posting a Privacy Policy, you'll need to:

  • Request only the lowest permission levels necessary for the product to provide its features and services
  • Ensure that all sensitive or personal information is encrypted when transmitting it
  • Transmit sensitive or personal user information over secure connections (i.e., WSS, HTTPS) and store it at rest using a powerful encryption method like AES or RSA. Don't use a cipher suite that the IETF blacklists
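
The permission and transport requirements above can be checked mechanically before you submit an extension. The following is an added example, not code from Google or from this article's author: it flags overly broad host access in a manifest and any endpoint that is not HTTPS or WSS. The sample manifest, the endpoint list, and the rule names are constructed for illustration.

```javascript
// Added example: pre-submission audit for least-privilege host access and secure transport.
// Rule names and sample data are hypothetical; manifest keys are standard Chrome manifest fields.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SECURE_SCHEMES = new Set(['https:', 'wss:']);

// Collect every host match pattern the manifest requests (MV2 and MV3 layouts).
function requestedPatterns(manifest) {
  const isPattern = (p) => p === '<all_urls>' || p.includes('://');
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter(isPattern), // MV2 mixes hosts into "permissions"
    ...fromScripts,
  ];
}

// endpoints: URLs the extension sends user data to (supplied by the developer).
function auditExtension(manifest, endpoints) {
  const findings = [];
  for (const pattern of requestedPatterns(manifest)) {
    if (BROAD_PATTERNS.has(pattern)) {
      findings.push({ rule: 'broad-host-access', value: pattern });
    }
  }
  for (const endpoint of endpoints) {
    let scheme;
    try {
      scheme = new URL(endpoint).protocol;
    } catch {
      findings.push({ rule: 'unparseable-endpoint', value: endpoint });
      continue;
    }
    if (!SECURE_SCHEMES.has(scheme)) {
      findings.push({ rule: 'cleartext-transport', value: endpoint });
    }
  }
  return findings;
}

// Constructed sample input.
const sampleManifest = {
  manifest_version: 3,
  permissions: ['storage', 'tabs'],
  host_permissions: ['<all_urls>', 'https://api.example.com/*'],
  content_scripts: [{ matches: ['https://*.example.com/*'], js: ['content.js'] }],
};
const sampleEndpoints = ['https://api.example.com/v1/sync', 'ws://live.example.com/feed', 'http://collect.example.com/log'];

console.log(auditExtension(sampleManifest, sampleEndpoints));
```

An empty result means no broad host pattern and no cleartext endpoint was found; it says nothing about encryption at rest, which has to be reviewed separately.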

Consequences of Non-Compliance

Ultimately, if you don't follow Google's rules concerning how you handle sensitive or personal information, you'll be in breach of Google's Chrome Web Store policies.

If your product is brand new and hasn't ever been on the Web Store before, Google will automatically reject it. If you've been compliant before but fall out of compliance due to a breach of rules, Google will remove your extension until you've rectified the problem.

It's crucial to note that new rules (outlined below) took effect in January 2021, and they could cause you to fall out of compliance if you don't already meet the new requirements. In that case, your extension may or may not be removed from the Web Store until you update your product.

Google's Privacy Policy & Secure Handling Update

After January 2021, developers of Chrome extensions in the Web Store need to certify their privacy practices and data use. They need to provide information about the data their products collect "in clear and easy to understand language." Additionally, that information must be placed on the product's detail page in the Web Store.

Some of the major changes and updates made by Google forbid developers from transferring collected data to information resellers or data brokers, from using data to establish a user's creditworthiness, and from selling that information. Moreover, developers must ensure that the use or transfer of information is congruent with the extension's stated purpose and that it benefits the user.

All privacy-related data must be shown within the privacy practices tab of the extension's Web Store listing.

Consequences of Failing to Comply With the New Rules

As noted above, your extension may or may not be removed from the Web Store until you comply with Google's new disclosure policies and certify that you've complied with the Limited Use Policy.

Specifically, the Chrome Web Store will say that you haven't provided any information about how you collect or use the data you collect from users. Google hasn't explicitly stated that they'll remove your app from the Web Store, but it is a possibility.

Does Any of This Matter?

Some may argue that Google's new requirements are a bit toothless since most users probably won't actually read any privacy information developers place in the privacy practices tab in the Web Store. Moreover, Google might not actually check to see if developers are telling the truth when they certify their use of data.

Still, you should never assume. Recall that Google kicked more than 500 extensions off of the Chrome Web Store at the beginning of 2020 for maliciously injecting ads into millions of Chrome installs.

Other apps have been kicked off for far less, such as simply violating the Web Store's "Use of Permissions" Policy. The Pushbullet extension found that out the hard way. As always, it's better to comply to avoid any issues that could have detrimental and lasting effects on your business.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.