Google's "Data Disclosure" Policy

Google's "Data Disclosure" Policy

In January 2021, Google will be providing additional information to Chrome users when they browse extensions and other products in the Chrome Web Store. This information will include a detailed description of how each extension collects, uses, and shares user data.

Google is also cracking down on how Chrome products collect and use data, including a requirement that data is only used to benefit users and a ban on using people's data for personalized advertising or credit checks.

As a Chrome developer, your job is to implement these new policies by providing Google with additional information about your product, limiting how your product handles data, and creating or updating your Privacy Policy.

This article will walk you through Google's new requirements and provide an overview of all privacy and security requirements as a Chrome developer.


Why is Google Making These Changes?

Google's new rules coincide with Apple's recent overhaul of its iOS developer policies. Tech companies have recently had some bad press over their privacy practices, and increasing transparency and good practice among developers might help them address this.

These changes come as many regions worldwide are passing new privacy laws or increasing their enforcement of existing laws, such as the California Consumer Privacy Act (CCPA) and EU General Data Protection Regulation (GDPR).

As a Chrome extension developer, you must be aware of your privacy obligations, both under the laws applying to your users and the policies of your partners, such as Google.

Project Strobe 2019 Update

Google's November 2020 policies aren't the first time it has imposed stricter rules on Chrome extension developers.

In May 2019, Google announced a set of policy changes known as "Project Strobe," which included a "root-and-branch review of third-party developer access to data."

From October 15, 2019, Chrome extension developers:

  • Were explicitly required to only request access to the minimum possible amount of user data
  • Were required to post a Privacy Policy if their extension handled:

    • Personal and sensitive user data
    • User-provided content
    • Personal communications

Google's latest announcement builds on its 2019 policy changes and imposes further rules and restrictions on Chrome developers.

Google's New Requirements

Google's New Requirements

Here are the new requirements added to Google's Developer Program Policies on November 18, 2020.

Disclosing Privacy Information

From January 18, 2021, Google will display detailed privacy information relating to each extension in the Chrome Web Store.

Here's how this will look to users browsing the store:

google-chromium-blog-transparent-privacy-practices-extensions-simplifying-users-screenshot

Google requires developers to disclose if their product handles the following types of data:

Type of data Examples (not exhaustive)
Personally identifiable information
  • Name
  • Address
  • Email address
  • Age
  • ID number
Health information
  • Heart rate data
  • Medical history
  • Symptoms
  • Diagnoses
  • Procedures
Financial and payment information
  • Transactions
  • Credit card numbers
  • Credit ratings
  • Financial statements
  • Payment history
Authentication information
  • Passwords
  • Credentials
  • Security questions
  • Personal identification number (PIN)
Personal communications
  • Emails
  • Text or chat messages
  • Social media posts
  • Conference calls
Location
  • Region
  • IP address
  • GPS coordinates
  • Information about things near the user's device
Web history
  • The list of web pages the user has visited
  • Associated data, such as page title or time or visit
User activity
  • Network monitoring
  • Clicks
  • Mouse position
  • Scroll
  • Keystroke logging
Website content
  • Text
  • Images
  • Sounds
  • Videos
  • Hyperlinks

Developers can already submit their data use information using the Developer Dashboard. Choose the "privacy" tab above your product listing to do so.

New Rules on Data Use

New Rules on Data Use

In addition to the new data disclosure requirements, developers have some new rules regarding how they handle sensitive and personal user data. These rules form part of Google's Developer Program Policies.

Here are the new rules:

  • You must only use or transfer data:

    • Primarily for the benefit of the user
    • In accordance with the stated purpose of your extension
  • You must not use or transfer user data for the purposes of:

    • Personalized advertising
    • Creditworthiness or any form of lending qualification
  • You must not transfer user data to data brokers or other information resellers
  • You must never sell user data

You'll be asked to confirm your compliance with these rules when you submit your data use information via the Developer Dashboard.

What Happens If I Ignore Google's New Rules?

You'll have to complete the data disclosure form and confirm you're complying with the new rules before January 18, 2021. If you don't, Google will display a notice in the Chrome Web Store informing users that you haven't provided the information.

Starting in March 2021, Google will begin removing products from the Chrome Web Store belonging to developers who have not completed the data disclosure form. You'll get 30 days' notice before this happens.

Chrome Developer Privacy and Security Checklist

Chrome Developer Privacy and Security Checklist

Now that we've looked at Google's new requirements, let's take an overview of your privacy and security obligations as a Chrome developer. Failing to comply with Google's policies could lead to the removal of your product from the Chrome Web Store.

Privacy Policy Requirement

Google requires that you create a Privacy Policy if your Chrome extension handles "personal and sensitive user data," which includes:

  • Personally identifiable information
  • Financial and payment information
  • Health information
  • Authentication information
  • Website content and resources
  • Form data
  • Personal communications
  • User-generated content
  • Web browsing activity data (any information about the websites or other web resources a user requests or interacts with, including the domains or URLs the browser interacts with)

See our table above for examples of some of these types of data.

You still need a Privacy Policy even if your product only handles personal and sensitive data locally, on the user's device.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":
  3. TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  4. Answer the questions about your website and click "Next step" when finished:
  5. TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  6. Answer the questions about your business practices and click "Next step" when finished:
  7. TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  8. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

Somewhat confusingly, if your product doesn't handle personal or sensitive user data, Google says you should declare this in your Privacy Policy. This implies that you need a Privacy Policy whether you handle personal or sensitive user data or not.

"Handing" personal and sensitive data means "collecting, transmitting, using, or sharing" user data. For example:

  • Allowing users to log into your product
  • Using a form to collect data
  • Clipping or scraping website content
  • Collecting web browsing history data

Google states that your Privacy Policy must "comprehensively disclose how your product collects, uses, and shares user data, including the types of parties with whom it's shared."

Over and above Google's requirements, your Privacy Policy must comply with the laws of the regions in which your users reside.

Here are some examples of privacy laws that require companies to create a Privacy Policy:

  • United States: California Online Privacy Protection Act (CalOPPA) and California Consumer Privacy Act (CCPA)
  • European Union and European Economic Area: General Data Protection Regulation (GDPR)
  • United Kingdom: GDPR and Data Protection Act 2018
  • Canada: Personal Information Protection and Electronic Documents Acts (PIPEDA)
  • Australia: Privacy Act 1988
  • South Africa: Protection of Personal Information Act (POPI Act)
  • Brasil: Lei Geral de Proteção de Dados (LGPD)

The requirements for your Privacy Policy will vary depending on which laws apply to your business. At a minimum, your Privacy Policy should include:

  • Contact details for your business
  • An explanation of what personal information you collect
  • A list of any third parties with whom you share personal information
  • An explanation of whether your extension tracks users' online activity
  • An explanation of how your customers can request access to their personal information

Prominent Disclosure Requirement

Google's "prominent disclosure requirement" applies if your product handles personal and sensitive data in a way that "is not closely related to the functionality" of your product as described in the Chrome Web Store and your product's user interface.

Under the prominent disclosure requirement, you must display a notice in your app's interface that describes:

  • The types of personal or sensitive user data your product collects and uses
  • How you will use each type of data

You must also request consent for your collection and use of this data.

Google has certain rules regarding your prominent disclosure:

  • The prominent disclosure must occur within the product interface so that the user can see it easily.
  • A disclosure appearing in the Chrome Web Store or your Privacy Policy alone will not satisfy Google's prominent disclosure requirements.
  • The prominent disclosure must ask the user to "take a specific action clearly agreeing to the disclosure" before you collect or use the user's data.

Google provides some examples of products that would require a prominent disclosure:

  • "An extension whose sole marketed purpose is adding themes to popular social media sites, but also anonymously scrapes the number of friends a user has, for sale or research purposes."

    • The product handles uses personal or sensitive data (website content and resources)
    • This use of data is not closely related to its main functionality (adding social media themes)
  • "An extension, app, or hosted app that handles an email address for login purposes and also provides that email address to others for the others' marketing purposes."

    • The product handles personal or sensitive data (website content and resources)
    • This use of data is not closely related to its main functionality (logging into websites)

The following examples would not meet the prominent disclosure requirements:

  • "An extension, app, or hosted app collects and transmits anonymous usage information about how frequently users click on or see various user interface elements of the Product."

    • The product doesn't handle personal or sensitive data
  • "An extension whose sole marketed purpose is to sync a user's browser history to a central service."

    • The product uses personal and sensitive data only for its stated purpose

Rules on Handling Personal and Sensitive Information

Rules on Handling Personal and Sensitive Information

Google's "limited use requirement" limits how developers collect and use data. It contains four basic rules:

  1. You may only request access to personal or sensitive data to provide or improve your product's "single purpose" or "user-facing features."
  2. You may only transfer personal or sensitive data to a third party if:

    1. It is necessary in order to fulfil your product's single purpose
    2. You are legally required to do so
    3. It is necessary for security purposes
    4. You are doing so as part of a merger, acquisition, or sale of your assets
  3. You may not use or sell personal or sensitive data for personalized advertising.
  4. You may not allow a human to read personal or sensitive data unless:

    1. You have the user's consent
    2. You are legally required to do so
    3. It is necessary for security purposes
    4. You have aggregated and anonymized the data are are using it for internal purposes

Security Requirement

Google states that developers must "handle (personal and sensitive) user data securely, including transmitting it via modern cryptography."

Handling data securely means encrypting all transmissions of personal and sensitive user data. Google further recommends you encrypt all transmissions of any data. You should transmit data over a secure connection, such as HTTPS or WSS.

You must also store personal and sensitive user data securely. This means encrypting it at rest using a strong encryption protocol, such as RSA or AES.

You must not encrypt data using any cipher suite on the Internet and Engineering Task Force (IETF) blacklist, found at Appendix A of the Hypertext Transfer Protocol Version 2 (HTTP/2) standard.

Additional Rules for Certain Types of Data

Additional Rules for Certain Types of Data

Google has a couple of additional rules regarding personal and sensitive data:

  • Don't publicly disclose the following types of data:

    • Financial or payment information
    • Authentication information
  • Don't use web browsing history data unless required to do so for a "user-facing feature" described prominently in the Chrome Web Store and your product's user interface

Summary

To comply with Google's privacy and security requirements for developers of products in the Chrome Web Store you must:

  • Provide information about what user data your product collects
  • Agree with Google's new rules on data use
  • Create a Privacy Policy
  • Provide a prominent disclosure if required
  • Only request access to data required to fulfill your app's single purpose
  • Obey Google's rules limiting how you collect and transmit personal and service user data
  • Ensure you handle personal and sensitive user data securely by encrypting it in transit and at rest
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.