Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
In January 2021, Google will be providing additional information to Chrome users when they browse extensions and other products in the Chrome Web Store. This information will include a detailed description of how each extension collects, uses, and shares user data.
Google is also cracking down on how Chrome products collect and use data, including a requirement that data is only used to benefit users and a ban on using people's data for personalized advertising or credit checks.
This article will walk you through Google's new requirements and provide an overview of all privacy and security requirements as a Chrome developer.
Google's new rules coincide with Apple's recent overhaul of its iOS developer policies. Tech companies have recently had some bad press over their privacy practices, and increasing transparency and good practice among developers might help them address this.
These changes come as many regions worldwide are passing new privacy laws or increasing their enforcement of existing laws, such as the California Consumer Privacy Act (CCPA) and EU General Data Protection Regulation (GDPR).
As a Chrome extension developer, you must be aware of your privacy obligations, both under the laws applying to your users and the policies of your partners, such as Google.
Google's November 2020 policies aren't the first time it has imposed stricter rules on Chrome extension developers.
In May 2019, Google announced a set of policy changes known as "Project Strobe," which included a "root-and-branch review of third-party developer access to data."
From October 15, 2019, Chrome extension developers:
Google's latest announcement builds on its 2019 policy changes and imposes further rules and restrictions on Chrome developers.
Here are the new requirements added to Google's Developer Program Policies on November 18, 2020.
From January 18, 2021, Google will display detailed privacy information relating to each extension in the Chrome Web Store.
Here's how this will look to users browsing the store:
Google requires developers to disclose if their product handles the following types of data:
|Type of data||Examples (not exhaustive)|
|Personally identifiable information||
|Financial and payment information||
Developers can already submit their data use information using the Developer Dashboard. Choose the "privacy" tab above your product listing to do so.
In addition to the new data disclosure requirements, developers have some new rules regarding how they handle sensitive and personal user data. These rules form part of Google's Developer Program Policies.
Here are the new rules:
You must only use or transfer data:
You must not use or transfer user data for the purposes of:
You'll be asked to confirm your compliance with these rules when you submit your data use information via the Developer Dashboard.
You'll have to complete the data disclosure form and confirm you're complying with the new rules before January 18, 2021. If you don't, Google will display a notice in the Chrome Web Store informing users that you haven't provided the information.
Starting in March 2021, Google will begin removing products from the Chrome Web Store belonging to developers who have not completed the data disclosure form. You'll get 30 days' notice before this happens.
Now that we've looked at Google's new requirements, let's take an overview of your privacy and security obligations as a Chrome developer. Failing to comply with Google's policies could lead to the removal of your product from the Chrome Web Store.
See our table above for examples of some of these types of data.
"Handing" personal and sensitive data means "collecting, transmitting, using, or sharing" user data. For example:
Google's "prominent disclosure requirement" applies if your product handles personal and sensitive data in a way that "is not closely related to the functionality" of your product as described in the Chrome Web Store and your product's user interface.
Under the prominent disclosure requirement, you must display a notice in your app's interface that describes:
You must also request consent for your collection and use of this data.
Google has certain rules regarding your prominent disclosure:
Google provides some examples of products that would require a prominent disclosure:
"An extension whose sole marketed purpose is adding themes to popular social media sites, but also anonymously scrapes the number of friends a user has, for sale or research purposes."
"An extension, app, or hosted app that handles an email address for login purposes and also provides that email address to others for the others' marketing purposes."
The following examples would not meet the prominent disclosure requirements:
"An extension, app, or hosted app collects and transmits anonymous usage information about how frequently users click on or see various user interface elements of the Product."
"An extension whose sole marketed purpose is to sync a user's browser history to a central service."
Google's "limited use requirement" limits how developers collect and use data. It contains four basic rules:
You may only transfer personal or sensitive data to a third party if:
You may not allow a human to read personal or sensitive data unless:
Google states that developers must "handle (personal and sensitive) user data securely, including transmitting it via modern cryptography."
Handling data securely means encrypting all transmissions of personal and sensitive user data. Google further recommends you encrypt all transmissions of any data. You should transmit data over a secure connection, such as HTTPS or WSS.
You must also store personal and sensitive user data securely. This means encrypting it at rest using a strong encryption protocol, such as RSA or AES.
You must not encrypt data using any cipher suite on the Internet and Engineering Task Force (IETF) blacklist, found at Appendix A of the Hypertext Transfer Protocol Version 2 (HTTP/2) standard.
Google has a couple of additional rules regarding personal and sensitive data:
Don't publicly disclose the following types of data:
To comply with Google's privacy and security requirements for developers of products in the Chrome Web Store you must:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022