There are specific rules regarding privacy and data handling that you need to comply with to make your extension available on the Google Chrome Web Store.
Back at the beginning of 2019, Google made two significant announcements concerning its expectations regarding how Chrome extension developers must safeguard their users' privacy. In October of that year, Google expanded those requirements, so that extension developers also need to post Privacy Policies.
Google updated its policy for extensions for Chrome yet again in November of 2020, with new changes that went into effect in January 2021.
In the article below, we'll discuss how Google's Chrome extension rules may apply to you and how you can satisfy them.
Google's new rules apply to you if your extension handles personal or sensitive information and you want to have your product in the Google Chrome store. If that's the case, you must ensure user data security, and you must post a Privacy Policy.
To be clear, under Google's rules, the term "product" refers to:
According to Google, "handling data" refers specifically to "collecting, transmitting, using or sharing user data."
Examples include:
It's important to note that these are Google policies rather than a set of laws. Because of that fact, Google has the right to interpret its rules however it sees fit.
Therefore, experts recommend being prudent and adhering to as conservative an interpretation of Google's guidelines as possible instead of looking for loopholes.
Google doesn't provide a comprehensive list of data types that count as sensitive or personal data. However, it does provide numerous examples. Some of these types are defined by the technology involved, and others by the kind of personally identifiable information or health data they contain.
Just some examples Google provides include:
If your extension doesn't collect and store these types of sensitive or personal data, then Google doesn't demand that you publish a Privacy Policy. However, it's highly advisable that you do so, as laws in some areas (such as within the European Union) may demand it regardless of Google's policies.
One piece of guidance Google suggests is that if you decide to publish a Privacy Policy but do not handle these types of data, you state clearly within the policy that you don't handle personal or sensitive information.
Just as Google doesn't provide a comprehensive list of sensitive or personal data types, it also does not give specifics on what must be included in your Privacy Policy. However, it does provide guidelines.
According to Google, you should always include information on:
Here's a clause that demonstrates how you can disclose how you collect and use information:
This clause outlines how information is shared/disclosed:
In terms of the above, Google recommends the following:
According to many laws, including Europe's General Data Protection Regulation (GDPR), your Privacy Policy actually should include a lot more information than what Google demands.
In other words, you might put together a privacy policy that is Google compliant, but that doesn't meet the demands of most privacy legislation in the world today.
For instance, some things the GDPR demands be included in a Privacy Policy, but that Google doesn't, are the following:
In addition to including a Privacy Policy in your extension, Google demands that you:
Here's an example of where the Privacy Policy link for SimilarWeb's extension is placed in the Chrome Web Store. Note how it's placed at the bottom right of the extension's product description:
Under certain circumstances, you may also need to publish a separate "prominent disclosure." If you handle sensitive or personal information in a way that isn't "closely related to the functionality described prominently in the Product's Chrome Web Store page and user interface," then this applies to you.
Here's information from Google on this, with some examples:
In effect, what this is talking about is a situation in which you collect, use, or share information in a way that's not entirely transparent and obvious. It's fundamentally the same information you'd place in your Privacy Policy but stripped down to its bare essentials.
It sounds redundant, but Google wants to make sure that this prominent disclosure is seen by any potential user before you collect their data. To ensure the user sees it, Google demands that this disclosure be included in your extension's user interface.
Moreover, in the same fashion that the EU's GDPR demands that you obtain explicit user consent for the use of cookies, Google also demands that you obtain the user's explicit consent to your use of their data.
You can ensure explicit consent by providing users with a confirmation button and a checkbox with text stating that they've read and understood what you're asking of them and that they agree to your use of their data.
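The consent gate described above, as an added example that is not part of the original article: data collection is refused until the disclosure has been shown, the acknowledgement checkbox ticked and the confirm button clicked, and a consent record from an older disclosure version is treated as invalid so the user is re-prompted. The DOM and `chrome.storage` wiring of a real extension are left out, and `DISCLOSURE_VERSION` is an assumed constant.

```javascript
// Added example: consent gate logic for a Chrome extension's prominent
// disclosure. Pure functions so it runs stand-alone without the DOM.

// Assumption: bump this whenever the disclosure text changes, so that
// consent given to an older disclosure no longer counts.
const DISCLOSURE_VERSION = 2;

// Fresh state before the disclosure UI has been rendered.
function createConsentState() {
  return { disclosureShown: false, acknowledged: false, consent: null };
}

// Call when the disclosure text is actually rendered to the user.
function showDisclosure(state) {
  return { ...state, disclosureShown: true };
}

// Checkbox handler: "I have read and understand the above".
function setAcknowledged(state, checked) {
  return { ...state, acknowledged: Boolean(checked) };
}

// Confirm-button handler: records consent only if the disclosure was
// shown AND the checkbox was ticked; otherwise explains the refusal.
function confirmConsent(state, nowMs) {
  if (!state.disclosureShown) {
    return { ok: false, state, reason: 'disclosure not shown' };
  }
  if (!state.acknowledged) {
    return { ok: false, state, reason: 'checkbox not ticked' };
  }
  const consent = { version: DISCLOSURE_VERSION, at: nowMs };
  return { ok: true, state: { ...state, consent } };
}

// True only for a consent record matching the current disclosure version;
// a stale record (e.g. loaded from storage after a text change) is invalid.
function hasValidConsent(state) {
  return state.consent !== null && state.consent.version === DISCLOSURE_VERSION;
}

// Gate every collection/transmission path through this: returns the
// payload to send, or null when the data must not be collected.
function collectIfPermitted(state, payload) {
  return hasValidConsent(state) ? payload : null;
}
```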
To ensure compliance across the board, there are a few things you should always ensure that your Privacy Policy covers. Let's look at them one at a time.
Here's an example of a clause that addresses these points:
See how SimilarWeb's extension outlines its use of user data in its Privacy Policy below:
Here's what it says:
HOW IS THE DATA USED?
We collect your information during your access or use of the Extensions for the purpose of providing and improving the Services. We use your Extension Usage Data based on the necessity of such information in providing and improving the Services. We process the Communication Data based on the necessity of such information in providing you with the support you have requested. In this context, we use your information in an effort to improve our users' experience, to communicate with you about our Services, and to further develop, customize, enhance and improve the performance of our Services and Extensions.
Here's another example:
Here's how this can be done, in a detailed clause:
This may be a user rights clause, like the following:
There are a few technical steps that Google requires of all extensions that handle sensitive and personal information. In addition to posting a Privacy Policy, you'll need to:
Ultimately, if you don't follow Google's rules concerning how you handle sensitive or personal information, you'll be in breach of Google's Chrome Web Store policies.
If your product is brand new and hasn't ever been on the Web Store before, Google will automatically reject it. If you've been compliant before but fall out of compliance due to a breach of rules, Google will remove your extension until you've rectified the problem.
It's crucial to note that new rules (outlined below) took effect in January 2021; if you don't already meet the new requirements, you could fall out of compliance. In that case, your extension may or may not be removed from the Web Store until you update your product.
After January 2021, developers of Chrome extensions in the Web Store need to certify their privacy practices and data use. They need to provide information about the data their products collect "in clear and easy to understand language." Additionally, that information must be placed on the product's detail page in the Web Store.
Some of the major changes and updates made by Google forbid developers from transferring collected data to information resellers or data brokers, from using data to establish a user's creditworthiness, and from selling that information. Moreover, developers must ensure that any use or transfer of information is consistent with the extension's stated purpose and benefits the user.
All privacy-related data must be shown within the privacy practices tab of the extension's Web Store listing.
As noted above, your extension may or may not be removed from the Web Store until you comply with Google's new disclosure policies and certify that you've complied with the Limited Use Policy.
Specifically, the Chrome Web Store will say that you haven't provided any information about how you collect or use the data you collect from users. Google hasn't explicitly stated that they'll remove your app from the Web Store, but it is a possibility.
Some may argue that Google's new requirements are a bit toothless since most users probably won't actually read any privacy information developers place in the privacy practices tab in the Web Store. Moreover, Google might not actually check to see if developers are telling the truth when they certify their use of data.
Still, you should never assume that. Recall that Google kicked more than 500 extensions off of the Chrome Web Store at the beginning of 2020 for maliciously injecting ads into millions of Chrome installs.
Other apps have been kicked off for far less, such as simply violating the Web Store's "Use of Permissions" Policy. The Pushbullet extension found that out the hard way. As always, it's better to comply to avoid any issues that could have detrimental and lasting effects on your business.