If you're a developer or a business that wants to create extensions for popular browsers like Chrome, Safari, or Mozilla Firefox, you'll need to put the user's privacy at the forefront. Even though browser extensions don't collect a significant amount of user data, they still fall under scrutiny by regulatory bodies worldwide and have to follow the guidelines of the browser store you'll publish them on.
Failure to comply with data collection regulations can result in severe consequences, including hefty fines, app or web store removal, and potentially irreparable damage to your reputation.
In this guide, we'll talk about the legalities surrounding a browser extension's Privacy Policy, clarify when it's mandatory, outline the essential information you should add to it, and indicate where you should place a Privacy Policy when publishing your browser extension.
A Privacy Policy is a legal document outlining how your company handles user data. It clarifies how a consumer's information is collected, used, and protected when they interact with your extension.
A well-crafted and legally compliant Privacy Policy typically needs to include:
Publishing a Privacy Policy that outlines your company's data collection and handling practices isn't just a requirement of the third-party browser stores; it is also a legal requirement.
However, there isn't just one single law that requires companies to have a Privacy Policy. This requirement is, instead, declared in various US state laws and global privacy laws. Which of these laws your company needs to follow depends on where your company is located, what data it collects, and how it uses that data.
This means that simply complying with a third-party browser's requirements may not be enough. You may also need to comply with requirements of the Federal Trade Commission (FTC), the General Data Protection Regulation (GDPR) of the European Union (EU), and various US state laws like the California Consumer Privacy Act (CCPA) when creating a Privacy Policy for your browser extension.
It's highly recommended to have a compliant Privacy Policy if your extension collects any of the following data:
If your extension doesn't collect any user data, you likely wouldn't be legally required to have a Privacy Policy. However, the third-party browser you plan to publish your extension on might require a Privacy Policy nevertheless.
Here's what Google's guide for Privacy Policy for web-store extensions says regarding this:
DuckDuckGo is a search engine that keeps its users' privacy at the forefront. Even though it doesn't collect user data, it has a Privacy Policy page that states this.
Every major third-party browser store has specific privacy requirements for every extension published on its store to ensure transparency and user trust on its platforms. Let's look at the requirements of some of the major browsers.
In 2019, Google announced that extension developers would now need to post Privacy Policies. To help developers create compliant Privacy Policies, it also provided a detailed guide on creating privacy disclosures for extensions.
As per Google, the Privacy Policy must be "accurate" and "up-to-date."
Accuracy in a Privacy Policy refers to how transparent you are with your users regarding the collection of their data in your extension. An accurate Privacy Policy should truthfully state every aspect of the data collected without hiding anything or presenting vague or misleading statements.
Keeping your browser extension's Privacy Policy up to date with the newest laws and acts is also important and required by Google.
On the Chrome Web Store, developers publish their extensions using the Developer Dashboard. Here, you'll have to fill in the privacy fields, where Google requires you to add the following information:
This information includes what data is collected and examples of said data. Everything else, including how the collected data is handled and whether this information is shared with any third parties, will be disclosed separately on your company's main Privacy Policy page. You'll also be required to provide a link to your Privacy Policy page in this section.
Grammarly's Chrome Web Store page includes the types of data it collects in the privacy section, along with a link to the detailed Privacy Policy on its website.
Similar to Chrome, Mozilla requires all add-ons to have a clear, concise, and easily accessible Privacy Policy. However, there are some key differences.
The add-on needs to provide a to-the-point Privacy Policy on its product page in the "More Information" section. This Privacy Policy has to be the complete text that applies to your extension, not just a link to an externally hosted Privacy Policy. Once that's done, you may additionally provide a link to your broader company Privacy Policy.
Additionally, you'll also need to provide your consumer with a summary of your add-on's Privacy Policy in the description of the product page.
Privacy Badger is a popular add-on that blocks tracking cookies automatically. On its product page, it provides the full text of its Privacy Policy relevant to this extension, along with a link to its broader Privacy Policy which contains all the extra information.
Apple's App Store Review Guidelines apply to Safari extensions as well and have a section dedicated to legal requirements concerning data privacy.
Much like Chrome, Apple also requires developers to inform users about the data their extension will collect, including examples of said data, and to provide a link to the official Privacy Policy.
Hyperweb is a Safari extension that shares the types of data it collects from users on the app page and also provides a link to its detailed Privacy Policy.
A well-written Privacy Policy fosters user trust and demonstrates your commitment to data privacy. Google, in its guidelines, states that a Privacy Policy must disclose the following:
If your extension collects a lot of user data, it's always recommended that you create a Privacy Policy that meets all the requirements of both privacy laws and the third-party browser stores.
In this section, we will go over the key clauses you should include in your extension's Privacy Policy.
As per Google's guidelines and privacy laws like GDPR and CCPA, your browser extension's Privacy Policy must list all the types of data it collects. It also needs to indicate why the mentioned data is collected.
Types of data that you may include could be any of the following:
Sider AI, a GPT extension on the Chrome Web Store, lists all the types of data it collects, with examples, in its Privacy Policy.
Dashlane's Privacy Policy details why the information they collect is important and how it's used.
You can also provide this information in a table format for better categorization and readability.
If you share your users' data with third parties, you must list them in your Privacy Policy. It is also recommended to:
The WordTune extension for Google Chrome provides an in-depth explanation of how the data collected by it is shared with third parties in its Privacy Policy.
Before collecting user data, you must ask for the user's consent. As per Firefox:
"Before an add-on may collect personal information, it must clearly describe, and the user must affirmatively consent (i.e., explicitly opt-in) to the type of personal data being collected."
Apple has a similar requirement for its Safari extensions.
In the Privacy Policy, you also need to inform users of their right to access the data collected about them and to request correction of any inaccuracies. The process for submitting such requests should be clearly outlined, for instance through a link to a web form or an email address.
There may be cases where a user wishes to delete or opt out of further data collection, which is their right. You need to provide specific instructions on how they can do this within the extension settings or via a web form.
1Password is a popular password management extension for Safari. To give its users control over their data and stay compliant with Apple's requirements, it adds this clause to its Privacy Policy:
Take security measures to protect the user data your extension collects and describe them in your Privacy Policy. Data security measures may include:
Bitwarden is a password manager extension for Firefox, and it takes security very seriously. In its Privacy Policy, it mentions how it uses AES 256-bit encryption on all user data.
Lastly, include readily available contact information for users to reach you with privacy-related inquiries or concerns. This can be through an email address or a web form for submitting questions. You can also include a physical address so your consumers can reach you by mail.
Here's an example.
You must place your extension's Privacy Policy in an easily accessible location. These include:
Additionally, when users first install the extension, consider displaying a notification with a link to the Privacy Policy. The Privacy Policy should also be accessible within the extension's settings menu.
Snov.io is an email tracker for Gmail on Chrome, and its product page is a good example of how a company should share the important details of its Privacy Policy on the Chrome Web Store.
You may have heard about Tripadvisor's browser extension. On its website, you can easily find its detailed Privacy Policy in the footer. This footer is visible on every webpage of its site, allowing consumers to effortlessly access it.
Creating a transparent and informative Privacy Policy for your browser extension is essential to build trust with your user base and to ensure it operates within legal boundaries. But creating a compliant Privacy Policy is only the beginning; your actions must also align with it.
A well-written Privacy Policy empowers users by clearly outlining what data is collected (browsing history, preferences, etc.) and how it's used to improve their experience.
This information must be disclosed to the user, along with the third parties, if any, with whom you share your users' data. Your Privacy Policy must also state user rights and communicate the data security practices you employ to safeguard their personal data.
Compliance with the third-party browser stores' privacy requirements doesn't automatically make your extension compliant with privacy laws like GDPR and CCPA. Stricter requirements in these laws, such as requiring user consent and granting users control over their data, necessitate further additions to your Privacy Policy. Always try to create a Privacy Policy that's compliant on both ends.
Finally, make sure you display your extension's Privacy Policy on its product page and the footer of your website if you have one for your extension.