[go: up one dir, main page]

Protecting users and their data is a fundamental aspect of the work we do on Chrome. Last year, as part of Google’s Project Strobe, we announced an important set of policies for extensions to protect users and their data. These policies require extensions to request only the permissions needed to implement their features. Additionally, we required more extensions to post privacy policies and handle user data securely.  


Today, we are announcing changes that build upon those protections with an update to our developer policy that limits what extension developers can do with the data they collect. The new policy also requires developers to certify their data use practices, and display that information directly on the Chrome Web Store listing to help users understand an extension’s privacy practices. 


Simplifying privacy practices for our users

Starting January 2021, each extension’s detail page in the Chrome Web Store will show developer-provided information about the data collected by the extension, in clear and easy to understand language. Data disclosure collection is available to developers today. 

Updating our user data privacy policy

We are also introducing an additional policy focused on limiting how extension developers use data they collect. More specifically:

  • Ensuring the use or transfer of user data is for the primary benefit of the user and in accordance with the stated purpose of the extension.

  • Reiterating that the sale of user data is never allowed. Google does not sell user data and extension developers may not do this either.

  • Prohibiting the use or transfer of user data for personalized advertising. 

  • Prohibiting the use or transfer of user data for creditworthiness or any form of lending qualification and to data brokers or other information resellers. 


The item listing page will also display whether the developer has certified that their extension complies with this new policy. 


Developer-provided privacy disclosures

To publish or update an extension, our new policy will require developers to provide data usage disclosures directly from the privacy tab of the developer dashboard. These disclosures include:

  • The nature of the data being collected from users.  

  • The developer’s certification that they comply with the new Limited Use policy. 


The disclosure form is grouped by category to make it simpler for developers, and maps exactly to the disclosures that will be displayed to Chrome users. Most of this information will be consistent with existing privacy policies that developers have provided to the Chrome Web Store. 


Data disclosures collection will be made available to developers today, and will be displayed on the Chrome Web Store listing starting January 18, 2021


For developers who have not yet provided privacy disclosures by January 18, 2021, a notice will be shown on their Chrome Web Store listings to inform users that the developer hasn’t certified that they comply with the Limited Use policy yet. 


You can find the full policy in the Developer Program Policies page as well as additional details in the User Data FAQ .


Thank you for working with us to build a better web with transparency, choice, and control for everyone.



Posted by Alexandre Blondin and Mark M. Jaycox, Chrome Product & Policy
Labels: , ,

On May 30, Google announced the next iteration of Project Strobe, a root-and-branch review of third-party developer access to user data. This announcement included the following two updates to our User Data Policy:

  • We’re requiring extensions to only request access to the least amount of data. While this has previously been encouraged of developers, now we’re making this a requirement for all extensions.
  • We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely. Now, we’re expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data. 
The policies for these two changes are now published to the updated User Data Policy. They will go into effect on October 15, 2019.

To ensure compliance with this policy update, we suggest developers check their extensions per the guidelines below. After October 15, 2019, items that violate these updates to the User Data policy will be removed or rejected from the Web Store and will need to become compliant to be reinstated. We will continue to take action on violations of the User Data Policy in its current form.

  • Inventory your extensions' current permissions and, where possible, switch to alternatives that are more narrowly scoped. Additionally, include a list of permissions used and the reasons you require them in your Chrome Web Store listing or in an "about page" in your extension. If you expand the features of your extension and require a new permission, you may only request the new permission in the updated version of the extension.
  • If your extension handles Personal or Sensitive User Data, which now also includes, user-provided content and personal communications, your Product must both post a privacy policy and handle the user data securely, including transmitting it via modern cryptography. To add a privacy policy, use the developer dashboard to link to your privacy policy with your developer account. All your published extensions share the same privacy policy.

You can find more information in the updated User Data FAQ. Thank you for joining us in building a better web with transparency, choice and control for both users and developers.


Posted by Alexandre Blondin and Swagateeka Panigrahy, Chrome Product & Policy
Labels: , , , ,