Chrome Extensions Requirements for Privacy Policy and Secure Handling

by Jennifer L. Legal writer.
Chrome Extensions Requirements for Privacy Policy and Secure Handling

If you're publishing an extension on Google Chrome's Web Store, and you handle any personal data at all, then you need to write and publish a Google-compliant Privacy Policy.

Extensions are add-ons designed to improve the user experience when someone browses the internet. With extensions, people can adapt their Chrome browser to their own unique needs. But if you're a developer and you plan on publishing an extension for download, here's how to know if you need a Privacy Policy.

According to global privacy laws, you need a Privacy Policy if you collect or handle any sensitive data belonging to an identifiable individual. The laws we're referring to include:

So if you've already drafted a Privacy Policy to comply with these laws, you're probably already complying with Google's requirements. But if you haven't drafted one, here's what the rules say.

The rules here are pretty simple. You can find them in Google's updated list of Privacy Policy requirements, but basically, it all comes down to two obligations.

  1. You must draft a Privacy Policy and publish it in your Developer Dashboard if you handle personal data, and
  2. You should always handle data safely

So first, you need a Privacy Policy. This is just a document setting out what data you process and how you keep it safe and secure while it's in your possession.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

Secondly, from a safety perspective, personal or sensitive data must be encrypted during transmission. You can only transmit it over secure connections, like HTTPS.

When it comes to data, you should :

  • Always encrypt the data you handle
  • Transmit it securely
  • Handle as little information as possible to minimize what you're transmitting

You'll see the Privacy Policy refers to personal data, so let's break down what this actually is.

Personal Data Explained

Personal Data Explained

When Google refers to "personal data," it's referring to any information that you can use to identify someone. Here are some examples:

  • Birth names or account names
  • Telephone number
  • Email or home address
  • Identification numbers e.g. passport numbers
  • Bank account details
  • Login credentials

If you handle any data like this, you must create and publish a compliant Privacy Policy. But what does it mean to "handle" data? Well, it can mean a few things, so here's what the rules say.

What it Means to Handle Data

You handle data if you use, share, collect or transmit it in any way. Google offers a few examples to illustrate what this means in practice:

Google Updated Privacy Policy and Secure Handling Requirements: Definition and examples of handling data

So, this could mean:

  • A user supplying login details to access the extension
  • Collecting details on the websites that a user visits while running your extension
  • Gathering payment information

Basically, if you handle any personal or sensitive information at all, you must comply with the Chrome Web Store Privacy Policy requirements.

Consequences if You Don't Comply

When you sign up to use Google's developer services, you must agree to its Developer Terms of Service. According to section 2, you must comply with applicable privacy laws, which means you need a Privacy Policy:

Google APIs Terms of Service: Using our APIs - Compliance with Law, Third Party Rights and Other Google Terms of Service section

If you don't comply with the Terms, Google can terminate your account and remove your extensions from the Web Store immediately. They don't need to tell you first.

As you'll soon see, it's really easy to write a compliant Privacy Policy, so there shouldn't be any need to worry about non-compliance.

If You Don't Handle Personal Data

Sure you don't handle any sensitive or personal data? Then you should explain this to your users. Otherwise, they might assume you do collect their data and just haven't disclosed it.

So, all you need is a simple clause telling people you don't handle their data.

Here's an example from the Global Drug Reference Online. It doesn't collect data unless someone voluntarily provides it:

Global Drug Reference Online Privacy Policy: Personally Identifiable Information clause

Now we're clear on when you need a Chrome Extension Privacy Policy, here's what it should include.

What to Include in Your Privacy Policy

What to Include in Your Privacy Policy

Google sets out fairly clear guidelines for what you should include in your Privacy Policy. Basically, you need clauses covering the following points:

  • Confirmation of personal data handling
  • The type of data you handle, and why you need it
  • Data sharing policies and security
  • What rights users have over the data you handle
  • Your contact details

These clauses are just the baseline for what should be included in a compliant Privacy Policy. Depending on your audience, you'll need other clauses, and we cover them below. But first, let's build a standard Chrome Extension Web Store Privacy Policy, working through one clause at a time.

Statement of Data Collection

First, state that you handle personal or sensitive data. Like Snap, you only need a few lines confirming this. Just make sure you post this statement at the start of your Policy, and that it's easy to understand:

Snap Privacy Policy: Introduction section

Types of Data Collected

Next, set out what personal data or sensitive information you collect. The goal is striking a balance between being too broad and too restrictive.

Here's an example from Screencastify that makes it quite clear what kind of data the company handles:

Screencastify Privacy Policy: What Information we Collect from You clause excerpt

This example from Markd LTD uses more broad language, noting right at the beginning of the clause that the company may collect some or all of a list of information types:

Markd LTD Privacy Policy: What Data Do We Collect clause

Purpose of Data Collection

Users have a right to know why you need the data you collect. This is true for all privacy laws around the world. So, set out explicitly why you're collecting certain information.

Again, note how Screencastify finds a balance between too vague and too restrictive:

Screencastify Privacy Policy: How we use your information clause excerpt

Here's an example from Snap that sets out a clear and detailed list of how personal data is used and why it is collected. This way, users know exactly what they can expect when they share their data.

What you'll also note is that, again, it's sufficiently broad for Snap to use the data for some purposes not specifically set out in the clause:

Snap Privacy Policy: Introduction clause excerpt

Your Data Sharing Policies

If you share data with third parties for any purpose, you need to state this in your Privacy Policy.

Here's how Screencastify sets this out:

Screencastify Privacy Policy: Who Do We Share Your Information With clause excerpt

It's especially important to declare if you sell the data, since you need permission to do this. You can also state if you don't sell data, like Screencastify. But if you change your policy on this, you need to update the document to reflect this and notify users.

Furthermore, you must specify how you protect data as it's transmitted to a third party.

Here's an example from Markd LTD:

Markd LTD Privacy Policy: Do You Share My Personal Data clause - Security section highlighted

User Rights

According to global privacy rules, everyone has certain rights over their data. These rights include the right to see what information a company holds on them, and have this information amended. So, set these rights out clearly somewhere in your Privacy Policy.

Snap has a good example for this:

Snap Privacy Policy: Control Over Your Information - User Rights clause

Screencastify titles this clause "Your Rights" to make it very clear what the clause is about:

Screencastify Privacy Policy: Your Rights clause excerpt

Contact Details

You need to give people the chance to contact you if they want to discuss your Policy. The easiest way to do this is to include a clause with your contact details clearly set out.

There's no rule as to where you should put the contact details, but people often expect to find these details at the end of the document.

Here's an example from Weava:

Weava Privacy Policy: Contact clause

It's best to provide as many different ways as possible for users to contact you, including an email address, a mailing address and a phone number if you have one to provide.

Additional Global Privacy Requirements

Additional Global Privacy Requirements

The clauses we've looked at so far should be in every Privacy Policy for extensions published on the Chrome Web Store. But depending on where your audience is, there are some other clauses you need to include in your Policy.

Let's run over them briefly.

The GDPR

As one of the strictest privacy laws in the world, the GDPR places additional requirements on you if you're processing data from EU residents. One of them is to disclose the rights that your EU users have.

Screencastify sets these rights out in a clause dedicated to EU residents. This is a good approach because then it's easy for EU residents to scroll straight to this clause:

Screencastify Privacy Policy: European Union Residents clause excerpt

The CCPA

If you collect personal data from people living in California, you need to update your Privacy Policy at least once every 12 months. This is good practice for all Privacy Policies, anyway, so it should be easy to comply with this requirement.

Under the CCPA, someone can ask for one free copy of the data you hold on them per year. You're obliged to give them this.

Some businesses choose to dedicate specific clauses in their Privacy Policy to CCPA compliance. This isn't essential, but it can make your Privacy Policy appear more professional and help users find relevant information faster.

Here's an example from Tim Hortons:

Tim Hortons Privacy Policy: Your California Privacy Rights clause excerpt

NY SHIELD

Collecting personal data from New York residents means implementing what's known as a data security program. Basically, this is just:

  • Ensuring you have sufficient cybersecurity and safeguards in place to keep data safe
  • Limiting employee access to personal data
  • Creating a cybersecurity policy for your business and ensuring your team understands it

To comply with NY SHIELD, it's a good idea to set out some of your security measures in your Privacy Policy. There's no need to cover them all, but just a reference to the key ways in which you protect data.

Here's an example from Rogue Fitness:

Rogue Fitness Privacy Policy: Data Security clause

You'll see there's also a caveat to explain the company doesn't guarantee perfect security at all times. You should always include a disclaimer like this to protect your interests, because downtime is inevitable and you can't guarantee 100% safety.

Now we're clear on how to write a Google-compliant Privacy Policy, let's look at where you should display it.

Displaying Your Privacy Policy

Displaying Your Privacy Policy

People need to see your Privacy Policy before they install your extension. So, you need to place a link to the Policy on the Developer Dashboard.

It's best to put the link under the "Developer" heading in the "Additional Information" column. It's easy for people to find it there.

Here's an example from Bitmoji:

Bitmoji Chrome Web Store listing with Privacy Policy highlighted

In some cases, you'll also need what's called a "prominent disclosure."

A prominent disclosure basically draws attention to the type of data you handle and what you use it for. You only need this if it's not obvious from the product page how you handle personal data.

An example makes this clearer, so let's stick with an app like Bitmoji. It collects personal data to let users send Bitmojis in Gmail. But if the developer decided to use the user's details for marketing purposes, they can't do this without posting a prominent disclosure.

So where do you post the disclosure? According to section 10 of the Web Store Privacy Policy, you should:

  • Post it somewhere obvious so the person sees it before they agree to anything
  • Use a checkbox to get consent
  • Place the disclosure in the product interface rather than just the Web Store description

Takeaway

Anyone who uploads extensions onto the Google Chrome Web Store and handles personal data needs to publish a compliant Privacy Policy on their dashboard. You must also use secure handling processes at all times.

Personal data is essentially anything you can use to identify a single individual. You handle it if you collect, use, transmit, or share it in any way at all.

A basic Privacy Policy should include clauses explaining:

  • What data you collect, why you need it, and how it's used
  • Who you share it with
  • How people can contact you
  • What rights people have around their personal data
  • How you secure the data when it's in your possession

You should publish the Privacy Policy on your dashboard, and include a prominent disclosure if you're using data in a way that's not obvious from the dashboard description. If you don't comply, you'll lose access to the Google Chrome Web Store.

And finally remember, depending on your jurisdiction, you might need to comply with other privacy laws such as the GDPR and the CCPA.

Last updated on 07 June 2021

Article categories

Jennifer L.

Legal writer.