If you have an extension or app available on the Google Chrome Web Store, you need to comply with specific Google rules on data handling and privacy.

In October 2019, the scope of these rules expanded to cover many more extensions and apps. If the rules apply to you, you'll need to post a Privacy Policy. How and where you display it depends on how you use personal data.

We'll cover all of that in this article.


Do the Rules Apply to My Situation?

The basic principle is that any product in the Google Chrome store that handles sensitive or personal data must post a Privacy Policy and handle user data securely. Let's break that principle down to look at the specifics.

The term "product" covers:

  • Extensions for the Chrome browser
  • Apps for the Chrome operating system

What Counts as Handling Data?

Google's specific definition is that "handle" means "collecting, transmitting, using or sharing user data."

It gives several examples including:

  • Logins and forms
  • Collecting data from websites the user visits, for example in a screenshot
  • Collecting data about a user's online activity
  • Collecting data about background activity

As the definition of "handling data" is part of a policy laid down by Google rather than legislation, Google has the right to interpret it broadly. This means you need to err on the side of caution rather than look for loopholes in the policy's wording.

Google specifically points out that "handling data" does cover cases where your product only stores information locally on the user's computer. This includes storing it within Chrome itself through the Chrome Storage Sync API.

Dark Reader, which published a Privacy Policy for its Chrome extension, is one example. Its Privacy Policy includes a third-party services clause that explicitly mentions the Chrome or WebExtensions Storage Sync API and explains that it is used to store user settings:

Dark Reader Privacy Policy: Third party services clause

What Counts as Sensitive or Personal Data?

Again, Google gives examples rather than an exhaustive list.

Some types of sensitive or personal data are determined by technology: website content, forms, and web browsing activity are all covered.

Other data qualifies because it involves personally identifiable information such as contact details, account and identification numbers.

Other data qualifies because of its subject matter: health, finance and authentication information are all covered this way.

Two new categories took effect from 15 October 2019. These are personal communications and user-generated content. This could include emails, blogs, social media posts, and media files the user has put online.

If you don't meet these criteria, Google doesn't require you to publish a Privacy Policy. Doing so, however, is still a good idea and very likely a legal requirement. Google says that if you do publish a Privacy Policy in these circumstances, you should include a statement to say that you don't handle sensitive or personal data.

What to Include in Your Privacy Policy for Chrome Apps and Extensions

Unlike with some privacy laws, Google doesn't lay down specific pieces of information that must go in a Privacy Policy. Instead it lays down two principles.

The Privacy Policy must always say how you

  • Collect data
  • Use data
  • Disclose data

Normally the Privacy Policy should also cover:

  • How you secure data
  • How long you keep data
  • If and how users can check, correct and access data

Let's break down the questions your Privacy Policy will need to answer to make sure it complies with these principles.

Collecting Data

  • What information does your product collect automatically?
  • Does your product collect data logs?
  • Does your product collect data about how people use it?
  • Does your product collect data directly from the user?
  • Does your product collect data through the permissions API?
  • When does your extension collect data?

Using Data

  • Why do you collect the data?
  • How do you use the data?
  • How long do you keep the data? Is it a set period or simply until you no longer need it to provide a service?

In this example of a Chrome Extension Privacy Policy from Honey, the developers have covered the key points in a brief "letter" while using a menu for users to access more detail:

Honey Privacy and Security Policy: Intro letter and menu links

Disclosing Data

  • Do you pass the data on to third parties? If so, who?
  • How do you respond to legal demands to access the data?
  • Do you sell the data?

User Access

  • How can the user check what data you have collected about them?
  • Can the user correct any data? If so, on what grounds?
  • Can the user request that you delete some or all of the data? If so, how can they do so? Will this restrict their ability to use your product?

The Privacy Policy for the Microsoft Office extension neatly sums up a complex situation for user access:

Microsoft Privacy Statement: How to access and control your personal data clause

Where to Display Your Privacy Policy for Chrome Apps and Extensions

You must always post your Privacy Policy in the Chrome Web Store Developer Dashboard. This will make it available to users who are browsing the Chrome Web Store. They will see a link to the policy in the product description as shown on the bottom right in this example from Grammarly:

Grammarly Chrome Web Store listing: Overview and Information section

In some cases you may also need to publish a "prominent disclosure" that is separate from your Privacy Policy. This applies if you handle personal or sensitive data and the way you handle it is not "closely related to functionality described prominently in the Product's Chrome Web Store page and user interface."

In simple terms, this means that you collect, use or share data in a way that wouldn't be obvious to somebody who'd read your product's description or used the product. This is particularly likely to be the case if you collect data that isn't needed for the product to work, or if you pass on data for somebody else to use.

The prominent disclosure needs to detail the types of sensitive or personal data you collect and how you will use it. In effect, it's a bare-bones version of the Privacy Policy. You must guarantee the user will see it before you collect any data. To do so, you must build the prominent disclosure into the user interface of the product.

As well as showing the prominent disclosure, you must get active consent from the user to say they agree to the data use you've specified. This could be a confirmation button, though adding a checkbox as well will give an extra layer of certainty that the user consents.

Technical Steps to Take

If your product meets the criteria of handling personal or sensitive data, you must also take several technical steps along with posting the Privacy Policy. The main ones are:

  • Encrypt all personal or sensitive user data when transmitting it
  • Only transmit personal or sensitive user data over secure connections
  • Only request the minimum level of permissions needed for the product to provide its services and features
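The secure-connection and minimum-permission steps can be checked mechanically before you submit. The following is an added example, not code from Google or from this article's author: it audits a manifest for host patterns that match every site, patterns that permit cleartext HTTP, and API permissions that no documented feature needs. The sample manifest and the `declaredNeeds` list are constructed for illustration.

```javascript
// Added example: audit an extension manifest for broad or cleartext host access
// and for API permissions that no documented feature requires.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest, declaredNeeds) {
  const findings = [];
  const apiPerms = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hostPatterns = [...(manifest.host_permissions || [])];
  for (const p of manifest.permissions || []) {
    (p.includes("://") || p === "<all_urls>" ? hostPatterns : apiPerms).push(p);
  }
  for (const cs of manifest.content_scripts || []) hostPatterns.push(...(cs.matches || []));

  for (const pattern of new Set(hostPatterns)) {
    if (BROAD_HOSTS.has(pattern)) {
      findings.push({ rule: "least-privilege", item: pattern, note: "matches every site" });
    } else if (pattern.startsWith("http://") || pattern.startsWith("*://")) {
      findings.push({ rule: "secure-transport", item: pattern, note: "allows cleartext HTTP" });
    }
  }
  for (const perm of apiPerms) {
    if (!declaredNeeds.includes(perm)) {
      findings.push({ rule: "least-privilege", item: perm, note: "no documented feature needs it" });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 3,
  name: "Constructed Sample",
  permissions: ["storage", "tabs", "history"],
  host_permissions: ["https://api.example.com/*", "http://stats.example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
// declaredNeeds: the permissions your store listing and Privacy Policy actually justify.
const sampleFindings = auditManifest(sampleManifest, ["storage"]);
console.log(sampleFindings);
```

Each finding is either a permission to remove or narrow, or a data use that your Privacy Policy and store listing need to explain.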

What If I Don't Comply?

If you handle personal or sensitive data, failing to meet the rules is a breach of Google's Chrome Web Store policies. Any new products breaching the rules will be rejected from the Web Store. Any existing products breaching the rules will be removed from the Web Store until you have fixed the breach.

Remember that the definition of personal or sensitive data expanded on 15 October 2019 to include personal communications and user-generated content. This means existing products that previously met the rules could be removed from that date forward.

Does My Google Product Privacy Policy Need Anything Else?

As well as complying with Google's rules, your product may come under various laws on data privacy. This can require additional information in your Privacy Policy beyond that required by Google. Here's an overview of some of the key laws that could apply.

General Data Protection Regulation (GDPR)

The GDPR applies to processors and controllers of personal data in any of three cases:

  • The processor or controller is in a European Union country
  • The individual concerned is in a European Union country
  • The processing takes place in a European Union country

Your Privacy Policy must include the following to comply with the GDPR:

  • Details of your Data Protection Officer if applicable
  • Under which specific legal basis you are collecting the data
  • Whether you use automated decision-making

California Consumer Privacy Act (CCPA)

The CCPA applies to for-profit organizations that do business in California and have a gross revenue above $25 million, make half their revenue from selling consumer data, or handle data covering 50,000 Californian people, households or devices.

Your Privacy Policy must include the following to comply with the CCPA:

  • Detail the consumer's rights under the CCPA
  • List the types of information you have collected, sold and disclosed in the past 12 months
  • Have a dedicated page detailing how people can demand you don't sell their personal data (a "Do Not Sell My Personal Information" page)

Children's Online Privacy Protection Rule (COPPA)

COPPA applies to organizations which are based in the United States or have US-based users, and either aim their service at under-13s or know under-13s use it.

Your COPPA-compliant Privacy Policy will need to include details of all the personal data you collect about under-13s, not just data classed as sensitive.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA applies to private-sector organizations using personal data as part of commercial activity. In some cases a provincial law may apply in place of PIPEDA but will have the same principles.

Your Privacy Policy must include the following to comply with PIPEDA:

  • Who in your organization is responsible for data protection
  • How people can make a complaint if you breach the PIPEDA rules

California Online Privacy Protection Act (CalOPPA)

CalOPPA applies to anyone providing an online service that collects data on California citizens, regardless of where the service is based.

Your Privacy Policy must include the following to comply with CalOPPA:

  • Details of any changes to the Privacy Policy you make over time
  • Whether or not your product responds to "Do Not Track" signals in a web browser

This privacy policy for the Meow Playground extension specifically addresses CalOPPA requirements:

Meow Playground Privacy Policy: CalOPPA clause

Conclusion

Let's recap what you need to know about Google's rules for Chrome Store products.

  • The rules apply to Chrome browser extensions and Chrome OS apps (collectively known as products) that handle sensitive or personal data.
  • Handling covers collection, sharing and using data, a definition interpreted broadly by Google.
  • The definition of sensitive or personal data can cover how it's collected (e.g. web forms), whether it's personally identifiable data, or the subject matter (e.g. health or finance).
  • User-generated content and personal communications both count as sensitive or personal data.
  • Your Privacy Policy must cover how you collect, use and disclose data. Normally it should also say how you secure data, how long you keep it, and how users can access and correct their data or request that you delete it.
  • You must post the Privacy Policy to the Chrome Web Store Developer Dashboard. If you handle data in a way that doesn't directly relate to the product's stated purpose, you must include the key points of the Privacy Policy in a "prominent disclosure." This must be part of the product's user interface and you must get active confirmation that the user agrees to the listed points.
  • If you don't comply with the rules, Google may remove your product from the Chrome Web Store until you do.
  • Several data protection laws may require additional information in your Privacy Policy beyond that covered by Google's rules.