Chrome Extensions Requirements for Privacy Policy and Secure Handling
If you're publishing an extension on Google Chrome's Web Store, and you handle any personal data at all, then you need to write and publish a Google-compliant Privacy Policy.
Extensions are add-ons designed to improve the user experience when someone browses the internet. With extensions, people can adapt their Chrome browser to their own unique needs. But if you're a developer and you plan on publishing an extension for download, here's how to know if you need a Privacy Policy.
According to global privacy laws, you need a Privacy Policy if you collect or handle any sensitive data belonging to an identifiable individual. The laws we're referring to include:
- EU's General Data Protection Regulation (GDPR)
- NY SHIELD Act
- California Consumer Privacy Act (CCPA)
So if you've already drafted a Privacy Policy to comply with these laws, you're probably already complying with Google's requirements. But if you haven't drafted one, here's what the rules say.
The rules here are pretty simple. You can find them in Google's updated list of Privacy Policy requirements, but basically, it all comes down to two obligations.
- You must draft a Privacy Policy and publish it in your Developer Dashboard if you handle personal data, and
- You should always handle data safely
So first, you need a Privacy Policy. This is just a document setting out what data you process and how you keep it safe and secure while it's in your possession.
Secondly, from a safety perspective, personal or sensitive data must be encrypted during transmission. You can only transmit it over secure connections, like HTTPS.
When it comes to data, you should :
- Always encrypt the data you handle
- Transmit it securely
- Handle as little information as possible to minimize what you're transmitting
You'll see the Privacy Policy refers to personal data, so let's break down what this actually is.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. Personal Data Explained
- 2. What it Means to Handle Data
- 3. Consequences if You Don't Comply
- 4. If You Don't Handle Personal Data
- 5. What to Include in Your Privacy Policy
- 5.1. Statement of Data Collection
- 5.2. Types of Data Collected
- 5.3. Purpose of Data Collection
- 5.4. Your Data Sharing Policies
- 5.5. User Rights
- 5.6. Contact Details
- 6. Additional Global Privacy Requirements
- 6.1. The GDPR
- 6.2. The CCPA
- 6.3. NY SHIELD
- 7. Displaying Your Privacy Policy
- 8. Takeaway
Personal Data Explained
When Google refers to "personal data," it's referring to any information that you can use to identify someone. Here are some examples:
- Birth names or account names
- Telephone number
- Email or home address
- Identification numbers e.g. passport numbers
- Bank account details
- Login credentials
If you handle any data like this, you must create and publish a compliant Privacy Policy. But what does it mean to "handle" data? Well, it can mean a few things, so here's what the rules say.
What it Means to Handle Data
You handle data if you use, share, collect or transmit it in any way. Google offers a few examples to illustrate what this means in practice:
So, this could mean:
- A user supplying login details to access the extension
- Collecting details on the websites that a user visits while running your extension
- Gathering payment information
Basically, if you handle any personal or sensitive information at all, you must comply with the Chrome Web Store Privacy Policy requirements.
Consequences if You Don't Comply
When you sign up to use Google's developer services, you must agree to its Developer Terms of Service. According to section 2, you must comply with applicable privacy laws, which means you need a Privacy Policy:
If you don't comply with the Terms, Google can terminate your account and remove your extensions from the Web Store immediately. They don't need to tell you first.
As you'll soon see, it's really easy to write a compliant Privacy Policy, so there shouldn't be any need to worry about non-compliance.
If You Don't Handle Personal Data
Sure you don't handle any sensitive or personal data? Then you should explain this to your users. Otherwise, they might assume you do collect their data and just haven't disclosed it.
So, all you need is a simple clause telling people you don't handle their data.
Here's an example from the Global Drug Reference Online. It doesn't collect data unless someone voluntarily provides it:
Now we're clear on when you need a Chrome Extension Privacy Policy, here's what it should include.
What to Include in Your Privacy Policy
Google sets out fairly clear guidelines for what you should include in your Privacy Policy. Basically, you need clauses covering the following points:
- Confirmation of personal data handling
- The type of data you handle, and why you need it
- Data sharing policies and security
- What rights users have over the data you handle
- Your contact details
These clauses are just the baseline for what should be included in a compliant Privacy Policy. Depending on your audience, you'll need other clauses, and we cover them below. But first, let's build a standard Chrome Extension Web Store Privacy Policy, working through one clause at a time.
Statement of Data Collection
First, state that you handle personal or sensitive data. Like Snap, you only need a few lines confirming this. Just make sure you post this statement at the start of your Policy, and that it's easy to understand:
Types of Data Collected
Next, set out what personal data or sensitive information you collect. The goal is striking a balance between being too broad and too restrictive.
Here's an example from Screencastify that makes it quite clear what kind of data the company handles:
This example from Markd LTD uses more broad language, noting right at the beginning of the clause that the company may collect some or all of a list of information types:
Purpose of Data Collection
Users have a right to know why you need the data you collect. This is true for all privacy laws around the world. So, set out explicitly why you're collecting certain information.
Again, note how Screencastify finds a balance between too vague and too restrictive:
Here's an example from Snap that sets out a clear and detailed list of how personal data is used and why it is collected. This way, users know exactly what they can expect when they share their data.
What you'll also note is that, again, it's sufficiently broad for Snap to use the data for some purposes not specifically set out in the clause:
Your Data Sharing Policies
If you share data with third parties for any purpose, you need to state this in your Privacy Policy.
Here's how Screencastify sets this out:
It's especially important to declare if you sell the data, since you need permission to do this. You can also state if you don't sell data, like Screencastify. But if you change your policy on this, you need to update the document to reflect this and notify users.
Furthermore, you must specify how you protect data as it's transmitted to a third party.
Here's an example from Markd LTD:
User Rights
According to global privacy rules, everyone has certain rights over their data. These rights include the right to see what information a company holds on them, and have this information amended. So, set these rights out clearly somewhere in your Privacy Policy.
Snap has a good example for this:
Screencastify titles this clause "Your Rights" to make it very clear what the clause is about:
Contact Details
You need to give people the chance to contact you if they want to discuss your Policy. The easiest way to do this is to include a clause with your contact details clearly set out.
There's no rule as to where you should put the contact details, but people often expect to find these details at the end of the document.
Here's an example from Weava:
It's best to provide as many different ways as possible for users to contact you, including an email address, a mailing address and a phone number if you have one to provide.
Additional Global Privacy Requirements
The clauses we've looked at so far should be in every Privacy Policy for extensions published on the Chrome Web Store. But depending on where your audience is, there are some other clauses you need to include in your Policy.
Let's run over them briefly.
The GDPR
As one of the strictest privacy laws in the world, the GDPR places additional requirements on you if you're processing data from EU residents. One of them is to disclose the rights that your EU users have.
Screencastify sets these rights out in a clause dedicated to EU residents. This is a good approach because then it's easy for EU residents to scroll straight to this clause:
The CCPA
If you collect personal data from people living in California, you need to update your Privacy Policy at least once every 12 months. This is good practice for all Privacy Policies, anyway, so it should be easy to comply with this requirement.
Under the CCPA, someone can ask for one free copy of the data you hold on them per year. You're obliged to give them this.
Some businesses choose to dedicate specific clauses in their Privacy Policy to CCPA compliance. This isn't essential, but it can make your Privacy Policy appear more professional and help users find relevant information faster.
Here's an example from Tim Hortons:
NY SHIELD
Collecting personal data from New York residents means implementing what's known as a data security program. Basically, this is just:
- Ensuring you have sufficient cybersecurity and safeguards in place to keep data safe
- Limiting employee access to personal data
- Creating a cybersecurity policy for your business and ensuring your team understands it
To comply with NY SHIELD, it's a good idea to set out some of your security measures in your Privacy Policy. There's no need to cover them all, but just a reference to the key ways in which you protect data.
Here's an example from Rogue Fitness:
You'll see there's also a caveat to explain the company doesn't guarantee perfect security at all times. You should always include a disclaimer like this to protect your interests, because downtime is inevitable and you can't guarantee 100% safety.
Now we're clear on how to write a Google-compliant Privacy Policy, let's look at where you should display it.
Displaying Your Privacy Policy
People need to see your Privacy Policy before they install your extension. So, you need to place a link to the Policy on the Developer Dashboard.
It's best to put the link under the "Developer" heading in the "Additional Information" column. It's easy for people to find it there.
Here's an example from Bitmoji:
In some cases, you'll also need what's called a "prominent disclosure."
A prominent disclosure basically draws attention to the type of data you handle and what you use it for. You only need this if it's not obvious from the product page how you handle personal data.
An example makes this clearer, so let's stick with an app like Bitmoji. It collects personal data to let users send Bitmojis in Gmail. But if the developer decided to use the user's details for marketing purposes, they can't do this without posting a prominent disclosure.
So where do you post the disclosure? According to section 10 of the Web Store Privacy Policy, you should:
- Post it somewhere obvious so the person sees it before they agree to anything
- Use a checkbox to get consent
- Place the disclosure in the product interface rather than just the Web Store description
Takeaway
Anyone who uploads extensions onto the Google Chrome Web Store and handles personal data needs to publish a compliant Privacy Policy on their dashboard. You must also use secure handling processes at all times.
Personal data is essentially anything you can use to identify a single individual. You handle it if you collect, use, transmit, or share it in any way at all.
A basic Privacy Policy should include clauses explaining:
- What data you collect, why you need it, and how it's used
- Who you share it with
- How people can contact you
- What rights people have around their personal data
- How you secure the data when it's in your possession
You should publish the Privacy Policy on your dashboard, and include a prominent disclosure if you're using data in a way that's not obvious from the dashboard description. If you don't comply, you'll lose access to the Google Chrome Web Store.
And finally remember, depending on your jurisdiction, you might need to comply with other privacy laws such as the GDPR and the CCPA.
