User Data Policy Updates Coming Soon

Intro

Chrome will be releasing two key changes to its Chrome Web Store Policies: expanding when a privacy policy is required, and introducing a “minimum permission” policy.

General Questions

Q: When will these new policies be enforced?

A: These policies will be enforced beginning fall of 2019, but don’t worry, we’ll announce the enforcement date at least 90 days beforehand. More details will be announced this summer.

Q: Does this apply to new and existing extensions?

A: Yes.

Q: What will happen if my extension does not comply with these policies?

A: It will be removed from the Chrome Web Store. For those extensions created prior to the announcement of the official policy language later this summer, your extension may be removed from the Chrome Web Store as early as 90 days from the date of such announcement. You will still be able to update the extension and file appeals. Please keep in mind that your re-published item will not be immediately published live in the store and will undergo a compliance review before being re-published.

To minimize disruption for users, we recommend that you review your extensions and make necessary updates as soon as possible.

Q: What will happen to non-compliant extensions installed by users?

A: Non-compliant extensions will be disabled in end-users' browsers. Once the developer re-publishes a compliant version of their extension, the extension will be updated and re-enabled for its installed user base.

Q: I am an administrator for my enterprise. Are self-hosted extensions force-installed with enterprise policies affected by these policies?

A: These policies only apply to extensions hosted on the Chrome Web Store.

Minimum Permission

Q: Why did Google create a “minimum permission” policy for Chrome extensions?

A: Chrome Web Store provides a platform for users to access a wide variety of useful apps, and we want extension users to be confident that their data is secure. We want to support the use of extension permissions that directly benefit the user. In the past we've tried to ensure end-user safety and security by recommending that extensions only use the minimum set of permissions necessary, but to promote safe data use practices, we are now making that recommendation a requirement for all extensions.

Extensions must require only the narrowest set of permissions necessary to provide their existing services or features. Developers may use minimally-scoped optional permissions to further enhance the capabilities of the extension, but must not require users to agree to additional permissions. When an update requires additional permissions, end users will be prompted to accept them or disable the extension. This prompt notifies users that something has changed and gives them control over whether or not to accept this new use.

Q: Does the “minimum permission” policy also apply to optional permissions?

A: Yes. The policy applies to both required and optional permissions.

Q: Where can I find the “minimum permission” policy?

A: The policy language will be released as an update to the Chrome Web Store Developer Policies during the summer of 2019, but we wanted to share details in advance in order to help our developers plan accordingly. The policy will reflect the principles discussed here.

Q: What does “minimum permission” mean here?

A: Extensions must only require access to the narrowest set of permissions necessary to implement the existing services or features of your product. If there is more than one permission that can be used to implement a feature, you must choose the one that accesses the least amount of data.

Q: Will the “minimum permission” policy affect my extension?

A: The exact impact will depend on what permissions you request and how they are used. You should inventory your extensions' current permissions and, where possible, switch to alternatives that are more narrowly scoped. Additionally, you should include a list of permissions used and the reasons you require them in your Chrome Web Store listing and in an "about page" in your extension.
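One way to take the inventory described above, as an added example that is not part of the original FAQ or any Chrome tooling: a Node.js script that lists every required and optional permission in a manifest and flags the ones worth reviewing. The `BROAD_HOSTS` and `BROAD_APIS` review lists, the function names and the sample manifest are assumptions made for this example.

```javascript
// Added example: inventory the permissions declared in an extension manifest.
// BROAD_HOSTS and BROAD_APIS are this example's own review lists (assumptions),
// not an official Chrome Web Store list.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const BROAD_APIS = new Set(['tabs', 'history', 'webRequest', 'cookies', 'bookmarks']);

// A permission string is a host match pattern if it is <all_urls> or has a scheme.
const isHost = (p) => p === '<all_urls>' || p.includes('://');

function classify(permission, required) {
  const notes = [];
  if (isHost(permission)) {
    if (BROAD_HOSTS.has(permission)) notes.push('matches every site; narrow to the hosts the feature uses');
  } else if (BROAD_APIS.has(permission)) {
    notes.push('broad data access; check for a narrower alternative');
  }
  return { permission, kind: isHost(permission) ? 'host' : 'api', required, notes };
}

// Handles both layouts: Manifest V2 keeps host patterns in "permissions",
// Manifest V3 splits them into "host_permissions" / "optional_host_permissions".
function inventory(manifest) {
  const req = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const opt = [...(manifest.optional_permissions || []), ...(manifest.optional_host_permissions || [])];
  const required = req.map((p) => classify(p, true));
  const optional = opt.map((p) => classify(p, false));
  // An optional entry that is also required is never actually optional.
  const requiredNames = new Set(req);
  for (const row of optional) {
    if (requiredNames.has(row.permission)) row.notes.push('also listed as required');
  }
  return [...required, ...optional];
}

const flagged = (rows) => rows.filter((row) => row.notes.length > 0);

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 2,
  permissions: ['tabs', 'storage', '<all_urls>'],
  optional_permissions: ['https://api.example.com/*', 'history', 'tabs'],
};

for (const row of inventory(sampleManifest)) {
  const scope = row.required ? 'required' : 'optional';
  console.log(`${scope}\t${row.kind}\t${row.permission}\t${row.notes.join('; ') || 'ok'}`);
}
```

The unflagged rows still belong in the permission list and justifications the answer above asks you to publish in the store listing and "about page".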

Q: My extension is currently using more permissions than needed so I can future-proof future versions of my extension. Is this ok under the “minimum permission” policy?

A: No, extensions may not require permissions they do not need for their current functionality, regardless of future plans. Extensions must only require permissions that enable their existing services or features. Extensions may request additional capabilities via minimally-scoped optional permissions. If you expand the features of your extension and require a new permission, you may only request the permission in the updated version of the extension.

Updated Privacy Policy & Secure Handling Requirements

Q: Where can I find the updated description of “personal and sensitive user data”?

A: It will be part of our full policy announcement this summer. The policy language will be released as an update to the Chrome Web Store Developer Policies during the summer of 2019, but we wanted to share details in advance in order to help our developers plan accordingly. The policy will reflect the principles discussed here.

Q: What forms of user data are now considered “personal and sensitive user data” under the Chrome Web Store Developer Policies?

A: In addition to the data described in the Personal and Sensitive User Data policy, the definition in the Chrome Web Store Developer Policies will include user-generated content and personal communications. These changes will primarily impact extensions handling messaging and file management.

Q: My extension does not handle any form of user data, do I need a privacy policy?

A: If the extension does not handle any form of personal and sensitive user data, a privacy policy is not required by this policy. However, it is recommended for developers to provide a privacy statement to notify their users that no data is handled by the extension.

Q: I have never written a privacy policy before, where do I start?

A: At a minimum, a privacy policy will typically state how a developer collects, uses, and discloses data. Privacy policies frequently address additional topics, such as information security practices; how users can access, change, or delete their data; and how long users' data is retained. While we can’t give legal advice on how to draft a privacy policy, we’ve suggested some points below to guide your thinking:

  • What information do you collect?
    Explain all the information your extension collects. This includes information that you may collect automatically, such as server and HTTP logs, data transmitted by the extension to you, and usage information. This also includes information that you get from the user, either directly or via the permissions API, including persistent identifiers.
  • How do you use the information?
    Disclose how you use the information you collect. For example, you may use the information to provide certain services to users, to recognize them the next time they use your extension, or to send them promotional emails.
  • What information do you share?
    Describe the circumstances when you share information.

Q: I have a privacy policy, where do I need to put it?

A: Use the developer dashboard to link to your privacy policy with your developer account. All your published extensions share the same privacy policy.

Q: When handling “personal and sensitive user data,” what type of encryption does the User Data Policy require?

A: Extensions must transmit “personal and sensitive user data” over a secure connection (e.g. HTTPS, WSS) and store it at rest using a strong encryption method such as RSA or AES. You should not use any cipher suite that is blacklisted by IETF. Our requirements may change over time.