This article is more than 1 year old

Google tells Chrome extension devs to declare their code's usage of personal data

Ad biz is serious about making others disclose information collection

Hot on the heels of Apple slapping privacy "nutrition labels" on app listing pages in its App Store, Google says it plans to require similar privacy disclosures from those offering Chrome extensions in its Chrome Web Store.

Starting in January, 2021, the Chrome Web Store listing pages for extensions will display developer-supplied information about whatever data the code supposedly collects, said Alexandre Blondin, product manager, and Mark Jaycox, senior policy advisor, in a blog post on Wednesday.

The disclosure requirement, which calls for "clear and easy to understand language," builds upon a data policy change last year, part of Project Strobe, that limited extensions to requesting the least amount of data possible in order to function and broadened the criteria for when a privacy policy is necessary.

Starting today, Chrome extension coders using Google's developer dashboard can fill out a data disclosure form that describes categories of sensitive or personal information gathered by their extension. These include: personally identifiable information, health information, financial and payment information, authentication information, personal communications, location, web history, usage activity, and website content.


Microsoft will adopt Google Chrome's controversial Manifest V3 in Edge


Per the company's newly added Limited Use Policy, the submission form requires that developers "certify" their disclosures and agree to: not sell user data to third parties; not use or transfer user data for purposes other than the extension's "single purpose"; and not to transfer, use, or sell user data to determine creditworthiness or for purposes related to lending.

These disclosures will be made visible on Chrome extension listing pages in the Chrome Web Store starting next year.

The Register asked Google whether certification violators might face legal consequences that differ from those violating privacy promises referred to using less formal terms. We've not heard back, but at the very least Google has the option to boot deceptive extensions from its store and to expel developers found to have violated commitments from its developer program.

The ad pipeline biz has had to conduct such purges on a fairly regular basis. Over the past ten years, abuse of Chrome extensions by ill-intentioned developers has been a persistent, unsolved problem.

The Chrome Web Store policy changes coincide with a related effort, Manifest v3, to revise Chrome extension APIs so they're less powerful – making them less suitable for abuse but also less useful for content blocking.

Google is still planning to activate Manifest v3 in a stable version of Chrome before the end of the year. Since Chrome 88 isn't slated to hit the stable release channel until January, that means Manifest v3 should arrive as a patch to Chrome 87, which debuted on Tuesday.

Thereafter, there's likely to be a deprecation period for Manifest v2 ranging from a few months to a year or more, after which extensions based on the outdated manifest spec will no longer function in the latest Chrome builds. ®

Similar topics


Send us news

Other stories you might like