Google has published an important update to its User Data Policy for the Chrome Web Store. The new policy adds the following transparency requirements and data usage restrictions to the existing rules and policies:

  • Posting a Privacy Policy & Secure Transmission - If an extension/app ("Product") handles personal or sensitive user data (including personally identifiable information, financial and payment information, health information, authentication information, website content and resources, form data, and web browsing activity), then the Product must:
    • Post a privacy policy, and
    • Handle the user data securely, including transmitting it via modern cryptography.
  • Privacy Policy Requirements - The privacy policy must, together with any in-Product disclosures, comprehensively disclose how the Product collects, uses and shares user data, including the types of parties with whom it is shared. The Product must make the policy accessible by providing a link:
    • In the designated field in the Chrome Web Store Developer Dashboard; and
    • In the Product’s inline installation page (if applicable).
  • Prominent Disclosure Requirement - If the Product handles personal or sensitive user data that is not closely related to functionality which is prominently described in the Product’s Chrome Web Store page and user interface, then prior to the collection, it must:
    • Prominently disclose how the user data will be used; and
    • Obtain the user’s affirmative consent for such use.
  • Other Requirements - The new policy also adds various requirements and restrictions concerning specific types of personal or sensitive user data, including a new restriction, according to which, the collection and use of web browsing activity is prohibited except to the extent required for a user-facing feature described prominently in the Product’s Chrome Web Store page and in the Product’s user interface.

More information regarding the new policy is available on the following FAQ page.

Developers will have until 14 July 2016 to make any changes needed for compliance. After that date, Products that violate the policy will be  removed  from the  Web  Store  and will need to become compliant in order to be reinstated.