Project Strobe: Updates to Our User Data Policy

July 23rd, 2019

On May 30, Google announced the next iteration of Project Strobe, a root-and-branch review of third-party developer access to user data. This announcement included the following two updates to our User Data Policy:

  • We’re requiring extensions to only request access to the least amount of data. While this has previously been encouraged of developers, now we’re making this a requirement for all extensions.
  • We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely. Now, we’re expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use, and sharing of that data. 

The policies for these two changes are now published to the updated User Data Policy. They will go into effect on October 15, 2019.

To ensure compliance with this policy update, we suggest developers check their extensions per the guidelines below. After October 15, 2019, items that violate these updates to the User Data policy will be removed or rejected from the Web Store and will need to become compliant to be reinstated. We will continue to take action on violations of the User Data Policy in its current form.

  • Inventory your extensions’ current permissions and, where possible, switch to alternatives that are more narrowly scoped. Additionally, include a list of permissions used and the reasons you require them in your Chrome Web Store listing or in an “about page” in your extension. If you expand the features of your extension and require new permission, you may only request the new permission in the updated version of the extension.
  • If your extension handles Personal or Sensitive User Data, which now also includes, user-provided content and personal communications, your Product must both post a privacy policy and handle the user data securely, including transmitting it via modern cryptography. To add a privacy policy, use the developer dashboard to link to your privacy policy with your developer account. All your published extensions share the same privacy policy.

You can find more information on the updated User Data FAQ. Thank you for joining us in building a better web with transparency, choice, and control for both users and developers.

Posted by Alexandre Blondin and Swagateeka Panigrahy, Chrome Product & Policy