Google forces devs to reveal Chrome extensions’ data use, privacy practices
Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), “in clear and easy to understand language,” in the extension’s detail page in the Chrome Web Store.
“We are also introducing an additional policy focused on limiting how extension developers use data they collect,” Google added.
Privacy practices get more attention
Two weeks ago Apple announced that developers of apps offered trough its App Store will have to provide privacy-focused labels so that users can review an app’s privacy practices before they download the app.
“You’ll need to provide information about your app’s privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect,” Apple told app developers. “This information will be required to submit new apps and app updates to the App Store starting December 8, 2020.”
Now Google is forcing developers to provide similar information for Chrome extension and, at the same time, the company is updating its developer policy to limit what extension developers can do with the data they collect.
The change means that extension developers are prohibited from selling user data, using it for personalized advertising or to establish users’ creditworthiness / lending qualification, transferring the data to data brokers or other information resellers. In addition to this, they must ensuring the use or transfer of user data primarily benefits the user and is in accordance with the stated purpose of the extension.
The privacy-related information will be shown in the Privacy practices tab of the extension’s Chrome Web Store listing:
Will this be enough?
If developers fail to provide data privacy disclosures and to certify they comply with the Limited Use policy, starting with January 18, 2021, their listing on the Chrome Web Store will say that the publisher has not provided any information about the collection or usage of user data (but the extension apparently won’t be pulled from the store).
Will this stop users from downloading such an extension? Will most users actually read the information provided in the Privacy practices tab? Unfortunately, the answer to these questions is no. Does Google check whether extension developers were truthful when they “certified” their data use practices? Google doesn’t say, but the answer is likely no, as the task would be massive and the claims difficult (if not impossible) to confirm at that scale.
The problem with Apple’s and Google’s latest app privacy transparency push is that the companies shift the responsibility on app/extension users and developers, and that the sanctions for developers who don’t comply with the store policies are not enough to stop those that are set on abusing them.