New Privacy Requirements for Google Chrome Extensions
15 December 2020
Technology & eCommerce Regulation in the Spotlight
Google has recently announced new privacy related rules in the Chrome Web Store policy (“Policy Rules“). The implementation deadline of these new changes is 18 January 2021.
This initiative is a part of Google’s Project Strobe, which analyzes third-party developer access to data in various services. One of the project’s recent steps included policies that required developers to be transparent with regard to data that is collected by extensions, how they intend to safeguard that data, and to access only the least amount of data that is required for the disclosed purposes.
Consequently, the Policy Rules build upon these previous guidelines and introduce requirements in two areas: transparency of the extensions’ data collection practices, and limitations on the allowed uses of the collected data.
With regard to limited uses of users’ data, developers’ access to personal or sensitive data must comply with the new Limited Use Policy. The use of users’ data must be limited to providing or improving the extension’s single purpose. In addition, transfers of data are limited to certain purposes (e.g. to provide the single purpose, to comply with applicable laws, or to prevent fraud). Similarly, user data should only be read by others only under strict limitations (for example under the users’ explicit consent or for security purposes).
These requirements apply to both the raw data obtained and the data aggregated, anonymized, de-identified, or derived from such raw data. The requirements also apply to scraped content or user data that is automatically gathered.
The Limited Use Policy also highlights prohibited uses, sale or transfers of users’ data. Any of these actions is prohibited when the purpose is personalized advertisements or determining credit-worthiness for lending purposes, and where the target third parties are advertising platforms, data brokers, or other information resellers.
With regard to transparency, as of 18 January 2021, users will be shown developer-provided information about the data collected by the extension in a standardized and clear manner. Data disclosure forms, which include the developers’ certification of compliance with the new Limited Use Policy, are now available for developers through the privacy tab of the developer dashboard.
For extensions that do not provide privacy disclosures by 18 January 2021, users will be presented with a notice, informing them that the developer does not comply with the Limited Use policy yet.
Starting in 1 March 2021, Google will provide non-compliant developers with a warning to complete the disclosure requirement. If compliance is not achieved within 30 days then the extension will be suspended and the existing user base will be deactivated.
Google has recently taken additional steps to increase users’ privacy, see for example our previous updates on Google’s actions against resource-heavy advertisements and spam, and its plan to phase out third-party cookies.
This development joins these recent efforts and highlights the increased scrutiny of online platforms with regard to personal data. Feel free to contact us if you have any questions regarding the compliance of your extension or apps with the industry’s regulations.
****************************************
Feel free to contact us with any further question or comments regarding the update and subjects detailed above.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman