If you have an extension or app available on the Google Chrome Web Store, you need to comply with specific Google rules on data handling and privacy.
We'll cover all of that in this article.
- 1. Do the Rules Apply to My Situation?
- 1.1. What Counts as Handling Data?
- 1.2. What Counts as Sensitive or Personal Data?
- 2.1. Collecting Data
- 2.2. Using Data
- 2.3. Disclosing Data
- 2.4. User Access
- 4. Technical Steps to Take
- 5. What If I Don't Comply?
- 6.1. General Data Protection Regulation (GDPR)
- 6.2. California Consumer Privacy Act (CCPA)
- 6.3. Children's Online Privacy Protection Rule (COPPA)
- 6.4. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 6.5. California Online Privacy Protection Act (CalOPPA)
- 7. Conclusion
Do the Rules Apply to My Situation?
The term "product" covers:
- Extensions for the Chrome browser
- Apps for the Chrome operating system
What Counts as Handling Data?
Google defines "handle" as "collecting, transmitting, using or sharing user data."
It gives several examples including:
- Logins and forms
- Collecting data from websites the user visits, for example in a screenshot
- Collecting data about a user's online activity
- Collecting data about background activity
As the definition of "handling data" is part of a policy laid down by Google rather than legislation, Google has the right to interpret it broadly. This means you need to err on the side of caution rather than look for loopholes in the policy's wording.
Google specifically points out that "handling data" does cover cases where your product only stores information locally on the user's computer. This includes storing it within Chrome itself through the Chrome Storage Sync API.
What Counts as Sensitive or Personal Data?
Again, Google gives examples rather than an exhaustive list.
Some types of sensitive or personal data are determined by technology: website content, forms, and web browsing activity are all covered.
Other data qualifies because it involves personally identifiable information such as contact details, account and identification numbers.
Other data qualifies because of its subject matter: health, finance and authentication information are all covered this way.
Two new categories took effect on 15 October 2019: personal communications and user-generated content. This could include emails, blogs, social media posts, and media files the user has put online.
- Collect data
- Use data
- Disclose data
- How you secure data
- How long you keep data
- If and how users can check, correct and access data
- What information does your product collect automatically?
- Does your product collect data logs?
- Does your product collect data about how people use it?
- Does your product collect data directly from the user?
- Does your product collect data through the permissions API?
- When does your extension collect data?
- Why do you collect the data?
- How do you use the data?
- How long do you keep the data? Is it a set period or simply until you no longer need it to provide a service?
- Do you pass the data on to third parties? If so, who?
- How do you respond to legal demands to access the data?
- Do you sell the data?
- How can the user check what data you have collected about them?
- Can the user correct any data? If so, on what grounds?
- Can the user request that you delete some or all of the data? If so, how can they do so? Will this restrict their ability to use your product?
In simple terms, this means that you collect, use or share data in a way that wouldn't be obvious to somebody who'd read your product's description or used the product. This is particularly likely to be the case if you collect data that isn't needed for the product to work, or if you pass on data for somebody else to use.
As well as showing the prominent disclosure, you must get active consent from the user to say they agree to the data use you've specified. This could be a confirmation button, though adding a checkbox as well will give an extra layer of certainty that the user consents.
Technical Steps to Take
- Encrypt all personal or sensitive user data when transmitting it
- Only transmit personal or sensitive user data over secure connections
- Only request the minimum level of permissions needed for the product to provide its services and features
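The second and third steps can be checked mechanically against an extension's manifest.json. The following is an added example, not code from Google or from this article: the function name `auditManifest`, both sample manifests and the `api.example.com` host are constructed for illustration.

```javascript
// Added example (not from the article): flag manifest entries that conflict
// with "secure connections only" and "minimum permissions".
// auditManifest and both sample manifests are constructed for illustration.

// Match patterns that grant access to every site the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V3 lists host patterns in host_permissions; V2 mixes them into
  // permissions. Content-script match patterns grant page access as well.
  const entries = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const p of new Set(entries)) {
    const isHostPattern = p === "<all_urls>" || p.includes("://");
    if (!isHostPattern) continue; // API permission such as "storage"
    if (BROAD_PATTERNS.has(p)) {
      findings.push({ pattern: p, issue: "broad-host-access" });
    } else if (p.startsWith("http://") || p.startsWith("*://")) {
      findings.push({ pattern: p, issue: "allows-plain-http" });
    }
  }
  return findings;
}

// Constructed "before": every site, plus a plain-HTTP backend.
const broadManifest = {
  manifest_version: 3,
  permissions: ["storage", "tabs"],
  host_permissions: ["<all_urls>", "http://api.example.com/*"],
  content_scripts: [{ matches: ["*://*.example.com/*"], js: ["content.js"] }],
};

// Constructed "after": one HTTPS origin, page access only on user action.
const narrowManifest = {
  manifest_version: 3,
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://api.example.com/*"],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(narrowManifest));
```

An empty result only means the declared host patterns are narrow and HTTPS-only; it does not show that the data sent to those hosts is limited to what the product needs.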
What If I Don't Comply?
If you handle personal or sensitive data, failing to meet the rules is a breach of Google's Chrome Web Store policies. Any new products breaching the rules will be rejected from the Web Store. Any existing products breaching the rules will be removed from the Web Store until you have fixed the breach.
Remember that the definition of personal or sensitive data expanded on 15 October 2019 to include personal communications and user-generated content. This means existing products that previously met the rules could be removed from that date forward.
General Data Protection Regulation (GDPR)
The GDPR applies to processors and controllers of personal data in any of three cases:
- The processor or controller is in a European Union country
- The individual concerned is in a European Union country
- The processing takes place in a European Union country
- Details of your Data Protection Officer if applicable
- Under which specific legal basis you are collecting the data
- Whether you use automated decision-making
California Consumer Privacy Act (CCPA)
The CCPA applies to for-profit organizations that do business in California and have a gross revenue above $25 million, make half their revenue from selling consumer data, or handle data covering 50,000 Californian people, households or devices.
- Detail the consumer's rights under the CCPA
- List the types of information you have collected, sold and disclosed in the past 12 months
- Have a dedicated page detailing how people can demand you don't sell their personal data (a "Do Not Sell My Personal Information" page)
Children's Online Privacy Protection Rule (COPPA)
COPPA applies to organizations which are based in the United States or have US-based users, and either aim their service at under-13s or know under-13s use it.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to private-sector organizations using personal data as part of commercial activity. In some cases a provincial law may apply in place of PIPEDA but will have the same principles.
- Who in your organization is responsible for data protection
- How people can make a complaint if you breach the PIPEDA rules
California Online Privacy Protection Act (CalOPPA)
CalOPPA applies to anyone providing an online service that collects data on California citizens, regardless of where the service is based.
- Whether or not your product responds to "Do Not Track" signals in a web browser
Let's recap what you need to know about Google's rules for Chrome Store products.
- The rules apply to Chrome browser extensions and Chrome OS apps (collectively known as products) that handle sensitive or personal data.
- Handling covers collecting, sharing and using data, a definition interpreted broadly by Google.
- The definition of sensitive or personal data can cover how it's collected (e.g. web forms), whether it's personally identifiable data, or the subject matter (e.g. health or finance).
- User-generated content and personal communications both count as sensitive or personal data.
- If you don't comply with the rules, Google may remove your product from the Chrome Web Store until you do.