Google Tightens Security Rules for Chrome Extensions

Google has updated its User Data Policy for the Chrome Web Store in an attempt to improve safety and privacy for users of its Chrome web browser.

Following the changes, third-party developers are required to be transparent about how they handle user data and to inform users about what data they collect, how they use it, and who they share it with. Moreover, Google requires developers to limit their use of the data to the practices they disclosed.

The new User Data Policy for the Chrome Web Store requires developers to keep users informed on data collection and on the manner in which the data is handled. They should also ask for user consent when collecting sensitive data.

Developers of Chrome extensions that handle personal or sensitive user data such as personally identifiable information, financial and payment information, authentication information, and the like are required to post a privacy policy and to handle data securely, including transmitting it via modern cryptography.

“The privacy policy must, together with any in-Product disclosures, comprehensively disclose how your Product collects, uses and shares user data, including the types of parties with whom it’s shared,” Google notes in the User Data Policy.

Additionally, the Internet giant notes that, for extensions and apps that handle personal or sensitive user data “that is not closely related to functionality described prominently in the Product’s Chrome Web Store page and user interface,” developers need to prominently disclose how the user data will be used, and also obtain the user’s affirmative consent for such use.

Based on the new policy, developers are prohibited from collecting web browsing activity when it’s not required for an item’s main functionality: “collection and use of web browsing activity is prohibited except to the extent required for a user-facing feature described prominently in the Product’s Chrome Web Store page and in the Product’s user interface.”

According to Google, developers will be notified when products in the Chrome Web Store are found to violate the User Data Policy. Developers will have until July 14, 2016 to make any changes needed for compliance; extensions and apps that still violate the policy after that will be removed from the Web Store and will need to become compliant to be reinstated.

The Internet giant also notes that the changes were designed to improve user protection, and that they will allow users to stay better informed and choose how their user data is handled. However, Google still needs to properly enforce the new rules for them to make a difference; otherwise, the change will not be effective.
