Privacy Policy for Browser Extensions

If you're a developer or a business that wants to create extensions for popular browsers like Chrome, Safari, or Mozilla Firefox, you'll need to put the user's privacy at the forefront. Even though browser extensions don't collect a significant amount of user data, they still fall under scrutiny by regulatory bodies worldwide and have to follow the guidelines of the browser you'll publish them on.

Failure to comply with data collection regulations can result in severe consequences, including hefty fines, app or web store removal, and potentially irreparable damage to your reputation.

In this guide, we'll talk about the legalities surrounding a browser extension's Privacy Policy, clarify when it's mandatory, outline the essential information you should add to it, and indicate where you should place a Privacy Policy when publishing your browser extension.

What Is A Privacy Policy?

A Privacy Policy is a legal document outlining how your company handles user data. It clarifies how a consumer's information is collected, used, and protected when they interact with your extension.

A well-crafted and legally compliant Privacy Policy typically needs to include:

  1. Types of data collected
  2. Reason for collecting data
  3. The third parties with whom the data is shared
  4. Instructions on exercising consumer rights
  5. Data security practices that are employed to protect user data

Is a Privacy Policy Legally Required for Browser Extensions?

Publishing a Privacy Policy that outlines your company's data collection and handling practices isn't just required by third-party browsers; it is also a legal requirement.

However, there isn't just one single law that requires companies to have a Privacy Policy. This requirement is, instead, declared in various US state laws and global privacy laws. Which of these laws your company needs to follow depends on where your company is located, what data it collects, and how it uses that data.

This means that simply complying with a third-party browser's requirements may not be enough. You may also need to comply with requirements of the Federal Trade Commission (FTC), the General Data Protection Regulation (GDPR) of the European Union (EU), and various US state laws like the California Consumer Privacy Act (CCPA) when creating a Privacy Policy for your browser extension.

It's highly recommended to have a compliant Privacy Policy if your extension collects any of the following data:

  • Browsing history
  • Search queries within the browser
  • Form data entered on websites
  • User preferences within the extension
  • Device information (operating system, browser version)

If your extension doesn't collect any user data, you likely wouldn't be legally required to have a Privacy Policy. However, the third-party browser you plan to publish your extension on might require a Privacy Policy nevertheless.

Here's what Google's guide for Privacy Policy for web-store extensions says regarding this:

Google Guide for Privacy Policy screenshot

DuckDuckGo is a search engine that keeps its consumers' privacy at the forefront. Even though it doesn't collect user data, it has a Privacy Policy page that says so.

Screenshot from Duck Duck Go Privacy Policy

Do Third Parties Require A Privacy Policy For Browser Extensions?

Every major third-party browser store has specific privacy requirements for every extension published on its store to ensure transparency and user trust on its platforms. Let's look at the requirements of some of the major browsers.

Google Chrome Web Store

In 2019, Google announced that extension developers would now need to post Privacy Policies. To help developers create compliant Privacy Policies, it also provided a detailed guide on creating privacy disclosures for extensions.

As per Google, the Privacy Policy must be "Accurate" and "Up-to-date."

Accuracy in a Privacy Policy refers to how transparent you are with your consumers regarding the collection of their data in your extension. An accurate Privacy Policy should truthfully indicate all the aspects of the data collected without hiding anything or presenting vague or misleading statements.

Keeping your browser extension's Privacy Policy up to date with the newest laws and acts is also important and required by Google.

On the Chrome Web Store, developers publish their extensions using the Developer Dashboard. Here, you'll have to fill in the privacy fields, where Google requires you to add the following information:

Google Certify Data Practices info

This information includes what data is collected and examples of said data. Everything else, including how the collected data is handled and whether this information is shared with any third parties, will be disclosed separately on your company's main Privacy Policy page. You'll also be required to provide a link to your Privacy Policy page in this section.

Grammarly's Chrome Web Store page includes the types of data it collects in the privacy section, along with a link to the detailed Privacy Policy on its website.

Google Web Store Page for Grammarly

Mozilla Firefox Add-ons

Similar to Chrome, Mozilla requires all add-ons to have a clear, concise, and easily accessible Privacy Policy. However, there are some key differences.

Mozilla add on requirements for a Privacy Policy

The add-on needs to provide a to-the-point Privacy Policy on its product page in the "More Information" section. This Privacy Policy has to be the complete text that applies to your extension, not just a link to an externally hosted privacy policy. Once that's done, you may additionally provide a link to your broader company Privacy Policy.

You'll also need to provide your consumers with a summary of your add-on's Privacy Policy in the description of the product page.

Privacy Badger is a popular add-on that blocks tracking cookies automatically. On its product page, it provides the full text of its Privacy Policy relevant to this extension, along with a link to its broader Privacy Policy which contains all the extra information.

Privacy Badger Privacy Policy excerpt

Apple Safari Extensions Gallery

Apple's App Store Review Guidelines apply to Safari extensions as well and have a section dedicated to legal requirements concerning data privacy.

Apple App Store Review Guidelines: Privacy Policies section

Much like Chrome, Apple also requires developers to inform users about the data their extension will collect, including examples of said data, and provide a link to the official Privacy Policy.

Hyperweb is a Safari extension that shares the types of data it collects from users on the app page and also provides a link to its detailed Privacy Policy.

Hyperweb App Privacy page

How Do You Create A Privacy Policy For Browser Extensions?

A well-written Privacy Policy fosters user trust and demonstrates your commitment to data privacy. Google, in its guidelines, states that a Privacy Policy must disclose the following:

  • What information do you collect
  • How do you use the information
  • What information do you share

If your extension collects a lot of user data, it's always recommended that you create a Privacy Policy that checks all the requirements of privacy laws and third-party browser requirements.

In this section, we will go over the key clauses you should include in your extension's Privacy Policy.

Specifics About the Collected Information

As per Google's guidelines and privacy laws like GDPR and CCPA, your browser extension's Privacy Policy must list all the types of data it collects. It also needs to indicate why the mentioned data is collected.

Types of data that you may include could be any of the following:

  • Name
  • Age
  • Email address
  • User's device information
  • Usage data
  • Location

Sider AI, a GPT extension on Chrome Web Store, mentions all the types of data they collect, with examples, in their Privacy Policy.

Sider AI Privacy Policy: Types of data collected clause

Dashlane's Privacy Policy details why the information they collect is important and how it's used.

Dashlane Privacy Policy: How personal data is used clause

You can also provide this information in a table format for better categorization and readability.

Disclosing Data Sharing with Third-Parties

If you share your consumers' data with third parties, you must list them in your Privacy Policy. It is also recommended to:

  • Include data transfer agreements with third-party providers outlining data security practices
  • Outline scenarios where data disclosure might be necessary (for instance when complying with court orders and legal investigations or in case of bankruptcy)
  • Explain how anonymized or non-personally identifiable data might be used

The Wordtune extension for Google Chrome provides an in-depth explanation of how the data collected by it is shared with third parties in its Privacy Policy.

Wordtune Privacy Policy: How we share personal data clause

User Consent

Before collecting consumers' data, you must ask for their consent. As per Firefox:

"Before an add-on may collect personal information, it must clearly describe, and the user must affirmatively consent (i.e., explicitly opt-in) to the type of personal data being collected."

Apple has a similar requirement for its Safari extensions.

User Rights

In the Privacy Policy, you also need to inform users of their right to access the data collected about them and to request correction of any inaccuracies. The process for submitting such requests should be clearly outlined, for instance, through a link to a web form or an email address.

There may be cases where a user wishes to delete or opt out of further data collection, which is their right. You need to provide specific instructions on how they can do this within the extension settings or via a web form.

1Password is a popular password management extension for Safari. It is paramount that it provides its consumers with the right to control their data and stay compliant with Apple's requirements, which it does by adding this clause to its Privacy Policy:

1Password Privacy Policy: Your right to access and control clause

Data Security Measures

Take security measures to protect the user data your extension collects and mention it in your Privacy Policy. Data security measures may include:

  • Encryption of data using strong encryption methods like RSA or AES
  • Transmission of data only over a secure connection like HTTPS or WSS
  • Secure storage practices by using reputable cloud storage providers with robust security measures
  • Regular security audits and vulnerability assessments

Bitwarden is a password manager extension for Firefox, and it takes security very seriously. In its Privacy Policy, it mentions how it uses AES 256-bit encryption on all consumer data.

Bitwarden Privacy Policy: Security clause

Provide Clear Contact Information

Lastly, include readily available contact information for users to reach you with privacy-related inquiries or concerns. This can be through an email address or a web form for submitting questions. You can also include a physical address so your consumers can reach you by mail.

Here's an example.

Todoist Privacy Policy Contact and Complaints clause

Where Do You Display A Privacy Policy For Browser Extensions?

You must place your extension's Privacy Policy in an easily accessible location. These include:

  • For the Chrome Web Store and the App Store, the "Privacy" section of the product page, where the types of data your extension collects must be mentioned, along with a link to your official Privacy Policy.
  • For Mozilla Firefox, you must provide the full text of the Privacy Policy that applies to your add-on in the "More Information" section, and a summary of it in the description. A link to your official Privacy Policy page is optional.
  • If you have a website for your extension, prominently display a link to the Privacy Policy page within the footer.

Additionally, when users first install the extension, consider displaying a notification with a link to the Privacy Policy. The Privacy Policy should also be accessible within the extension's settings menu.

Snov.io is an email tracker for Gmail on Chrome, and its product page is a good example of how a company should share the important details of its Privacy Policy on the Chrome Web Store.

Snovio Google Webstore page Privacy section

You may have heard about Tripadvisor's browser extension. On its website, you can easily find its detailed Privacy Policy in the footer. This footer is visible on every webpage of its site, allowing consumers to effortlessly access it.

Tripadvisor website footer with Privacy and Cookies link highlighted

Summary

Creating a transparent and informative Privacy Policy for your browser extension is essential to build trust with your user base and ensure it operates within legal boundaries. But creating a compliant Privacy Policy is only the beginning; your actions must also align with it.

A well-written Privacy Policy empowers users by clearly outlining what data is collected (browsing history, preferences, etc.) and how it's used to improve their experience.

This information must be disclosed to the consumer, along with the third parties, if any, with whom you share your consumers' data. Your Privacy Policy must also mention user rights and communicate the data security practices you employ to safeguard their personal data.

Compliance with a third-party browser's privacy requirements doesn't automatically make your extension compliant with privacy laws like GDPR and CCPA. Stricter requirements in these laws, such as requiring user consent and granting users control over their data, necessitate further additions to your Privacy Policy. Always try to create a Privacy Policy that's compliant on both ends.

Finally, make sure you display your extension's Privacy Policy on its product page and the footer of your website if you have one for your extension.