Chrome Extension User Data Policy

Chrome Web Store Requirements 2026

Google's Chrome Web Store requires a user data policy for any extension that accesses, collects, or transmits user data. Here is exactly what you need and how to comply.

Last updated: March 2026 (11 min read)
Reviewed by privacy attorneys

What Counts as User Data in Chrome Extensions?

Under Chrome Web Store policy, "user data" means any information about a user's identity, browsing activity, or system that your extension can access. You need a privacy policy if your extension does any of the following:

  • Reads browsing history, tabs, or URLs visited
  • Accesses clipboard contents
  • Reads cookies from any domain
  • Captures keystrokes or form inputs
  • Accesses geolocation
  • Communicates with external servers
  • Stores data in any cloud or remote system
  • Reads bookmarks, downloads, or browser history

When Is a User Data Policy Required?

Google's Chrome Web Store Developer Program Policies require a privacy policy in two situations:

| Situation | Policy Required? | Extra Steps? |
| --- | --- | --- |
| Extension collects or transmits any user data | Yes - mandatory | Limited use disclosure required |
| Extension uses sensitive user data (web history, comms) | Yes - mandatory | Prominent in-product disclosure + consent |
| Extension stores data locally only, no transmission | Recommended | Good practice even if not mandatory |
| Extension has no data access at all | No | Still good practice |

Did you know?

Google can remove your extension from the Chrome Web Store without warning if you collect user data without a valid privacy policy link. Extensions are regularly reviewed and policy violations can result in immediate takedown, affecting all your users.

The Limited Use Disclosure Requirement

The Chrome Web Store Limited Use Policy is one of the strictest requirements. Your privacy policy must explicitly state that you comply with it. The limited use requirements are:

Only use data to provide or improve user-facing features

You cannot use extension user data for purposes unrelated to the core function of the extension.

Do not use for advertising purposes

User data collected by your extension cannot be used to serve or target advertisements, even if anonymized.

Do not sell to data brokers

You cannot transfer or sell user data to data brokers, information resellers, or similar entities.

Do not use for creditworthiness assessment

User data cannot be used to determine credit eligibility, insurance rates, or similar financial assessments.

Required statement in your privacy policy:

"The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements."

Sensitive Data Categories Requiring Extra Disclosure

For certain sensitive data categories, a privacy policy alone is not enough. Google requires a prominent in-product disclosure before collecting this data:

| Data Category | Policy Required | In-Product Disclosure |
| --- | --- | --- |
| Web browsing history | Yes | Yes - before collection |
| Financial information | Yes | Yes - before collection |
| Authentication credentials | Yes | Yes - before collection |
| Personal communications (email, messages) | Yes | Yes - before collection |
| Location data | Yes | Yes - before collection |
| Health information | Yes | Yes - before collection |
| System activity monitoring | Yes | Yes - before collection |

What to Include in Your Extension User Data Policy

What data your extension collects

List every type of data your extension can access: URLs, browsing history, clipboard, cookies, form inputs, etc.

Why you collect each type of data

Describe the specific extension feature that requires each data type. Be specific - 'to enable tab synchronization' not 'to improve user experience'.

Where data is sent or stored

If any data leaves the user's device, specify where it goes: your own servers, third-party services, cloud storage.

Limited use compliance statement

Explicitly state that your data use complies with Chrome Web Store User Data Policy and Limited Use requirements.

How users can request deletion

Provide a process for users to request deletion of any data you hold about them.

Data retention period

Specify how long you retain user data and your deletion process.

Prominent Disclosure: What It Means

For sensitive data, Google requires "prominent disclosure" - meaning the disclosure must be presented clearly before any data collection, not buried in a settings page or privacy policy.

Acceptable Prominent Disclosure

  • Pop-up dialog before first use
  • Onboarding screen explaining data collection
  • In-extension permission request with clear explanation
  • Dedicated settings page shown on first install

NOT Sufficient

  • Privacy policy link only
  • Small text in extension description
  • Disclosure buried in Chrome Web Store listing
  • Disclosure only in terms of service

Did you know?

Google reviews extensions for prominent disclosure compliance using automated tools and manual review. Extensions that collect web history or communications without a visible in-product disclosure are among the most commonly removed from the Chrome Web Store.

5 Common Chrome Extension User Data Policy Mistakes

Using a generic website privacy policy for your extension

A standard website privacy policy doesn't cover extension-specific requirements like limited use disclosure, permission-specific data use, or Chrome Web Store compliance. You need an extension-specific policy.

Not adding the limited use compliance statement

Google specifically requires you to state in your privacy policy that you comply with the Chrome Web Store User Data Policy and Limited Use requirements. A generic policy that omits this can trigger policy violations.

Linking to a Google Doc or PDF that requires login

Your privacy policy must be on a publicly accessible URL. Google's review system cannot access documents behind authentication, and users cannot read policies they need to log in to view.

Collecting more data than required for your extension's stated purpose

The data minimization principle requires you to only collect what is necessary for the extension's core function. Requesting excessive permissions or collecting data beyond what features require violates the Developer Program Policies.

Not updating the policy when adding new permissions

Every new permission you add to your extension that accesses user data requires an update to your privacy policy. Submitting an update that adds data-accessing permissions without updating the policy can cause rejection.
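
A release check for this last mistake, as an added example (not code from the original page or from Google): it diffs two manifest.json objects and lists newly added permissions that reach the data types this page names. The DATA_PERMISSIONS mapping, the function names and the sample manifests are assumptions made for illustration.

```javascript
// Assumed mapping from Chrome permission names to the data types this page lists.
// Illustrative only; it is not Google's official list.
const DATA_PERMISSIONS = new Map([
  ["tabs", "tabs and URLs visited"], ["history", "browsing history"],
  ["webNavigation", "URLs visited"], ["clipboardRead", "clipboard contents"],
  ["cookies", "cookies"], ["geolocation", "geolocation"],
  ["bookmarks", "bookmarks"], ["downloads", "downloads"],
]);

// Collect every permission string and host pattern a manifest declares (MV3 fields).
function declaredPermissions(manifest) {
  const fields = ["permissions", "optional_permissions",
                  "host_permissions", "optional_host_permissions"];
  const listed = fields.flatMap((f) => manifest[f] || []);
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return new Set([...listed, ...scriptHosts]);
}

// Host match patterns grant access to page content on the matching sites.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);
}

// Newly added permissions that mean the privacy policy must be revisited.
function policyReviewItems(oldManifest, newManifest) {
  const before = declaredPermissions(oldManifest);
  const items = [];
  for (const p of declaredPermissions(newManifest)) {
    if (before.has(p)) continue; // already covered by the published policy
    if (isHostPattern(p)) {
      items.push({ permission: p, data: "page content and form inputs on matching sites" });
    } else if (DATA_PERMISSIONS.has(p)) {
      items.push({ permission: p, data: DATA_PERMISSIONS.get(p) });
    }
  }
  return items.sort((a, b) => (a.permission < b.permission ? -1 : 1));
}

// Constructed sample manifests (not from a real extension).
const released = { manifest_version: 3, permissions: ["storage", "tabs"] };
const candidate = {
  manifest_version: 3,
  permissions: ["storage", "tabs", "cookies", "alarms"],
  host_permissions: ["https://*.example.com/*"],
};
for (const { permission, data } of policyReviewItems(released, candidate)) {
  console.log(`policy update needed: "${permission}" adds access to ${data}`);
}
```

Run it in CI against the last published manifest and fail the build while the list is non-empty and the policy text is unchanged.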

Frequently Asked Questions

When does a Chrome extension need a user data policy?

Any extension that collects, uses, or transmits user data needs a privacy policy. This includes reading tabs, browsing history, clipboard, cookies, or communicating with external servers.

What is the Chrome Web Store limited use disclosure?

It requires that user data be used only to provide or improve the extension's user-facing features. Data cannot be used for advertising, sold to data brokers, or used for creditworthiness assessments. Your policy must explicitly state compliance.

What personal and sensitive data requires additional disclosure?

Web history, financial information, authentication credentials, personal communications, location, health information, and system activity all require prominent in-product disclosure before collection.

Where does my Chrome extension privacy policy need to be linked?

Link it in your Chrome Web Store listing's Privacy practices tab, on your extension's store page, and on your companion website if you have one. It must be a publicly accessible URL, not behind a login.
