Microsoft Edge

Edge Extension Privacy Policy Requirements

Microsoft Edge Add ons store has its own developer policies for browser extensions. They overlap with Chrome Web Store rules but have important differences. Here is what your privacy policy must cover for Edge in 2026.

Last updated · Reviewed for compliance

AK
Written by Anupam Kumar
Updated
8 min read
Reviewed for compliance

Microsoft Edge 2026 rules

Microsoft Edge requires every extension that collects or accesses user data to publish a clear, comprehensive privacy policy that explains data handling practices and any third party services involved. The policy must be specific to your extension, must not reuse the Microsoft privacy statement, must use HTTPS, and must accurately describe data minimisation, security controls, and user controls. Reviewers compare it against the certification you submit through Partner Center.

How Edge Privacy Rules Differ From Chrome

Edge extensions are based on the same WebExtensions API as Chrome, so most code ports directly. The privacy review, however, is run by Microsoft and follows the Microsoft Edge Add ons Developer Policies, not the Chrome Web Store policies.

Edge places stronger emphasis on data minimisation. Microsoft expects extensions to collect only what is strictly necessary for the stated function and to aggregate or anonymise data wherever possible. A privacy policy that lists broad data categories without specific justifications is more likely to draw questions from Edge reviewers than from Chrome.

Edge also requires that user sensitive data is encrypted in transit, that data sharing with any third party requires opt in consent, and that the privacy policy refer specifically to the Edge browser when it discusses data flows tied to that browser.

What an Edge Extension Privacy Policy Must Disclose

Describe every category of user data your extension collects or accesses. This includes browsing history, page content, form data, identity, cookies, location, and any other category covered by your manifest permissions.

Describe how data is used, who it is shared with, and how users can exercise control. Microsoft expects an explicit description of how a user can opt out, request deletion, or see what is stored.

Describe security measures. At minimum, name the transport encryption used (TLS 1.2 or higher) and any storage encryption applied to sensitive data. If you do not encrypt at rest, say so and explain why it is acceptable for the data type.

Identify any third party services your extension communicates with. Include analytics, error reporting, and any backend you operate. Reviewers cross check by inspecting network traffic and will reject extensions whose policy omits a service that the extension actually contacts.

Common Reasons Edge Reviewers Reject Extensions

Reusing the Microsoft privacy statement instead of writing your own. Edge developer policies explicitly prohibit this unless your extension is an official Microsoft product. Always write or generate a policy that names your extension and your company.

Vague data descriptions. Phrases like we may collect some information that helps us improve the product are not enough. Be specific about what is collected, why, and where it goes.

Missing third party disclosures. If your extension uses Google Analytics, Sentry, Mixpanel, or any other service, name it in the policy. Reviewers compare network traffic against the policy and a mismatch fails the review.

Submitting and Updating Through Partner Center

Edge extensions are submitted through Microsoft Partner Center. The privacy policy URL field is on the Properties tab of your extension submission. Paste the public HTTPS URL where your policy is hosted.

Submit the privacy questionnaire alongside the policy. The questionnaire asks the same kinds of questions as Chrome's data handling certification. Make sure your answers match what your policy says.

When you update the extension code, review the privacy policy at the same time. If your update adds new data collection, network endpoints, or permissions, the policy must be updated before the new version is submitted.

Frequently Asked Questions

Can I use my Chrome extension privacy policy for Edge as well?

Yes, if the policy is generic enough to apply to both browsers and you update the references. Many developers maintain a single policy that names both browsers. Edge reviewers will accept this as long as the policy is specific to the extension and not a generic boilerplate.

Does Edge require a privacy policy for extensions that collect zero user data?

Technically no, if your extension truly accesses no user data and requests no data permissions. In practice, Microsoft recommends having one anyway, even if it just states no data is collected. This avoids confusion during review.

What encryption standard does Microsoft expect for Edge extensions?

Edge developer policies require TLS for any data transmitted off the user device. Most modern HTTPS deployments use TLS 1.2 or 1.3, which satisfy this. Disable older TLS versions on any backend your extension contacts.

Can my Edge extension share data with third parties?

Only after obtaining opt in consent from the user. The default must be no sharing. The user must take an explicit action to allow it. Your privacy policy must describe the consent flow and the categories of data that may be shared.

Generate an Edge ready privacy policy

Covers Microsoft Edge Add ons developer policies, data minimisation, and Partner Center certification.

Related Resources

Privacy Policy for Chrome Extension

Sister browser extension guide.

Chrome Extension Privacy Policy Template

Reusable template that works on Edge too.

Chrome Extension GDPR Compliance

EU and UK user rights for browser extensions.

Chrome Extension Privacy Best Practices

Patterns that pass review on the first try.