How to Add a Privacy Policy to a Chrome Extension

Why Chrome Extensions Need a Privacy Policy URL

Google requires a privacy policy URL for any Chrome extension that requests permissions involving user data. This includes tabs, cookies, history, identity, storage, host permissions, and many others. The requirement applies whether the data is stored locally or sent to your server.

Without a valid privacy policy URL on your listing, the Chrome Web Store review team will reject your submission. Existing extensions that fail to maintain a valid policy can be unpublished. The 2026 enforcement of Chrome Web Store policies has made this stricter than in previous years.

The URL itself is only one part of the requirement. Google also expects your policy to be specific to your extension, written in plain language, and to match the data handling certification you submit through the dashboard.

Step by Step: Adding the Privacy Policy URL

Open your Chrome Web Store Developer Dashboard and select the extension you want to update. In the left sidebar, click Privacy practices. Scroll to the section labelled Privacy policy.

Paste the public URL where your privacy policy is hosted. The URL must use HTTPS and must resolve to a page that anyone can read without logging in. A common mistake is to host the policy on a Google Doc behind sharing restrictions; that will fail review.

After pasting the URL, complete the data handling certification just below it. You will tick boxes describing what data your extension collects: personally identifiable information, health information, financial information, authentication data, personal communications, location, web history, or user activity.

Save your changes and submit the extension for review. Reviews typically take a few business days. If anything in your certification contradicts what is in the privacy policy at the URL, the reviewer will reject the submission and ask you to fix the inconsistency.

Where to Host Your Privacy Policy

Your privacy policy needs a permanent, publicly accessible URL. The most common options are: a page on your own domain (best for trust and control), a free static hosting service like GitHub Pages or Netlify, or a hosted document on a service designed for legal pages.

Avoid using a shared Google Doc, a Notion page behind login, a Gist, or any URL that could change. The Chrome Web Store team has flagged these in the past, and changing your URL later requires resubmission.

If you do not have a website yet, the simplest path is to create a single static HTML page on a free host and link it. The page should include your extension name, the date it was last updated, and a contact email so reviewers and users can verify it belongs to you.

What the Policy Itself Must Include

Your privacy policy must list every type of data your extension collects, accesses, or transmits. Be specific: list each category of data, the source, and what you do with it. Vague language like we may collect some user data is not enough and can fail review.

Cover how the data is stored, how long it is kept, who it is shared with (including any analytics or crash reporting services), how users can request deletion, and how to contact you with questions. Include a last updated date.

If your extension is subject to GDPR because users may be in the EU or UK, also include a legal basis for processing, a description of user rights, and information about international data transfers if any data leaves the EU.

Common Reasons Reviewers Reject the Privacy Policy

The most common reason for rejection is a mismatch between the policy and the certification. For example, the certification says no PII is collected, but the policy mentions email addresses. Fix this by making sure the two match exactly before submission.

Another frequent issue is hosting the policy at a URL that is not publicly reachable, such as a private Google Doc or a page behind a login. Fix it by moving the document to a public URL.

Less common but still seen: copy and paste templates that reference the wrong company or extension name. Reviewers spot these immediately. Always customise the template to your specific extension before submitting.