Manifest V3 Privacy Policy Requirements

Manifest V3 replaced background pages with service workers, restricted remote code, and tightened the Chrome Web Store certification. Here is what your privacy policy must say in 2026.

Last updated · Reviewed for compliance

Written by Anupam Kumar

MV3 2026 enforcement

Manifest V3 extensions must publish a privacy policy URL that accurately reflects their service worker data flows, host permissions, and remote code restrictions. While MV3 does not change the legal requirement to have a privacy policy, it changes what that policy must describe. Service workers behave differently from background pages, host permissions are more granular, and remote code is restricted, all of which must be reflected in your disclosures.

What Manifest V3 Changes for Privacy

Manifest V3 replaced persistent background pages with event-driven service workers. A background page in MV2 ran continuously and could hold data in memory across the user session. A service worker terminates when idle and reloads on the next event, which changes how and where extensions cache or persist user data.

MV3 also restricts remote code execution. Extensions can no longer load and run JavaScript fetched from a remote server at runtime. All executable code must be bundled with the extension. This removes a privacy concern around hidden third-party code but still requires disclosure of any data sent to remote endpoints.

Host permissions in MV3 are also more granular. Users can grant access to specific sites at install time, on click, or for the current site only. Your privacy policy must describe what data is read from those sites and whether it is sent off device.

What Your Privacy Policy Must Say Under MV3

Describe how your service worker handles data. If your worker writes anything to chrome.storage, IndexedDB, or any other persistent location, list what is stored, why, and for how long. If it sends data to a remote API, name the endpoint and what is sent.

Describe how host permissions are used. If your extension reads page content on websites the user visits, say so explicitly, including whether the content is sent off device or processed locally. The phrase "only stored locally" is acceptable if true and is taken seriously by reviewers.

If your extension uses the offscreen API or any other MV3-specific feature that processes user data, describe it in plain language. Reviewers know what these APIs do and will check that your policy reflects them.

The Data Handling Certification You Must Match

When you submit an MV3 extension, you complete a certification in the Chrome Web Store Developer Dashboard. You declare which categories of data your extension touches: personally identifiable information, health, financial, authentication, personal communications, location, web history, or user activity.

Your privacy policy at the URL you submit must match this certification exactly. A mismatch is the single most common cause of rejection. Read both side by side before submitting and adjust whichever is wrong.

If your extension collects nothing in any of those categories, you still need to publish a short privacy policy that says so and explains what your service worker does. An empty certification plus no policy is a flag for reviewers.

Migrating From MV2 to MV3 Without Privacy Issues

Many extensions migrating from MV2 to MV3 carry over a privacy policy that was written for the old architecture. If your policy mentions persistent background pages, runtime code injection, or remote scripts, update it before migrating. Reviewers will compare against the new manifest.

Audit what your service worker actually persists. The migration often introduces new chrome.storage usage to replace in-memory state, which is now visible to users in their browser data. List anything new in the policy.

Update the last modified date so it reflects the migration. Reviewers tend to scrutinise policies that are older than the most recent extension version.
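One way to run the audit described above, as an added example that is not code from the original page: a heuristic Node.js scan of a manifest and its bundled sources that lists the site access, persistent stores, and remote origins the policy has to disclose. The manifest, the `sw.js` contents, and the `auditExtension` name are constructed for illustration.

```javascript
// Constructed sample inputs: a minimal MV3 manifest and one bundled file.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage", "offscreen"],
  host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://news.example.org/*"], js: ["content.js"] }],
  background: { service_worker: "sw.js" }
};
const sampleSources = {
  "sw.js": `
    chrome.runtime.onMessage.addListener(async (msg) => {
      await chrome.storage.local.set({ lastUrl: msg.url });
      await chrome.storage.sync.set({ theme: "dark" });
      await fetch("https://api.example.com/v1/suggest", { method: "POST", body: msg.url });
    });
    const db = indexedDB.open("cache", 1);`
};

// Heuristic static scan: it matches string literals only, so URLs built at
// runtime are missed. Treat the result as a checklist to verify by hand.
function auditExtension(manifest, sources) {
  const siteAccess = new Set(manifest.host_permissions || []);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) siteAccess.add(m);
  }
  // storage.session is memory-only, so only local and sync count as persisted.
  const storageWrite = /chrome\.storage\.(local|sync)\.set\s*\(/g;
  const netCall = /\b(?:fetch|new\s+WebSocket|new\s+EventSource)\s*\(\s*["'`]((?:https?|wss?):\/\/[^"'`\s]+)/g;
  const stores = new Set();
  const endpoints = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(storageWrite)) stores.add(`chrome.storage.${m[1]}`);
    if (/\bindexedDB\.open\s*\(/.test(text)) stores.add("IndexedDB");
    for (const m of text.matchAll(netCall)) {
      try { endpoints.add(new URL(m[1]).origin); } catch { endpoints.add(m[1]); }
    }
  }
  return {
    siteAccess: [...siteAccess].sort(),
    stores: [...stores].sort(),
    endpoints: [...endpoints].sort(),
    offscreen: (manifest.permissions || []).includes("offscreen")
  };
}

console.log(JSON.stringify(auditExtension(sampleManifest, sampleSources), null, 2));
```

Each entry in the report should map to a sentence in the policy and, where it involves user data, to a ticked category in the dashboard certification.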

Frequently Asked Questions

Does Manifest V3 itself require a new privacy policy?

Not legally. The privacy policy requirement comes from data protection laws and Chrome Web Store rules, not from MV3 directly. But because MV3 changes how your extension handles data internally, your existing policy almost certainly needs an update to remain accurate.

Can a Manifest V3 extension still load remote code?

No. MV3 prohibits running remotely hosted code. All executable code must be bundled in the extension package. You can still call remote APIs and process responses, but you cannot fetch and execute JavaScript at runtime. Your privacy policy should reflect this.

What if my service worker only uses chrome.storage.local and never sends data anywhere?

Your privacy policy can clearly state that all data is stored locally on the user's device and never transmitted. This is a strong privacy statement and reviewers accept it. Keep the certification matching: tick the boxes for any data type the local storage actually contains.

Do MV3 host permissions need a separate disclosure?

Yes. Your privacy policy should describe the categories of websites your extension accesses and what it does with the page content. For example: "This extension reads the URL of the active tab to show suggestions, and the URL is never transmitted off your device."
