Developer Guide

Privacy Policy for Chrome Extensions

The Chrome Web Store requires a privacy policy for any extension that handles personal or sensitive user data. Without one, your extension will be rejected during review or removed from the store.

For Chrome extension developers, indie makers, and teams publishing to the Chrome Web Store.

Last updated: March 2026 · Reviewed for GDPR, CCPA & Chrome Web Store compliance

Written by Anupam Kumar
Last updated: March 2026 · 11 min read
GDPR & CCPA reviewed

The Chrome Web Store requires a privacy policy for any extension that handles personal or sensitive user data. If your extension requests permissions like tabs, cookies, history, bookmarks, identity, or webRequest, you must provide a privacy policy URL in your Developer Dashboard. Extensions submitted without one will be rejected. Existing extensions can be removed for non-compliance.

Chrome extensions operate with a unique level of access to user data. Unlike websites, which are sandboxed to their own domain, extensions can read browsing history, access page content across sites, intercept network requests, and access stored passwords or cookies. This level of access is exactly why Google requires transparency about how extensions handle data.

The Chrome Web Store review process has become significantly stricter since Google tightened its extension policies. Every extension that requests data-related permissions must provide a privacy policy URL that is publicly accessible. The policy must accurately describe what data the extension collects, how it uses that data, and whether it shares data with any third parties.

This guide covers exactly which permissions trigger the requirement, what Google expects in your policy, how the data handling certification works, how Manifest V3 affects your disclosures, and how to create a policy that passes the Chrome Web Store review process.

Does Your Chrome Extension Need a Privacy Policy?

The short answer: if your extension handles any personal or sensitive user data, yes. Google defines "personal or sensitive user data" broadly. It includes browsing activity, the content of web pages a user visits, form inputs, cookies, authentication tokens, bookmarks, and even data stored locally via chrome.storage if it contains personal information.

In practice, most Chrome extensions need a privacy policy. Even a simple extension that uses the activeTab permission to read the current page URL is technically accessing user browsing data. An extension that saves user preferences using chrome.storage.sync is storing data in the user's Google account. An extension that changes CSS on web pages still needs to access the page DOM.

The only extensions that definitively do not need a privacy policy are those that use no data-related permissions at all. An extension that only modifies the browser's new tab page with static content and requests no permissions might not strictly require one. But even in that case, Google recommends providing a policy.

Beyond the Chrome Web Store requirement, your extension may also be subject to GDPR if any users are in the EU, CCPA if any users are in California, and other regional privacy laws. These laws apply to any software that processes personal data, including browser extensions.

  • Required: for data-related permissions
  • Public: must be publicly accessible
  • Enforced: rejection or removal

Q: My extension is free and open source. Do I still need a privacy policy?

Yes. The privacy policy requirement is about data handling, not monetization. Open source extensions that access user data still need to disclose what they do with that data. Being free does not exempt you from Chrome Web Store policies or privacy laws.

Q: What if I distribute my extension outside the Chrome Web Store?

Chrome Web Store policies only apply to extensions published there. However, GDPR, CCPA, and other privacy laws apply regardless of distribution method. If your extension processes personal data from users in regulated jurisdictions, you need a privacy policy even if you distribute it through your own website.

Chrome Web Store Privacy Requirements

Google has specific, documented requirements for how Chrome extensions must handle user data and what must be disclosed. These are not suggestions. They are enforced during the review process and through ongoing compliance checks.

What Google Requires

  • Privacy policy URL: A publicly accessible URL entered in the Developer Dashboard that links to your extension's privacy policy. This URL is displayed on your store listing.
  • Accurate data disclosures: Your policy must accurately describe what data your extension collects, how it uses that data, whether it shares data with third parties, and how users can request data deletion.
  • Data handling certification: You must complete the data handling section in the Developer Dashboard, certifying what types of data your extension collects and how it handles that data.
  • Limited Use compliance: If your extension accesses certain categories of sensitive data, you must comply with the Chrome Web Store's Limited Use requirements and state this compliance in your policy.
  • Minimum necessary permissions: Your extension must only request permissions it actually needs. Requesting broad permissions "just in case" will trigger additional scrutiny and require more extensive privacy disclosures.

Google reviews extensions both when they are submitted and on an ongoing basis. Extensions that violate these requirements can be removed without warning. Developer accounts with repeated violations can be permanently suspended. Google has removed thousands of extensions for privacy policy violations in recent years.

Did you know?

Google removed over 500 Chrome extensions from the Web Store in a single enforcement sweep in 2023 for violating its data handling policies. Many of these extensions had millions of users. The most common violations were collecting data not disclosed in the privacy policy, transmitting data to undisclosed servers, and requesting permissions beyond what was necessary for the extension's functionality.

Enforcement Consequences

  • New extensions: rejected. Will not pass review without a compliant privacy policy.
  • Existing extensions: removed. Can be taken down at any time for non-compliance.

Which Permissions Trigger the Privacy Policy Requirement?

Not all Chrome extension permissions are equal when it comes to privacy policy requirements. Some permissions grant access to personal or sensitive data and clearly require a privacy policy. Others are ambiguous. The following table covers the most common permissions and whether they trigger the requirement.

Permission | Data Access | Policy Required? | Risk Level
--- | --- | --- | ---
activeTab | Current tab URL and page content when user clicks the extension | Recommended | Low
tabs | URLs and titles of all open tabs, tab events | Yes | Medium
storage | Local or synced storage for extension data | If storing personal data | Low-Medium
cookies | Read and modify cookies for any domain | Yes | High
webRequest | Observe and intercept all network requests | Yes | High
history | Full browsing history, search history, visit counts | Yes | High
bookmarks | Read and modify all bookmarks | Yes | Medium
identity | User's Google account email and profile | Yes | High
downloads | Download history, manage downloads | Yes | Medium
<all_urls> | Content scripts on every website the user visits | Yes | Very High
declarativeNetRequest | Block or modify network requests via rules | Recommended | Low-Medium
alarms / notifications | Schedule events, show notifications | Only if combined with data access | Low

The general rule: if your extension can access, read, modify, or store any information that relates to a user or their browsing activity, you need a privacy policy. When in doubt, provide one. The cost of not having one (rejection or removal) far outweighs the effort to create one.

Also note that host permissions (specific domains your extension can access via content scripts) count as data access. If your extension injects content scripts into specific websites, it can read page content from those sites. This is user data access and should be disclosed.

Did you know?

The <all_urls> permission and broad host permissions like *://*/* trigger the highest level of review scrutiny from Google. Extensions requesting these permissions must justify why they need access to every website and provide especially detailed privacy policies. Google recommends using activeTab or specific host permissions instead whenever possible.

The Data Handling Certification

In addition to providing a privacy policy URL, the Chrome Web Store requires you to complete a data handling certification in the Developer Dashboard. This certification is a structured declaration of what data your extension collects and how it handles that data.

The certification asks you to declare whether your extension collects each of the following data types: personally identifiable information, health information, financial and payment information, authentication information, personal communications, location data, web history, user activity, and website content.

For each data type you declare, you must specify how it is used. The options include: core extension functionality, analytics, developer communications, advertising or marketing, credit fraud detection, and personalization.

Limited Use Policy

Google's Limited Use policy restricts how extensions can use data they collect. Under Limited Use, your extension may only use data for the purposes described in your listing and privacy policy. You cannot sell user data. You cannot use data for advertising purposes unrelated to the extension's functionality. You cannot transfer data to third parties unless necessary for the extension's stated purpose.

Restricted Use Policy

Some data categories trigger even stricter Restricted Use requirements. If your extension reads email content, accesses drive files, or handles other sensitive Google Workspace data, Restricted Use applies. Under Restricted Use, data can only be used to provide the extension's core functionality. No secondary uses are permitted. Your privacy policy must explicitly state your compliance with these restrictions.

Q: What if my certification does not match my privacy policy?

Google checks for consistency between your data handling certification, your privacy policy, and your extension's actual behavior. If your certification says you do not collect location data but your privacy policy mentions geolocation, or vice versa, your extension will be flagged. All three must be consistent.

Q: Do I need to update my certification when I update my extension?

Yes. If you add new permissions or change how your extension handles data, you must update both your data handling certification and your privacy policy before submitting the update. Submitting an update with changed permissions but unchanged certifications will trigger review issues.

Manifest V3 and Privacy

Manifest V3 is Chrome's current extension platform, replacing Manifest V2. While MV3 does not directly change privacy policy requirements, it introduces architectural changes that affect how your extension handles data, and your privacy policy must reflect the new data flows.

Service Workers Replace Background Pages

In MV2, extensions could use persistent background pages that ran continuously and held data in memory. MV3 replaces these with service workers that are event-driven and terminate when idle. This means your extension can no longer keep data in memory indefinitely. If your extension previously held user data in a background page variable, it now must store that data in chrome.storage.local, chrome.storage.session, or chrome.storage.sync.

This change affects your privacy policy because data that was previously ephemeral (held in memory and lost when the browser closed) may now be persisted in storage. If your MV3 extension uses chrome.storage.sync, the data is synced across the user's devices via their Google account. Your policy should disclose this.

declarativeNetRequest Replaces webRequest Blocking

MV3 replaces the webRequest blocking API with declarativeNetRequest for most use cases. This is a privacy improvement because declarativeNetRequest uses predefined rules rather than allowing extensions to observe and modify every network request in real time. If your extension migrated from webRequest to declarativeNetRequest, your privacy policy may need fewer data handling disclosures since the extension no longer has direct access to request content.

However, some extensions still use webRequest in observational (non-blocking) mode, which MV3 permits. If your extension observes network requests without blocking them, your privacy policy must still disclose this data access.

Did you know?

Chrome is phasing out Manifest V2 support entirely. Starting in 2024, MV2 extensions can no longer be published as new listings, and existing MV2 extensions are losing functionality. If your extension still uses MV2, you will need to migrate to MV3, and that migration is the perfect time to review and update your privacy policy to match the new architecture.

MV2 vs MV3: Privacy Disclosure Comparison

Feature | Manifest V2 | Manifest V3
--- | --- | ---
Background data handling | Persistent background page, data in memory | Service worker, data must be stored persistently
Network request access | Full webRequest API (blocking + observing) | declarativeNetRequest (rules-based) + observe only
Data storage disclosure | May be less, if data was only in memory | More storage use, must disclose persistence
Cross-device sync | Optional via chrome.storage.sync | More likely due to service worker ephemerality
Privacy review scrutiny | Standard review | Enhanced review for data-heavy extensions

Common Chrome Extension Privacy Mistakes

These mistakes are the most common reasons Chrome extensions get rejected or removed from the Web Store. Each one reflects a misunderstanding of what Google requires and what privacy laws demand.

Mistake: "My extension only changes CSS so no policy is needed"

CSS-modifying extensions still need content script access to inject styles into web pages. This means your extension has access to the DOM of whatever pages it runs on. Even if your extension does not read page content, the permission to do so means you should have a privacy policy. Additionally, if your extension uses host permissions or <all_urls> to inject CSS broadly, Google requires even more detailed disclosures.

Mistake: "activeTab does not collect data"

The activeTab permission gives your extension temporary access to the current tab when the user clicks the extension icon. During that access, your extension can read the page URL, title, and content. Whether you read and store that data or not, the capability exists. If your extension reads anything from the active tab, even the URL, that is user data access. Your privacy policy should disclose what you access and whether you store or transmit it.

Mistake: "I use chrome.storage.local so data stays local"

While chrome.storage.local does keep data on the user's device, it still constitutes data collection and storage. Your privacy policy must disclose what data is stored locally and for what purpose. Additionally, if you use chrome.storage.sync instead, the data is synced to the user's Google account and stored on Google's servers, which is a significantly different data flow that requires explicit disclosure.

Mistake: "Google's privacy policy covers my extension"

Google's privacy policy covers the Chrome browser and Google services. It does not cover your extension. You are the data controller for your extension's data handling. Google is the platform provider. Your extension is your software, and you are responsible for disclosing how it handles user data. Pointing to Google's privacy policy does not satisfy the Chrome Web Store requirement.

Mistake: "I will add one later after publishing"

If your extension handles user data, you cannot publish without a privacy policy. The review process will reject your submission. Even if an earlier version was published without one, submitting an update that adds data-related permissions without providing a privacy policy URL will trigger a rejection. Create your privacy policy before you submit your extension for review, not after.

How to Create a Privacy Policy for Your Chrome Extension (7 Steps)

Follow this process to create a privacy policy that satisfies the Chrome Web Store requirements, passes the review process, and complies with GDPR and CCPA.

1. Audit every permission in your manifest.json

Open your manifest.json and list every permission under "permissions", "optional_permissions", and "host_permissions". For each one, document what data it gives your extension access to. Remove any permissions you are not actively using. Fewer permissions mean fewer disclosure requirements and a smoother review.

2. Map all data flows in your extension

Trace how data moves through your extension from start to finish. What data is read from the browser or web pages? What is processed in your service worker or content scripts? What is stored in chrome.storage? What is sent to any remote server or API? What is shared with any third-party service? Document each flow.

3. Check Limited Use and Restricted Use requirements

Review Google's Chrome Web Store User Data Policy to determine whether your data handling falls under Limited Use or Restricted Use. If your extension accesses sensitive data categories like email content or financial information, additional restrictions apply. Your privacy policy must explicitly address these requirements.

4. Generate your privacy policy

Use a privacy policy generator to create a policy tailored to your Chrome extension's data handling. Include details about each permission, data storage methods, any remote server communication, and all third-party services. The policy must match your data handling certification exactly.

5. Host your privacy policy at a permanent public URL

Publish your privacy policy at a URL that is publicly accessible without requiring a login. Options include a page on your personal or company website, a GitHub Pages site, or any publicly hosted webpage. The URL must remain accessible for as long as your extension is published on the Chrome Web Store.

6. Add the URL to your Developer Dashboard

In the Chrome Web Store Developer Dashboard, go to your extension listing. Find the privacy policy URL field (in the Privacy tab or Store Listing section) and enter your publicly accessible URL. This link will be displayed on your extension's store listing page so users can review it before installing.

7. Complete the data handling certification

Fill out the data handling certification in the Developer Dashboard. Declare every type of data your extension collects and how it is used. Make sure these declarations match your privacy policy exactly. Any mismatch between your certification, your policy, and your extension's actual behavior will cause rejection.

Generate Your Extension Privacy Policy

Answer a few questions about your Chrome extension and get a privacy policy that passes the Web Store review process. Covers permissions, data storage, third-party services, and user rights.

Frequently Asked Questions

Does my Chrome extension need a privacy policy?

If your extension handles any personal or sensitive user data, yes. This includes accessing browsing data, page content, cookies, history, bookmarks, or user identity. The Chrome Web Store will reject extensions that request data-related permissions without providing a privacy policy URL.

What happens if I publish without a privacy policy?

New extensions that handle user data will be rejected during the review process. Existing extensions found to be non-compliant can be removed from the store at any time. Your developer account may face suspension for repeated violations. Google has become significantly stricter about enforcement since 2023.

Where do I add my privacy policy URL?

In the Chrome Web Store Developer Dashboard, go to your extension listing and find the privacy policy URL field in the Privacy tab or Store Listing section. Enter a publicly accessible URL that does not require a login to view. This URL will be displayed on your extension's store listing page.

Does activeTab require a privacy policy?

The activeTab permission alone may not strictly require one, but most extensions using activeTab do read page content or URLs, which constitutes data access. Google recommends a privacy policy for all extensions. If your extension reads anything from the active tab, even temporarily, you should have one.

What must my extension privacy policy include?

Your policy must disclose what data your extension collects, how it uses that data, whether it shares data with third parties, how it stores data, and how users can delete their data. For extensions subject to Limited Use requirements, you must also state your compliance with the Chrome Web Store User Data Policy.

What is the data handling certification?

The data handling certification is a required section in the Developer Dashboard where you declare what data your extension collects and how it uses that data. You must certify whether you collect personally identifiable information, health data, financial data, authentication data, communications, location data, web history, or user activity. Your privacy policy must match these declarations.

Does Manifest V3 change privacy policy requirements?

Manifest V3 does not change the requirements directly, but it affects what you need to disclose. Service workers replace background pages, changing how data persistence works. declarativeNetRequest replaces webRequest blocking, changing network access patterns. If you migrated from MV2, review whether your policy still accurately describes your data handling.


Ready to Publish Your Chrome Extension?

Do not let a missing privacy policy block your Web Store submission. Generate a compliant policy that covers your permissions, data handling, and user rights. Takes under 60 seconds.

Covers GDPR, CCPA, and Chrome Web Store requirements · Customized for extensions · Just $4.99