Chrome Extension Privacy Policy — How to Write One That Passes CWS Review
7 min readChrome Extension Privacy Policy — How to Write One That Passes CWS Review
A privacy policy is your transparency contract with users. The Chrome Web Store (CWS) requires a privacy policy when your extension collects, processes, or transmits any user data. This guide walks you through creating a compliant privacy policy that satisfies CWS reviewers, respects user privacy, and meets legal requirements under GDPR and CCPA.
Understanding CWS Privacy Policy Requirements
The Chrome Web Store’s Developer Program Policies mandate that extensions collecting user data must provide a privacy policy. This requirement exists regardless of whether you operate in the EU or California.
Google reviewers check your privacy policy during the review process. If your policy is missing, vague, or contradicts your extension’s actual behavior, your extension will be rejected. The policy must be accessible at a URL you provide in the CWS developer dashboard.
When Is a Privacy Policy Required?
| Data Activity | Policy Required? |
|---|---|
| Local storage only | Recommended but not required |
| Analytics (even anonymous) | Yes |
| Cookies or site data access | Yes |
tabs, activeTab, webRequest permissions |
Yes |
| Host permissions (:///*) | Yes |
| Sending data to your servers | Yes |
| No data collection whatsoever | Not required |
Required Disclosures
Your privacy policy must clearly address these elements to pass CWS review:
1. Data Collection Practices
State explicitly what data your extension collects. Be specific — “we collect the URLs of tabs you open to provide bookmark functionality” is better than “we collect browsing data.” List each data type:
- Personal information (name, email, if applicable)
- Browsing data (URLs, page content, history)
- Usage data (features used, frequency)
- Device data (browser version, OS type)
- Cookies and local storage
2. Data Usage Purpose
Explain why you collect each data type. Users and reviewers need to understand the connection between the data you collect and the functionality you provide. Avoid generic statements like “to improve user experience” — be specific about what improvement and how.
3. Data Sharing Third Parties
If you share user data with any third parties — analytics providers, advertising networks, API services — disclose this explicitly. Name the third parties where possible. If you don’t share data, state that clearly.
4. User Control and Deletion
Explain how users can access, export, or delete their data. This is a CWS requirement and also a GDPR/CCPA requirement. Provide instructions for data deletion requests if you receive them.
Data Collection Types to Consider
Chrome extensions can access various data types depending on their permissions. Document each one honestly:
Extension-Generated Data
- User preferences stored in
chrome.storage - Extension-specific settings or notes
- Authentication tokens or session data
Browsing-Related Data
- Current tab URL (accessed via
tabsAPI) - Page content (via content scripts)
- Cookies for specific domains
- Browsing history (via
historyAPI)
Third-Party Data
- Analytics events and metrics
- Remote server logs
- API calls to external services
- User authentication data
GDPR and CCPA Compliance
If your extension has users in the European Union or California, your privacy policy must address specific legal requirements.
GDPR Requirements for Chrome Extensions
The General Data Protection Regulation applies to any EU user, regardless of where your business is located:
- Lawful basis: Explain the legal basis for processing (typically consent or legitimate interest)
- Data subject rights: Include information about access, rectification, erasure, and portability rights
- International transfers: If you transfer data outside the EU, disclose this and mention safeguards
- DPO contact: Provide contact information for data protection inquiries
- Right to complain: Inform users they can complain to their local data protection authority
CCPA Requirements for California Residents
The California Consumer Privacy Act requires specific disclosures for California residents:
- Categories of data: List the categories of personal information collected
- Right to know: Explain users can request to know what data you collect
- Right to delete: Explain the deletion request process
- Right to opt-out: If you sell data, include opt-out mechanisms (even if you don’t sell, include a statement)
- Non-discrimination: State that users won’t be discriminated against for exercising rights
Privacy Policy Template
Below is a template you can adapt for your extension. Replace placeholders with your specific information.
# Privacy Policy
**Last Updated:** [Date]
## Overview
[Your Extension Name] ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome extension.
## Data We Collect
### Information You Provide
- [List any user-provided data, e.g., account information, preferences]
### Automatically Collected Information
- [List automatically collected data, e.g., browser type, extension usage data]
- [List any analytics data, even if anonymized]
### Data from Browser Access
- [List what browsing data you access: URLs, page content, cookies, etc.]
- [Explain why each type is needed for extension functionality]
## How We Use Your Data
We use the collected data for the following purposes:
- [Primary functionality, e.g., "to provide the bookmarking service you request"]
- [Secondary purposes, e.g., "to improve our service based on usage patterns"]
## Data Sharing
We do NOT sell your personal information. We may share data with:
- [List third parties: analytics providers, hosting services, etc.]
- [If none, state: "We do not share your data with any third parties"]
## Your Rights
### GDPR Rights (EU Users)
- Right to access your data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
To exercise these rights, contact: [email address]
### CCPA Rights (California Residents)
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt-out of the sale of personal information (if applicable)
To exercise these rights, contact: [email address]
## Data Security
We implement appropriate security measures to protect your information. However, no method of transmission over the Internet is 100% secure.
## Children's Privacy
Our service is not intended for children under 13. We do not knowingly collect data from children under 13.
## Changes to This Policy
We may update this Privacy Policy periodically. We will notify users of any material changes.
## Contact Us
[Your Name/Company Name]
[Email Address]
[Physical Address, if applicable]
Hosting Options for Your Privacy Policy
CWS requires your privacy policy to be hosted at a publicly accessible URL. Here are common options:
Option 1: GitHub Pages (Free)
If your extension has a website or documentation, host the privacy policy there:
https://yourusername.github.io/your-repo/privacy-policy.html
Option 2: Standalone GitHub Gist
Create a Gist and use a service like Githack or Bl.ocks for a raw URL:
https://gist.github.com/yourusername/your-gist-id
Option 3: Your Own Domain
Host on your extension’s website or company domain. This is the most professional option.
Option 4: Notion (Free)
Publish a Notion page and use a service like Notion2HTML for a clean URL. Note: Ensure the page is truly public.
Tips for Passing CWS Review
-
Be specific, not generic: Avoid copy-pasting generic privacy policies. Customize for your extension’s actual data practices.
-
Match your manifest: Your privacy policy should align with permissions in
manifest.json. If you requesttabspermission, explain why in the policy. -
Link from the extension: Consider linking to your privacy policy from your extension’s popup, options page, or Chrome Web Store listing.
-
Update regularly: Review and update your privacy policy when you add new features that collect additional data.
-
Include a contact method: CWS reviewers need to verify users can contact you regarding privacy concerns.
Summary
A compliant privacy policy for your Chrome extension requires:
- Clear disclosure of all collected data types
- Explanation of data usage purposes
- Third-party sharing details (or statement that none occurs)
- User rights information (GDPR and CCPA)
- A publicly accessible URL
- Regular updates as your extension evolves
Invest time in creating an accurate, comprehensive privacy policy. It protects both your users and your extension from rejection or legal issues.