In May, Google announced updates to its User Data Policy for Chrome extensions. The company said it would soon require all extensions to request access only to the least amount of data. Additionally, more extensions would need to post privacy policies, expanding the list from any extension that handles personal and sensitive user data to any extension that handles user-provided content and personal communications. Today, Google set a deadline for developers to update their extensions accordingly: October 15, 2019.

The changes are now available in Chrome’s user data policy. After October 15, extensions that violate the policy will be removed from the Chrome Web Store and will need to become compliant to be reinstated. New submissions that don’t comply will also be rejected.

Google is asking Chrome developers to take the following steps over the next three months:

  • Inventory your extensions’ current permissions and, where possible, switch to alternatives that are more narrowly scoped. Additionally, include a list of permissions used and the reasons you require them in your Chrome Web Store listing or in an “about page” in your extension. If you expand the features of your extension and require a new permission, you may only request the new permission in the updated version of the extension.
  • If your extension handles Personal or Sensitive User Data, which now also includes user-provided content and personal communications, your Product must both post a privacy policy and handle the user data securely, including transmitting it via modern cryptography. To add a privacy policy, use the developer dashboard to link to your privacy policy with your developer account. All your published extensions share the same privacy policy.
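
One way to carry out the inventory step above, as an added example that is not from Google or the original article: it reads a manifest, lists every requested permission with the key it came from, flags host patterns that cover all sites, and drafts the "permission: reason" lines for the listing. The sample manifest, the `reasons` map and the `activeTab` hint are assumptions made for illustration.

```javascript
// Constructed sample manifest, not taken from any real extension.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Sample Notes Clipper",
  permissions: ["tabs", "storage", "<all_urls>", "https://api.example.com/*"],
  optional_permissions: ["http://*/*"],
  content_scripts: [{ matches: ["*://*/*"], js: ["clip.js"] }]
});

// True for "<all_urls>" and for scheme://host/path match patterns.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|[a-z]+):\/\//.test(p);
}

// True when a match pattern covers every host ("<all_urls>", "*://*/*", "http://*/*").
function isBroadHostPattern(p) {
  if (p === "<all_urls>") return true;
  const m = /^(\*|[a-z]+):\/\/([^/]*)\//.exec(p);
  return m !== null && m[2] === "*";
}

// Collect every permission the manifest requests, with the key it came from.
function inventoryPermissions(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const rows = [];
  const add = (source, list) => {
    for (const p of Array.isArray(list) ? list : []) {
      if (typeof p !== "string") continue;
      const host = isHostPattern(p);
      rows.push({ permission: p, source, kind: host ? "host" : "api",
                  broad: host && isBroadHostPattern(p) });
    }
  };
  add("permissions", manifest.permissions);
  add("optional_permissions", manifest.optional_permissions);
  add("host_permissions", manifest.host_permissions); // Manifest V3 key
  (manifest.content_scripts || []).forEach((cs, i) =>
    add(`content_scripts[${i}].matches`, cs.matches));
  return rows;
}

// Build the "permission: reason" lines for the store listing or about page.
// `reasons` is a hypothetical map maintained by the developer.
function listingLines(rows, reasons) {
  const seen = new Set();
  return rows.filter(r => !seen.has(r.permission) && seen.add(r.permission))
    .map(r => `${r.permission}: ${reasons[r.permission] || "MISSING REASON"}` +
              (r.broad ? " [broad: consider activeTab or explicit hosts]" : ""));
}

console.log(listingLines(inventoryPermissions(SAMPLE_MANIFEST),
  { storage: "Saves clipped notes locally" }).join("\n"));
```

Any line that still says MISSING REASON or carries the broad flag is a permission to justify or narrow before the deadline.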

Google regularly cracks down on Chrome extensions. In May 2015, Google began blocking extensions not listed in the Chrome Web Store. In September 2015, the company disabled inline installation of some Chrome extensions, and then in June 2018, it disabled inline installation completely. In October 2018, the company updated its Chrome Web Store review process and set new extension code requirements. And just last month, Google announced plans to limit content-blocking Chrome extensions that collect sensitive data.