Google announces new privacy requirements for Chrome extensions

Google today announced two major changes to how it expects Chrome extension developers to protect their users’ privacy. Starting this summer, extension developers are required to only request access to the data they need to implement their features — and nothing more. In addition, the company is expanding the number of extension developers who will have to post privacy policies.

The company is also announcing changes to how third-party developers can use the Google Drive API to provide their users access to files there.

All of this is part of Google’s Project Strobe, an effort the company launched last year to reconsider how third-party developers can access data in your Google account and on your Android devices. It was Project Strobe, for example, that detected the issues with Google+’s APIs that hastened the shutdown of the company’s failed social network. It also extends some of the work on Chrome extensions the company announced last October.

“Third-party apps and websites create services that millions of people use to get things done and customize their online experience,” Google Fellow and VP of Engineering Ben Smith writes in today’s announcement. “To make this ecosystem successful, people need to be confident their data is secure, and developers need clear rules of the road.”

With today’s announcements, Google aims to provide these rules. For extension developers, that means that if they need multiple permissions to implement a feature, they must access the least amount of data possible, for example. Previously, that’s something the company recommended. Now, it’s required.

Previously, only developers who write extensions that handle personal or sensitive data had to post privacy policies. Going forward, this requirement will also include extensions that handle any user-provided content and personal communications. “Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data,” Smith adds.

As for the Drive API, Google is essentially locking down the service a bit more and limiting third-party access to specific files. Apps that need broader access, including backup services, will have to be verified by Google. The Drive API changes won’t go into effect until next year, though.