Skip to main content

Google will change how Chrome extensions access data in 2021

Chrome extensions header

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


At Chrome Dev Summit 2020 today, Google announced it will change how extensions access data and how extension permissions work in 2021. On January 18, a day before the release of Chrome 88, Google will require that every extension publicly display its privacy practices and will limit what developers can do with the data they collect.

With over 1 billion users, Chrome is both a browser and a major platform. The Chrome Web Store hosts more than 250,000 extensions and themes with 4 million Chrome extensions downloaded every day. These privacy changes will impact not just users and developers but businesses too, from startups that build extensions to enterprises that rely on extensions for internal and external use.

The first change means that Chrome users next year will determine which websites an extension can access when they browse the web. Once you grant an extension permission to access a website’s data, that preference can be saved for that domain. Today, the extension makes that call. In 2021, you will still be able to grant an extension access to all the websites you visit, but that won’t be the default.

Chrome extensions privacy practices

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

Google outlined the second change last month: “each extension’s detail page in the Chrome Web Store will show developer-provided information about the data collected by the extension, in clear and easy to understand language.” The company also updated its user data privacy policy with an addition to how extension developers use data they collect. Specifically:

  • Ensuring the use or transfer of user data is for the primary benefit of the user and in accordance with the stated purpose of the extension.
  • Reiterating that the sale of user data is never allowed. Google does not sell user data and extension developers may not do this either.
  • Prohibiting the use or transfer of user data for personalized advertising.
  • Prohibiting the use or transfer of user data for creditworthiness or any form of lending qualification and to data brokers or other information resellers.

Starting January 18, listings for extensions on the Chrome Web Store will show whether the developer has certified that their extension complies with the above.

Chrome potentially harmful extensions disabled

This is part of a bigger effort by Google to improve extension security and privacy. Back in May, Google added a new Safety Check with the release of Chrome 83 that tells you if the passwords you’ve asked Chrome to remember have been compromised, whether Google’s Safe Browsing service is turned off, if your Chrome version is up-to-date, and whether any malicious extensions are installed. Since then, Google says that the number of malicious extensions that Chrome disabled to protect people grew by 81%.

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.