Google unveils new privacy rules for Chrome extensions and Drive
The Project Strobe rules will go into effect this fall.
Google announced new rules that will restrict access to user data for third-party add-ons in Chrome and Drive. From now on, Chrome extension developers must request the least amount of user data their app requires to function. Apps that connect with Google Drive -- such as Pixlr and many popular document signing apps -- will be barred from accessing the entirety of the user's files. The changes are a result of Project Strobe, an audit Google launched in October to study how third-party services handle user data.
Notably, Google will require browser extensions that handle user-provided content and personal communications to post a privacy policy. In the past, Google only required a small number of Chrome plug-ins -- those that handle sensitive user data -- to actually post a privacy policy. While this rules change will add more apps to that list, it doesn't apply to all of the 180,000 options in the Chrome Web Store. Roughly 85 percent of Chrome extensions don't have a privacy policy listed, according to a recent survey of developers. Given that you can't violate a privacy policy without having a privacy policy, this relieves a great number of third-party Chrome developers of liability.
Google Drive apps are being asked to move to a "per-file" user consent model. In short, apps will have to ask for permission each time they need access to an individual file.
While the new privacy rules are promising, they'll take some time to go into effect. Google is making developers aware of the updated policy today, but the rules won't be enforced until this fall. For Google Drive developers, enforcement won't start until early next year.