Skip to content

Google is closing the loophole letting Chrome extensions overcollect your data

Chrome Extensions Face New Data Privacy Rules Starting August 1

Google is tightening the rules on what Chrome extensions can do with your data, and developers have until August 1, 2026 to fall in line. The updated Chrome Web Store developer policies, published July 1 on the official Chrome for Developers blog, close a loophole that let extensions collect information far beyond what their stated purpose required.

If you have ever wondered why a simple coupon finder or screenshot tool wanted access to your entire browsing history, this is Google’s answer. Extensions still collecting data outside their disclosed purpose after the deadline risk removal from the Chrome Web Store.

TL;DR: Google updated its Chrome Web Store developer policies on July 1, 2026, and enforcement starts August 1. Extensions can now only collect data strictly necessary for their stated purpose, and any data collection has to be disclosed upfront, even when it is central to the extension’s job. Google also banned extensions built to bypass AI safety guardrails and ones that enable real money predictive markets. Non compliant extensions risk removal from the Chrome Web Store.

What Google actually changed in the Chrome Web Store rules

Four separate policy areas shifted in this update, and together they reset the baseline for what a Chrome extension is allowed to do with your information.

The Limited Use Policy now restricts developers to collecting only the data their extension’s disclosed single purpose actually requires. Collecting anything extra, for analytics, advertising, or an unreleased future feature, is no longer allowed.

The Disclosure Requirements Policy goes further than the old standard. Previously, developers mostly needed to explain data collection when it was not obvious from what the extension did. Now every instance of data collection needs a clear disclosure, and developers must tell users if their data practices change after installation.

Google also expanded what counts as a prohibited product. Extensions that facilitate real money transactions on predictive outcomes are banned, alongside a new rule against extensions designed to circumvent safety guardrails built into AI powered services.

Policy areaWhat changesEnforcement date
Limited Use PolicyData collection limited to the extension’s disclosed single purposeAugust 1, 2026
Disclosure RequirementsAll data collection must be disclosed, even if core to the extension’s functionAugust 1, 2026
Malicious and Prohibited ProductsExtensions built to bypass AI safety guardrails are bannedAugust 1, 2026
Regulated Goods and ServicesExtensions enabling real money predictive markets are bannedAugust 1, 2026

The announcement lands less than a week after Google’s own Chrome 151 security update patched 382 vulnerabilities, and together the two moves show Chrome tightening from both directions, code level bugs on one side, extension behavior on the other. That gap between requested permissions and actual use is exactly what the next change targets directly.

Why a coupon extension asking for camera access should worry you

The Limited Use Policy targets a pattern that has been common on the Chrome Web Store for years. Extensions request broad permissions during installation, then use only a fraction of that access for their advertised function while quietly logging the rest.

A coupon finder does not need your camera roll. A screenshot tool does not need your full browsing history. Developers now have to justify every category of data against the single purpose they declared, and Google can act on the mismatch directly rather than waiting for a complaint.

That distinction, between data an extension needs and data it simply can access, is the gap that let some of Chrome’s most ordinary looking tools quietly behave like data brokers.

Expect more disclosure prompts, not fewer permissions

The Disclosure Requirements Policy changes what happens after you already trust an extension enough to install it. Previously, an extension only needed to explain collection that was not obvious from its function, so a password manager collecting saved credentials rarely triggered extra disclosure.

Now, disclosure is required regardless of how closely the data relates to the extension’s stated purpose, and developers must notify users if practices change at any point after installation.

Expect more in-extension notices and updated permission screens over the coming weeks, as developers rewrite disclosures to match the new standard. Not every category caught by this update is about data collection, though.

Google is also targeting extensions built to jailbreak AI tools

The Malicious and Prohibited Products Policy addresses a category of extension Google has not explicitly named before. The new rule bans extensions designed to circumvent safety guardrails, usage restrictions, or other protective measures built into AI powered services.

Google did not name specific extensions, but the timing lines up with a rise in browser tools marketed around bypassing content filters or usage limits on AI chatbots and assistants. The policy gives Google clear grounds to remove that category going forward.

Predictive markets got their own explicit ban in the same update. Extensions that let users place real money bets on prediction outcomes directly inside the browser are now barred from the store, closing a category that had been operating in a gray area. Nobody gets a warning before either category disappears, which is exactly why checking your own installed extensions now is worth ten minutes.

What to check on your own extensions before August 1

Enforcement begins August 1, 2026, a little over three weeks after the announcement. Google has not said it will remove extensions automatically the moment the deadline passes, but it has confirmed enforcement action is coming for anything still out of line.

The most useful thing to do in the meantime is open chrome://extensions, look at what each installed extension can access, and ask whether that access matches what the extension actually does. If you rely on Chrome ad blocker extensions or anything else that touches every page you visit, this is a reasonable moment to review permissions rather than waiting for a forced update notice.

Extensions that update their disclosures correctly should not disappear from the store. The ones most likely to face removal are tools that have been quietly overreaching for a while, with no clean way to narrow their data collection without breaking their own business model.

Leave a Reply

Your email address will not be published. Required fields are marked *