Chrome extensions operate inside the browser with elevated trust, making them a uniquely dangerous collection point for PII. Collecting names, emails, or browsing patterns without explicit opt-in consent violates GDPR Art. 6 and Art. 7, CCPA §1798.100, and the Chrome Web Store User Data Policy — each of which requires a lawful basis before processing. CWE-359 captures the failure mode precisely: exposing private information without authorization. Beyond compliance, extensions that silently harvest PII expose users to identity theft and damage developer reputation irreparably if discovered by a store reviewer or security researcher.
Critical because silent PII collection without consent is the defining privacy violation regulators and app store reviewers flag first — it enables data harvesting at browser-scale with zero user awareness or recourse.
Gate every PII collection call behind a stored consent flag. Add an explicit opt-in toggle to your options page before any data leaves the device:
<label>
  <input type="checkbox" id="enableTracking" />
  Allow anonymous usage statistics to improve this extension
</label>
Then in your background script, read the flag before sending:
chrome.storage.local.get(['consentGiven'], ({ consentGiven }) => {
  if (consentGiven) {
    sendAnalytics(data);
  }
});
Default the flag to false (opt-in, not opt-out) so unconfigured installs never transmit PII.
ID: extension-data-privacy.data-collection.pii-consent
Severity: critical
What to look for: Examine popup/options UI and background script for consent mechanisms. Check whether collection of personally identifiable information (name, email, account identifiers, browsing patterns linked to identity) requires explicit user interaction or opt-in before any data is sent or stored. Look for consent UI, confirmation dialogs, or consent storage flags.
Pass criteria: Count all PII data points collected by the extension. Any PII collection is preceded by explicit user consent (opt-in checkbox, button click, permission dialog) covering 100% of PII types. User can enable/disable PII collection in extension options. Consent is logged or tracked before data is processed. Do not pass when consent covers only some PII types but not all.
Fail criteria: PII is collected or sent without prior explicit user consent. Collection happens automatically on install or during background script execution without confirmation. No consent UI or mechanism found. Quote the specific code pattern that collects PII without consent.
Skip (N/A) when: The extension does not collect any PII — e.g., it only processes public content, does not interact with user accounts, does not send any user data externally.
Detail on fail: Specify which PII is collected without consent. Example: "User email collected and sent to external API without consent mechanism. No opt-in prompt found in options UI." or "Background script automatically logs user's active tab history without user confirmation."
Remediation: Implement explicit consent for any PII collection. In your options page, add a toggle:
<label>
  <input type="checkbox" id="enableTracking" />
  Allow anonymous usage statistics to improve this extension
</label>
Then in your background script, check consent before collecting:
chrome.storage.local.get(['consentGiven'], (result) => {
  if (result.consentGiven) {
    // Collect PII only after this check passes
  }
});
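The two snippets above show the checkbox and the gate but not the glue between them: nothing persists the `enableTracking` checkbox into the `consentGiven` flag, and a truthy non-boolean in storage would also pass the `if`. The following added example (not code from the original page or any extension) supplies that wiring for both the remediation above and the earlier one: an options-page binder that stores the checkbox state under `consentGiven`, a gate that only sends when the stored value is exactly `true` (so a fresh install with no key is treated as no consent), and a constructed in-memory stand-in for `chrome.storage.local` so the logic can be run under Node. The `consentUpdatedAt` key and the `sendIfConsented` / `bindConsentCheckbox` names are assumptions of this example.

```javascript
// Added example: consent flag wiring for a Chrome extension (hypothetical helpers,
// not the page's own code). Works against chrome.storage.local in an extension and
// against the constructed in-memory storage below outside one.

const CONSENT_KEY = 'consentGiven';
const CONSENT_TIME_KEY = 'consentUpdatedAt'; // assumed key: records when consent changed

// Promise wrapper over the callback-style storage.get. Only an explicit boolean
// true counts as consent: a missing key (fresh install) or a string like "yes" does not.
function readConsent(storage) {
  return new Promise((resolve) =>
    storage.get([CONSENT_KEY], (items) => resolve(items[CONSENT_KEY] === true))
  );
}

// Persist the flag as a strict boolean plus a timestamp, so consent is tracked
// before any data is processed.
function writeConsent(storage, value) {
  return new Promise((resolve) =>
    storage.set({ [CONSENT_KEY]: value === true, [CONSENT_TIME_KEY]: Date.now() }, resolve)
  );
}

// Background-script gate: send(data) runs only when consent is stored.
// Returns true if data left the device, false if it was withheld.
async function sendIfConsented(storage, data, send) {
  if (!(await readConsent(storage))) return false;
  await send(data);
  return true;
}

// Options-page wiring: reflect the stored flag into the checkbox and persist changes.
// In the extension: bindConsentCheckbox(chrome.storage.local, document.getElementById('enableTracking'))
async function bindConsentCheckbox(storage, checkbox) {
  checkbox.checked = await readConsent(storage);
  checkbox.addEventListener('change', () => writeConsent(storage, checkbox.checked));
}

// Constructed stand-in for chrome.storage.local (same get/set callback shape).
function makeMemoryStorage(initial = {}) {
  const store = { ...initial };
  return {
    get(keys, cb) {
      const out = {};
      for (const k of keys) if (k in store) out[k] = store[k];
      cb(out);
    },
    set(items, cb) {
      Object.assign(store, items);
      if (cb) cb();
    },
  };
}

// Constructed stand-in for the checkbox element (only what the binder uses).
function makeFakeCheckbox() {
  const listeners = [];
  return {
    checked: false,
    addEventListener(type, fn) { if (type === 'change') listeners.push(fn); },
    async click() {
      this.checked = !this.checked;
      for (const fn of listeners) await fn();
    },
  };
}

// Walk through install -> opt-in -> opt-out and report what the gate did at each step.
async function demo() {
  const storage = makeMemoryStorage(); // fresh install: no consent key at all
  const sent = [];
  const send = async (d) => { sent.push(d); };
  const pii = { email: 'user@example.invalid' }; // constructed sample PII

  const freshInstallSent = await sendIfConsented(storage, pii, send);

  const box = makeFakeCheckbox();
  await bindConsentCheckbox(storage, box);
  await box.click(); // user opts in
  const afterOptInSent = await sendIfConsented(storage, pii, send);

  await box.click(); // user opts out again
  const afterOptOutSent = await sendIfConsented(storage, pii, send);

  // A non-boolean truthy value in storage must not be read as consent.
  const stringFlagAccepted = await readConsent(makeMemoryStorage({ [CONSENT_KEY]: 'yes' }));

  return { freshInstallSent, afterOptInSent, afterOptOutSent, sentCount: sent.length, stringFlagAccepted };
}

if (typeof chrome === 'undefined') {
  demo().then((r) => console.log(r)); // expect only the opt-in step to send
}
```

The strict `=== true` comparison is the point of the example: a reviewer applying the pass criteria above should see that an unset, corrupted, or non-boolean flag falls on the "no consent" side, and that the checkbox and the gate share one storage key.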