GDPR Art. 5(1)(c) codifies data minimization as a legal obligation, not a guideline — collecting more data than your declared function requires is itself a violation. Chrome extensions that request history, cookies, or webRequest permissions for features that do not use them expand the blast radius of any future compromise and invite rejection from store reviewers performing permission audits. CCPA §1798.100 gives users the right to know what data is collected; collecting data not mentioned in your listing undermines that right and exposes you to regulatory action. Overpermissioned extensions are also a primary signal in automated Chrome Web Store policy enforcement.
High because unnecessary permissions and extraneous data collection expand the attack surface of every future vulnerability — a bug in an extension with `history` access is far more damaging than the same bug without it.
Audit your manifest.json permissions against actual API call sites. Remove any permission without a matching chrome.* API call in your codebase:
```json
// BEFORE — overpermissioned
"permissions": ["history", "cookies", "storage", "tabs", "webRequest"]
// AFTER — scoped to actual usage
"permissions": ["storage", "tabs"]
```
Also remove background telemetry not disclosed in your store listing:
```javascript
// Remove if not disclosed in privacy policy
chrome.tabs.onActivated.addListener((info) => {
  analytics.track('tab_switched'); // DELETE
});
```
If you find permissions you intend to use later, remove them now and re-request when the feature ships.
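One way to run the audit described above and apply the 90% threshold from this check's pass criteria, as an added example that is not part of the original rule. `auditPermissions`, the sample manifest and the `background.js` contents are constructed for illustration, and matching on the `chrome.<permission>` namespace is a heuristic assumption:

```javascript
// Added example (not from the original page). Heuristic: a permission counts
// as used when `chrome.<permission>` appears on a non-comment source line.
// Permissions with no chrome.* namespace of their own go to manual review.
const NO_NAMESPACE = new Set(['activeTab', 'unlimitedStorage', 'background']);

function auditPermissions(manifest, sources) {
  const report = { used: {}, unused: [], manual: [] };
  for (const perm of manifest.permissions || []) {
    if (NO_NAMESPACE.has(perm)) { report.manual.push(perm); continue; }
    // Dotted permissions such as "system.cpu" map to chrome.system.cpu.
    const pattern = new RegExp('\\bchrome\\.' + perm.replace(/\./g, '\\.') + '\\b');
    const sites = [];
    for (const [file, text] of Object.entries(sources)) {
      text.split('\n').forEach((line, i) => {
        if (line.trim().startsWith('//')) return; // ignore commented-out calls
        if (pattern.test(line)) sites.push(`${file}:${i + 1}`);
      });
    }
    if (sites.length) report.used[perm] = sites; else report.unused.push(perm);
  }
  const usedCount = Object.keys(report.used).length;
  const checked = usedCount + report.unused.length;
  report.ratio = checked ? usedCount / checked : 1;
  report.passes = report.ratio >= 0.9; // threshold from the pass criteria
  return report;
}

// Constructed sample input: the BEFORE manifest plus a hypothetical background.js.
const sampleManifest = {
  permissions: ['history', 'cookies', 'storage', 'tabs', 'webRequest'],
};
const sampleSources = {
  'background.js': [
    'chrome.storage.local.get("settings", render);',
    '// chrome.history.search({ text: "" }, cb);',
    // chrome.tabs methods work without "tabs"; the permission only exposes
    // url/title/favIconUrl, so this hit still needs a human look.
    'chrome.tabs.query({ active: true }, ([tab]) => render(tab.url));',
  ].join('\n'),
};

const result = auditPermissions(sampleManifest, sampleSources);
console.log(JSON.stringify(result, null, 2));
```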
ID: extension-data-privacy.data-collection.minimal-collection
Severity: high
What to look for: Compare the extension's declared purpose (manifest description, store listing, privacy policy) with what data is actually collected. Check manifest permissions — do they exceed what the extension needs? Examine background scripts and content scripts for any telemetry, logging, or analytics that goes beyond the stated feature set.
Pass criteria: Count every permission in the manifest and list all code references to each permission's API. Requested permissions match the stated functionality with at least 90% actively used. Data collection is narrowly scoped — background scripts only collect what is needed for the declared feature. No extraneous telemetry or analytics beyond what's disclosed to the user.
Fail criteria: Manifest requests permissions for features that don't exist (e.g., tabs permission but extension never reads active tab). Extensive telemetry or analytics collected that is not mentioned in the privacy policy or store listing. Background script logs global browsing data unrelated to extension functionality.
Skip (N/A) when: Never — minimal collection principle applies to all extensions.
Detail on fail: Name the unnecessary permissions or collections. Example: "Manifest requests 'history' permission but extension never accesses browsing history. Adds unnecessary attack surface." or "Background script collects all visited URLs hourly but feature only requires processing current page URL."
Remediation: Remove unused permissions from manifest:
```json
// BEFORE (overpermissioned)
"permissions": ["history", "cookies", "storage", "tabs", "webRequest"]
// AFTER (minimal)
"permissions": ["storage", "tabs"]
```
Remove telemetry unrelated to core functionality:
```javascript
// Remove this if not disclosed
chrome.tabs.onActivated.addListener((activeInfo) => {
  analytics.track('tab_switched');
});
```