GDPR Art. 5(1)(e) (storage limitation) and Art. 13(2)(a) (information to be provided, including the retention period) together require that users are told how long their data is retained and that data is not kept longer than necessary. A privacy policy silent on retention leaves users unable to judge whether they need to exercise their GDPR Art. 17 right to erasure, because they cannot tell whether the data is still held, for how long, or where. CCPA §1798.100 similarly obligates disclosure of retention practices. For extensions, where users often forget they have installed a tool that is still collecting data, silence about retention (which in practice usually means indefinite retention) compounds the harm.
Severity is low because a missing retention disclosure is a compliance gap rather than an immediate data exposure. It nonetheless undermines user rights under GDPR Art. 17 (right to erasure) and prevents users from making an informed decision about keeping the extension installed.
Add a "Data Retention" section to your PRIVACY.md or hosted policy that specifies a concrete period for each data type collected:
## Data Retention
| Data type | Retention period |
|------------------|-----------------------------------------------|
| User preferences | Until extension is uninstalled |
| Usage logs | 30 days, then automatically deleted |
| Error reports | 7 days, used only for debugging |
| Cached page data | Session only — kept in memory, cleared when the browser session ends |
If your code already enforces deletion (e.g., via a scheduled chrome.alarms cleanup), describe that behavior in the policy so the two stay consistent. If it does not, add cleanup logic that enforces exactly the period you document; a policy that promises "30 days" while the code never deletes anything is a misstatement, not a disclosure.
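The following is an added example (not code from the page or from any particular extension) of the cleanup logic such a policy should be backed by: the retention schedule is declared once as data, a pure function applies it to a snapshot of storage, and an MV3 service worker runs that function from a daily `chrome.alarms` alarm. The storage keys `usage_logs` and `error_reports`, the record shape (`{ ts, ... }` with `ts` in epoch milliseconds), and the sample records are assumptions made for the example.

```javascript
// Added example, not from the page or any extension's code base.
// Retention schedule in days, declared once so the privacy policy's
// "Data Retention" table and the enforcement code cannot drift apart.
// The keys are hypothetical chrome.storage.local keys.
const RETENTION_DAYS = {
  usage_logs: 30,    // policy: "30 days, then automatically deleted"
  error_reports: 7,  // policy: "7 days, used only for debugging"
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Keep only records whose `ts` (epoch ms) falls inside the retention window.
// A record with no valid timestamp cannot be shown to be within policy, so it
// is dropped rather than kept indefinitely.
function pruneExpired(records, maxAgeDays, now = Date.now()) {
  const cutoff = now - maxAgeDays * DAY_MS;
  return records.filter((r) => r && Number.isFinite(r.ts) && r.ts >= cutoff);
}

// Pure core: apply the schedule to a snapshot of storage. Returns the updated
// snapshot and, per key, how many records were removed (useful for auditing).
function applySchedule(snapshot, schedule, now = Date.now()) {
  const updated = {};
  const removed = {};
  for (const [key, days] of Object.entries(schedule)) {
    const before = Array.isArray(snapshot[key]) ? snapshot[key] : [];
    const after = pruneExpired(before, days, now);
    updated[key] = after;
    removed[key] = before.length - after.length;
  }
  return { updated, removed };
}

// Storage-backed wrapper. `storage` is anything with the promise-returning
// get(keys) / set(items) shape of chrome.storage.local.
async function enforceRetention(storage, schedule = RETENTION_DAYS, now = Date.now()) {
  const snapshot = await storage.get(Object.keys(schedule));
  const { updated, removed } = applySchedule(snapshot, schedule, now);
  await storage.set(updated);
  return removed;
}

// Constructed sample data: one usage log entry past the 30-day window and one
// inside it; one error report from today and one legacy entry with a corrupt
// timestamp (which must be pruned, not retained forever).
function sampleSnapshot(now) {
  return {
    usage_logs: [
      { ts: now - 31 * DAY_MS, page: 'example.test/a' },
      { ts: now - 2 * DAY_MS, page: 'example.test/b' },
    ],
    error_reports: [
      { ts: now, msg: 'content script failed' },
      { ts: 'unknown', msg: 'legacy entry' },
    ],
  };
}

// MV3 service-worker wiring; only executes inside an extension context.
// Alarms created on install survive service-worker restarts, so the cleanup
// keeps running even while the extension is otherwise idle.
if (typeof chrome !== 'undefined' && chrome.alarms && chrome.storage) {
  chrome.runtime.onInstalled.addListener(() => {
    chrome.alarms.create('retention-cleanup', { periodInMinutes: 24 * 60 });
  });
  chrome.alarms.onAlarm.addListener((alarm) => {
    if (alarm.name === 'retention-cleanup') enforceRetention(chrome.storage.local);
  });
}
```

Keeping `applySchedule` pure (no storage, no clock) is what makes the documented period verifiable: a reviewer can feed it a fixed `now` and a constructed snapshot and confirm that a record exactly 30 days old is kept while one a millisecond older is removed, which is the boundary the policy text commits to.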
ID: extension-data-privacy.third-party-sharing.retention-periods
Severity: low
What to look for: Read the privacy policy for sections on data retention. Check whether it specifies how long user data is retained (e.g., "30 days", "until user deletes", "permanently"). If no explicit retention policy exists, check code for any automatic deletion logic.
Pass criteria: Enumerate every data type collected and the retention period stated for each. The privacy policy gives a clear retention period (e.g., "30 days", "until uninstall") for every data type collected, with no exceptions. If retention varies by data type, a separate period is specified for each.
Fail criteria: Privacy policy is silent on retention. No mention of how long data is kept or whether it is ever deleted.
Skip (N/A) when: The extension does not collect any persistent user data, or only stores transient in-memory data.
Detail on fail: Examples: "Privacy policy does not specify retention period for stored user activity logs"; "No information provided on when user data is deleted from servers"; "Policy mentions data collection but not data deletion procedures."
Remediation: Add a "Data Retention" section to your privacy policy:
## Data Retention
- User preferences: Retained until the user uninstalls the extension
- Usage logs: Retained for 30 days, then automatically deleted
- Error reports: Stored for 7 days for debugging purposes