Privacy Policy URL is valid and publicly accessible
Why it matters
Chrome Web Store requires a privacy policy for any extension that handles user data, and GDPR Article 13 mandates disclosure of data collection at the point of data gathering. A broken or missing privacy policy URL causes store rejection. Beyond compliance, a placeholder policy ("To be determined") exposes you to regulatory action in the EU and UK — regulators treat a published placeholder as a misrepresentation, not an absence. Users who can't find your privacy policy are far more likely to uninstall or leave negative reviews flagging trust concerns.
Severity rationale
Critical because a missing or broken privacy policy causes Chrome Web Store rejection and creates GDPR Article 13 compliance exposure for EU users.
Remediation
Publish a real privacy policy at a stable URL and reference it in manifest.json. A minimal honest policy is better than a detailed placeholder.
{
  "homepage_url": "https://yoursite.com/privacy"
}
Minimum content required in the policy:
# Privacy Policy
This extension does not collect personal data. User preferences are stored locally in browser storage and are never transmitted to external servers.
If you do collect data, disclose what you collect, why, and the legal basis (GDPR Art. 6). Test that the URL returns HTTP 200 before submitting to the store.
Detection
- ID: privacy-policy-valid
- Severity: critical
- What to look for: Count every privacy policy reference in the project (manifest homepage_url, README links, documentation). Verify at least 1 URL is valid (accessible, not a 404 or redirect loop), publicly readable (not behind authentication), and contains actual privacy disclosure (not a generic or placeholder policy).
- Pass criteria: At least 1 valid privacy policy URL is provided in the manifest's homepage_url or documented elsewhere. The URL is accessible and contains a real, specific privacy policy.
- Fail criteria: 0 privacy policy URLs found, the URL is broken (404), returns an error, or the policy is clearly placeholder text.
- Skip (N/A) when: Never — privacy policies are required by Chrome Web Store.
- Detail on fail: "No privacy policy URL found in manifest or documentation" or "homepage_url points to 404" or "Privacy policy is placeholder text ('To be determined')".
- Remediation: Create a privacy policy and add it to your manifest:
  { "homepage_url": "https://yoursite.com/privacy" }
  Write a clear policy explaining what data you collect, why, and how users can control it. At minimum:
  # Privacy Policy
  This extension does not collect personal data. It stores user preferences locally on their device using browser storage. No data is sent to external servers.
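The detection criteria above, written as an added example (it is not part of the original rule or of any Chrome Web Store tooling): a Python check that reads homepage_url from manifest.json, fetches it, and maps the result to the rule's fail details. The placeholder patterns, the 80-character minimum and all function names are assumptions of this example.

```python
import json
import re
import urllib.error
import urllib.request

# Assumptions of this example: placeholder markers and minimum text length.
PLACEHOLDER_RE = re.compile(r"to be determined|lorem ipsum|\btbd\b", re.I)
MIN_TEXT_CHARS = 80

def policy_url_from_manifest(manifest_text):
    """Return homepage_url only if it is an http(s) URL, else None."""
    url = json.loads(manifest_text).get("homepage_url")
    return url if str(url).startswith(("http://", "https://")) else None

def fetch(url, timeout=10):
    """GET the URL. urllib follows redirects and raises HTTPError if they loop."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # DNS failure, refused connection, timeout
        return 0, ""

def evaluate(url, status, body):
    """Map a fetch result to (verdict, detail) using the rule's fail criteria."""
    if not url:
        return "fail", "No privacy policy URL found in manifest or documentation"
    if status == 404:
        return "fail", "homepage_url points to 404"
    if status in (401, 403):
        return "fail", f"policy is not publicly readable (HTTP {status})"
    if status != 200:
        return "fail", f"policy URL is broken (HTTP status {status})"
    text = " ".join(re.sub(r"<[^>]+>", " ", body).split())  # strip tags, squeeze spaces
    if hit := PLACEHOLDER_RE.search(text):
        return "fail", f"Privacy policy is placeholder text ('{hit.group(0)}')"
    if len(text) < MIN_TEXT_CHARS:
        return "fail", "policy page is too short to contain a disclosure"
    return "pass", "policy URL is reachable and contains policy text"

def check_manifest(manifest_text, fetcher=fetch):
    """Run the whole check; pass a stub fetcher to test without the network."""
    url = policy_url_from_manifest(manifest_text)
    return evaluate(url, *(fetcher(url) if url else (0, "")))

if __name__ == "__main__":  # constructed manifest and page; stub fetcher, no network
    manifest = '{"homepage_url": "https://yoursite.com/privacy"}'
    print(check_manifest(manifest, lambda url: (200, "<p>To be determined</p>")))
```

A pass here only shows that the page is reachable and not an obvious placeholder; whether the policy is specific to the extension still needs a human read.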
External references
- gdpr · Art. 13 — GDPR — Information to be provided where personal data are collected from the data subject
- external · chrome-cws-privacy-policy — Chrome Web Store — Privacy Policy Requirement
- gdpr · Art. 6 — Lawfulness of processing
History
- 2026-04-18·v1.0.0·Initial import from extension-store-readiness·automated