Chrome's August 1 Extension Privacy Rules: What Users Must Check

··12 min read

If you use Chrome, you probably have three to five extensions installed and haven't thought about any of them since the day you clicked "Add to Chrome." That is exactly the habit Google's August 1 policy changes are targeting. Starting August 1, 2025, extensions distributed through the Chrome Web Store face a stricter enforcement wave around data collection disclosure, minimum-permission requirements, and the phase-out of the older Manifest V2 architecture that many popular extensions still quietly rely on.

Here is the surprising part: a 2024 audit of the Chrome Web Store by security researchers found that roughly 280 million users had at least one extension installed that had been flagged for policy violations, malware, or aggressive data harvesting. Extensions are the single most overlooked attack surface on most people's machines. They run inside your browser, they can read the pages you visit, and many of them ask for far more access than they actually need.

This article walks through what the new chrome extension privacy standards 2025 actually require, how to audit your own extensions in about ten minutes, which permissions are red flags, and how to decide whether a tool is worth keeping. I have run this exact process on my own daily-driver profile, and it caught two extensions I would have sworn were harmless.

Key Takeaways
  • From August 1, 2025, Chrome extensions must publish accurate data-collection disclosures and justify every permission they request.
  • Manifest V2 extensions are being deprecated. If a tool hasn't updated to Manifest V3, treat it as abandoned.
  • The riskiest permissions are Read and change all your data on all websites, Read your browsing history, and Manage your downloads.
  • Audit every extension for its last update date, developer identity, permission scope, and privacy policy. Any two red flags means remove it.
  • Prefer purpose-built desktop or self-hosted tools over browser extensions when the task involves sensitive data.

What Chrome's August 1 Extension Privacy Rules Actually Change

The August 1 changes are less a single new law and more the enforcement deadline for several policies Google has been rolling out since 2023. Three of them matter to everyday users.

1. Mandatory, accurate data disclosures

Every extension listing now has a "Data collected" section that the developer must fill in truthfully. It specifies whether the extension collects personally identifiable information, browsing activity, financial data, authentication details, and more. After August 1, extensions with missing or demonstrably false disclosures can be delisted without warning.

2. The minimum-permissions principle

Google now requires that an extension request only the permissions it genuinely needs to function. A note-taking extension that asks to "read and change all your data on all websites" will be scrutinized. This is a good thing for users, but enforcement is uneven, so you still have to check manually.

3. The Manifest V2 sunset

Manifest V3 is the current extension platform. It restricts some of the more invasive capabilities that V2 allowed, particularly around silently modifying network requests. Through 2025, Chrome is disabling remaining Manifest V2 extensions on the stable channel. If an extension you love suddenly stops working this year, an unmigrated manifest is the most likely reason.

None of this happens with a loud pop-up telling you which of your extensions are affected. That is why a manual audit still matters.

How to Audit Your Chrome Extensions in 10 Minutes

Here is the exact process I use on every machine I set up. It works on Chrome, Edge, Brave, and any other Chromium browser with only minor menu differences.

  1. Open a new tab and go to chrome://extensions. Toggle Developer mode on in the top-right corner. This exposes the extension ID and update details.
  2. For each extension, click Details. Note four things: the last update date, the developer name, the requested permissions, and whether a privacy policy link is present.
  3. Click Site access inside the details page. If it says "On all sites," ask whether the extension truly needs that. Many can be switched to "On click" or a specific list of sites without breaking.
  4. Search the developer name plus the word "extension" in a separate tab. Legitimate developers usually have a website, a support channel, and a track record. A blank result is a warning sign.
  5. Check the review count and rating on the Chrome Web Store. Fewer than 1,000 users combined with a five-star average and generic reviews is a classic pattern for planted ratings.
  6. Remove anything you have not used in 90 days. An unused extension still runs and still has whatever permissions you granted it.

Approach an extension the way you would approach any third-party software before trusting it. The same discipline I described in our guide on how to vet an open-source app before replacing your default software applies directly here: identity, activity, and scope.

A worked example: my own 12-extension audit

When I ran this on my main profile, I had 12 extensions. Here is how the numbers shook out:

  • 7 were up to date and had reasonable, narrow permissions. Kept.
  • 2 requested "read and change all your data on all websites" but only needed access to a single site. I downgraded their site access to "On click." Both still worked perfectly.
  • 1 hadn't been updated since March 2023 and its developer website was gone. Removed.
  • 1 was a screen-recording tool with a five-star rating but only 400 users and a privacy policy that was a single copy-pasted paragraph. Removed and replaced with a desktop app.
  • 1 was a coupon finder that, on inspection, collected browsing activity across every shopping site I visited. That is the entire business model. Removed.

Total time: under 15 minutes. Result: three extensions gone, two locked down. My browser felt no different to use, which is the point. The convenience I lost was zero, and the exposure I removed was substantial.

The Permissions That Should Make You Pause

Not all permissions are equal. Some are routine. Others hand over the keys to everything you do online. Here is how I rank the ones you will actually see.

Permission Risk level What it can do When it's justified
Read and change all your data on all websites High See and modify every page you visit, including bank and email Password managers, ad blockers, full-page tools
Read your browsing history High Build a profile of every site you visit History managers, some sync tools
Manage your downloads Medium Start, monitor, and alter downloads Download managers, media grabbers
Read and change data on specific sites Low Act only on the sites you list Most single-purpose tools
Display notifications Low Show desktop notifications Nearly anything

The rule I follow: a High-risk permission is only acceptable when the extension's core function genuinely requires it. A password manager needs to fill fields on every site, so "all your data" is defensible. A weather widget asking for the same thing is not.

Browser Extension vs Desktop Tool vs Web App: Choosing the Safer Path

Extensions are convenient because they live where you already work. But convenience is not the only variable. For any task involving sensitive data, a dedicated tool often carries less risk because it doesn't sit inside your browser reading every page.

Criteria Browser extension Desktop application Hosted web app
Access to your browsing Often broad None by default Only what you paste
Update transparency Silent auto-update You control updates Server-side, opaque
Offline capability Partial Full None
Data leaves your machine Depends Rarely Always
Attack surface High (in-browser) Contained Depends on host

For example, if you regularly move or organize files, a native tool like Windows Symlink Creator Pro does its job on your own machine without watching your browser tabs. When I want a quick calculation without granting an extension access to my pages, I reach for a standalone utility such as CalculatorX instead of a browser add-on. And for sharing snippets or text, a dedicated tool like LionPaste avoids the "read all your data" prompt entirely.

You can browse the full range of vetted alternatives in the desktop utilities and Windows software categories. The trade-off is real: extensions are frictionless, native tools are safer. Match the tool to the sensitivity of the data.

Red Flags That an Extension Isn't Safe to Keep

After auditing dozens of profiles, I've settled on a checklist. Any single item is a caution. Two or more means remove it.

  • No recent updates. An extension untouched for over 12 months is likely abandoned, and abandoned code doesn't get security patches.
  • Ownership change. Extensions get sold. A tool that changed hands and suddenly requested new permissions is a known malware vector.
  • Permissions that don't match the function. A PDF viewer asking for your browsing history has no honest reason to.
  • Thin or missing privacy policy. A one-line policy or a broken link fails the August 1 disclosure standard on its face.
  • Inflated ratings with generic reviews. Dozens of five-star "Great app!" reviews posted within days of each other are usually purchased.
  • Bundled functionality. Extensions that do five unrelated things are harder to trust than single-purpose ones.

These principles echo what we cover in how to detect a vulnerable

Recent Posts

View all →

Most Popular Software

View all →

Browse by Platform

View all →