Google is becoming more transparent about how major corporations like Capital One and PayPal harvest consumer data through browser extensions. Within the past week, Google quietly updated its Chrome Web Store to include a “privacy practices” tab for extensions, shining a new light on one of the most aggressive ways that companies have been tracking online behavior. Users willingly install these popular web extensions to their browsers since they provide benefits like applying discount codes while shopping online, but privacy advocates warn that users may not be aware of just how much data they can be giving away.

“You’re essentially allowing an outside entity access to information that you would otherwise consider private within your browsing window,” says Brian Bartholomew, principal security researcher, Kaspersky.

On February 6, Google added a “privacy practices” tab to the Chrome Web Store after Ad Age inquired about the practices of major financial firms that operate browser extensions. Last year, Google promised it would adopt the in-depth labels, but the changes were quietly implemented last week. In response, Google said: “Starting February 6, every extension is able to publicly display its ‘privacy practices’ which use clear visuals and simple language to explain the data they collect and use. We’ve also limited what developers can do with the data they collect.” Google says the timing of the rollout is coincidental.

Companies have been turning to browser extensions to collect user data as other sources run dry, fueled by a privacy backlash and recent legislation. Third-party cookies are increasingly restricted by most popular browsers. Apple sparked a wave of privacy labeling, beginning with new notices in its App Store. Meanwhile, Google is working on a replacement for third-party cookies that complies with guidelines it calls the Privacy Sandbox.

Browser extensions, specialized programs that can be installed into browsers, are in many ways the middle child of ad tech. They provide a trove of personally identifiable user information, but their usage remains niche because they require a user to actively install and consent to their use. They're not as widely used as third-party cookies, yet they are capable of collecting just as much, if not more data, than cookies. Extensions can collect everything from websites visited to keystrokes and mouse clicks, an especially important concern as everything from work to online shopping is done on browsers. By requiring user installation, they’re not considered as invasive as cookies, but users can be  unaware of the information they’re trading for discounts and deals.

The capabilities of browser extensions as data-harvesting machines have set off alarm bells among privacy watchdogs.

“Browser extensions have access to essentially everything that’s on your browser screen,” says Ashkan Soltani, former chief technologist for the FTC.

Bartholomew says there aren’t enough warnings about the breadth and scope of information the extensions collect from either the extension or the browser. “There’s nothing in your face saying this is what we’re asking to access. I don’t know if it would come across to the normal internet user," he says. "Most users want cool whizz-bangs. Talking about GDPR and privacy issues, most people don’t really care about that, unfortunately.”

Changes to the Chrome Web Store could affect millions of users that use browser extensions offered by major corporations. Honey, which was purchased by PayPal in 2019, has more than 10 million users according to the Chrome Web Store. In its privacy policy, Honey says it does not collect information from search engine history, emails or websites that are not retail sites. On Honey’s Chrome Web Store page, the extension reportedly collects information in three categories: personally identifiable information, financial and payment information, and location.

Capital One—which was formed after the bank purchased and rebranded the Austin, Texas-based online shopping tool Wikibuy in 2018—has more than four million users according to the Chrome Web Store. “The Capital One Shopping extension does not collect all browser activity,” says a Capital One spokesperson. “Data collection is limited to sites with e-commerce experiences and where the data is used to create customer value.” On Capital One’s Chrome Web Store page, the extension reportedly collects information in three categories: personally identifiable information, location, and user activity. 

Shopping data is particularly useful in gaining a deeper knowledge of customers at a time when platforms like Google, Amazon and Facebook act as gatekeepers to their digital information.

Nirish Parsad, marketing technologist at Tinuiti, an online ad performance and marketing agency, says web extensions give users a direct transactional value for giving up their privacy. Banks are interested in this space because it gives them a way to keep up with the tech giants, Parsad says.

“Tech companies are encroaching on financial services,” Parsad says. “Every tech company now has a financial product; that’s what’s motivating PayPal, Capital One, and I’m sure other banks, to find where’s the audiences.” A bank with its own set of customer data could better defend against tech companies like Amazon, who are also racing to build an intimate knowledge of their users.

Granular user information is valuable to banks, says Ross Cosner, VP and analyst at Gartner for Marketers. “Having the amount of data, that type of data from customers, looking at purchasing behaviors, buying power, that stuff is incredibly valuable,” Cosner says, especially when combined with what banks already know about customers.

Although Google says it has been working on the new transparency labels for months, one privacy expert says the implementation seems abrupt.

“The changes are kinda wild,” says Zach Edwards, founder of Victory Medium, a data supply researcher and boutique analytics agency. “Google is rushing to keep up with Apple’s privacy labels, and businesses who have extensions would be wise to approach this process cautiously to ensure they don’t provide users inaccurate information about their practices via this new public disclosure field,” says Edwards.