Back to articles

Extension privacy policies explained: what 'we may sell your data' actually means

LayerX found 82 Chrome extensions legally sell 6.5M users' data via buried privacy policies. Here's how the fine-print loophole works and how to check yours.

Maxim Kosterin
8 min read

You installed an ad blocker to stop being tracked. It's got great reviews, millions of users, and it does exactly what it says — blocks ads. The irony is that it might also be selling your browsing history to data brokers.

Legally. With your consent, technically.

That's the conclusion from LayerX Security's 2026 browser extension report, which identified 82 Chrome extensions collectively reaching 6.5 million users that openly disclose selling user data — in privacy policies almost nobody reads.

This isn't malware. There's no stealthy code, no hidden command-and-control server. The data collection is fully disclosed. It just happens to be disclosed in a way that makes it practically invisible.

How the "we may sell" clause works

Privacy policies for browser extensions aren't regulated the way app store privacy labels are. Google requires extensions to publish a privacy policy if they collect data, but doesn't verify the accuracy of claims in those policies — or verify whether store-page badges match what the policy actually says.

The typical legal language looks like this: "We may sell or share your personal information with third parties for marketing, analytics, or business purposes."

That phrase — "we may sell" — is a legal hedge. According to LayerX Security's analysis of this clause across extension privacy policies, it creates a blanket authorization: by installing the extension and clicking through to an implied acceptance of the policy, you've agreed that your data can be sold at any time, to any recipient, for any disclosed purpose. The developer doesn't need to notify you when they actually sell. They just do.

What makes this especially effective as a privacy risk is the word "may" — it sounds tentative. It doesn't sound like a certainty. But legally, "may sell" functions identically to "will sell when it's profitable." You've already consented to the transaction.

What these policies actually enable

The data types covered under these clauses vary by extension, but LayerX Security's research identified several recurring categories.

Browsing history. The most common. Every URL you visit, timestamped, often with referrer data attached. For someone with a productivity extension installed, that means every internal dashboard, SaaS tool, and research query they access during the day.

Streaming preferences and viewing habits. This is the specialty of a network of 24 extensions that LayerX Security identified targeting Netflix, Hulu, Disney+, Amazon Prime Video, and HBO Max users. The extensions collect what you watch, when, and for how long — along with demographic data used to build audience profiles.

Inferred sensitive characteristics. Some privacy policies LayerX Security analyzed permit selling data that includes inferred health conditions, religious beliefs, and sexual orientation — derived from browsing patterns rather than explicitly provided. This isn't data you typed in. It's data someone inferred from your browsing and then packaged for sale.

Corporate browsing data. Probably the most under-discussed risk in this research. LayerX Security identified 29 extensions operating as B2B "sales intelligence" tools, capturing employees' internal browsing across CRM systems, research tools, and SaaS platforms. That data feeds into commercial databases accessible to external customers — potentially including your competitors. No breach required. Just an extension your sales team installed two years ago.

Resume and job-application content. Some job-helper extensions capture the content of applications and resume uploads, which falls under the same "may sell" umbrella.

Real examples from the research

LayerX Security named specific extensions as illustrations of these practices.

Eight confirmed ad blockers with a combined 5.5 million users were identified as selling user data. The two largest — Stands AdBlocker (3 million users) and Poper Blocker (2 million users) — are covered in more detail in the ad blocker review I wrote earlier. According to LayerX Security's findings, Poper Blocker's policy disclosed selling data that included inferred health conditions and sexual orientation. Neither extension has publicly responded to these findings.

A network of 24 extensions tracked by LayerX Security under the name "QVI Empire," operated by HideApp LLC, targets streaming platform users and reaches approximately 800,000 people. More detail on that network is in the streaming extensions review.

There's also a mislabeling problem worth knowing about. One extension — Dashy New Tab — carries a "does not sell your data" designation on its Chrome Web Store listing. Its actual privacy policy, according to LayerX Security's research, states: "Sold or Shared: Yes."

As of the time of that report, the Chrome Web Store had not updated its verification process to catch this discrepancy. Google has not publicly responded to these findings.

That last case illustrates something important: the store listing page is not a reliable source of truth. It's self-certified. The privacy policy is the only document that has legal standing.

When this is a minor issue vs when it's a real problem

Not all data selling carries the same risk. Here's how I'd roughly stack the severity:

Lower concern: Aggregate, anonymized browsing data shared with general analytics providers for trend research — the kind that ends up in market reports. Real anonymization and aggregation genuinely reduce individual exposure.

Medium concern: Browsing history sold to advertising networks for retargeting. Still linked to you personally, still used to build a profile, but the practice is mainstream and most people vaguely expect it at this point.

High concern: Inferred sensitive characteristics — health, religion, sexual orientation — sold to unspecified third parties. You have no visibility into who buys this, and in many jurisdictions these categories carry heightened legal protections for good reason.

Highest concern: Corporate browsing data captured by B2B tools. This isn't really about individual privacy at all — it's a business intelligence leak. A competitor can buy data about which CRM, research tools, and competitive analysis platforms your team uses, with no security incident, no breach notification, and no legal obligation to tell you.

The core problem is that most users can't tell which category their extension falls into without reading the full privacy policy — which takes ten minutes and requires knowing what to look for.

How to actually check your extensions

Read the privacy policy, not the store badge. The Chrome Web Store's self-certification badges can contradict the actual policy text, as the Dashy New Tab case shows. The policy document is what governs legally.

Search for these specific phrases:

  • "we may sell"
  • "share with third parties"
  • "data buyers" or "data partners"
  • "inferred" or "derived" characteristics

Any of these in the policy means data can leave the extension and reach recipients you don't know.

Check whether the policy names specific recipients. Vague language like "trusted partners" is a warning sign. A policy worth trusting names categories of recipients and explains why.

For enterprise users: audit B2B tools specifically. If anyone on your team uses sales intelligence, research, or prospecting extensions, these are disproportionately represented in the data-selling category. The risk here isn't personal — it's competitive.

You can scan your installed extensions for privacy policy status, permissions, and data collection flags at Extenshi without reading thirty policies manually.

One broader context note: this is a different problem from the one I covered in the Arcanum study deep dive. That research was about 3,000 extensions collecting data with no privacy policy — a violation of Chrome Web Store policy. This LayerX finding is about extensions that do have privacy policies that do disclose data selling — the mechanism works exactly as designed, just not in your favor. Two failure modes, both worth knowing.

Common questions about extensions selling data

Do browser extensions actually sell your data? Some do, and they say so. LayerX Security identified 82 Chrome extensions, reaching 6.5 million users between them, whose own privacy policies disclose selling or sharing user data. The selling isn't hidden in code — it's hidden in fine print most people never open.

Is it legal for an extension to sell my browsing history? In most cases, yes. A privacy policy that says "we may sell or share your personal information" plus your install-time acceptance is, legally, consent. The developer doesn't have to ping you each time a sale happens. That's why the "we may sell" clause is so effective — it's disclosure that doubles as blanket authorization.

How do I know if an extension sells my data? Read the actual privacy policy, not the Chrome Web Store badge — the two can contradict each other. Search the policy text for "we may sell," "share with third parties," "data partners," and "inferred" or "derived" characteristics. Any of those means your data can leave the extension and reach recipients you'll never see.

Can I trust the "does not sell your data" badge on the store listing? Not on its own. The badge is self-certified by the developer, and Google doesn't verify it against the policy text. The Dashy New Tab case above carried that exact badge while its policy said "Sold or Shared: Yes." The policy is the document with legal standing; the badge isn't.

Check your extensions for data-selling permissions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles