
Google Chrome – Rate Limits and Policy Updates
Google has recently introduced a series of user-centric safeguards in Google Chrome designed to curb notification spam and elevate the overall quality of notifications for both users and developers. These changes include automatic revocation of web push notification permissions for sites that send low-value or excessive alerts with little user engagement, and intelligent spam protection mechanisms that mute or block unwanted notifications while preserving essential messages. Chrome’s enhanced Safety Check updates also proactively strip notification access from dormant or spammy origins, giving users greater control over what they receive and encouraging publishers to focus on high-value engagement. Collectively, these developments help reduce clutter and nuisance for subscribers while strengthening trust and relevance in the push ecosystem, ultimately benefiting legitimate web push customers who prioritize meaningful communication.
To improve the ecosystem further, Google has now begun rolling out a new Push API rate limiting mechanism in Chrome, designed to protect users and improve the quality of web push notifications across the open web. According to the official Chrome Developers blog, this change targets abusive or low-value notification volumes while preserving effective and valuable web push delivery for legitimate sites and engaged users. Here are all the details.
Why This Matters
Web push notifications are among the most powerful tools in a website owner’s engagement toolbox: they allow sites to reach users with timely alerts even when the user doesn’t have the website open. For subscribers, that means being informed about breaking news, chat messages, transactional alerts, reminders, and other updates without actively opening a site or app.
However, like any powerful communication channel, push notifications can be misused, whether due to poor site practices, changed behaviors after permission was granted, or malicious intent. With some sites sending numerous notifications that add little value to users’ workflows, it became clear that a mechanism was needed to ensure notifications remain meaningful and welcome.
What the New Rate Limits Do
Chrome’s new rate limiting introduces a smart, engagement-based control system. Instead of imposing a flat technical quota for all websites, the browser evaluates how users actually interact with a site and adjusts notification delivery permissions accordingly.
How the Limits Are Determined
Chrome assesses three core engagement criteria daily for each site:
- Push messages sent relative to users’ time spent on the site
- Permission prompts shown relative to time on site
- User engagement levels, including site engagement scores and foreground duration
If a website consistently sends a high volume of push messages with very low engagement, Chrome considers this potentially disruptive and applies rate limits.
Specifics of the Rate Limit Logic
Under these rules:
A rate limit is triggered when a site’s notifications appear disproportionate to genuine user engagement.
Once limited, the site can continue delivering up to 1,000 push messages per minute, a generous threshold that accommodates most legitimate use cases, but additional requests above that rate will receive an HTTP 429 “Too Many Requests” response.
The enforcement duration escalates if a site repeatedly meets disruptive criteria:
- First day of disruptive behavior → rate limit applied for 1 day
- Second consecutive day → 7-day rate limit
- Third and further days → 14-day rate limit
A site regains normal behavior status after 42 consecutive days of non-disruptive activity. This tiered approach is intentional, ensuring that rate limits are not arbitrary but tied to patterns of user engagement. The idea is to encourage sites to review and improve their push strategies if they generate unnecessary notifications.
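The 1,000-per-minute ceiling and the HTTP 429 response described above call for pacing on the sender side. The following JavaScript is an added example, not code from Google or PushAlert; `SlidingWindowThrottle`, `fakePushService` and `drain` are hypothetical names constructed for the demonstration, and the sliding 60-second window is an assumption, since the article does not say how Chrome counts a minute.

```javascript
// Added example: pacing sends for an origin that Chrome has rate limited.
// LIMIT_PER_MINUTE is the figure from the article; the sliding window, the
// fake push service and the virtual clock are constructed for this demo.
const LIMIT_PER_MINUTE = 1000;
const WINDOW_MS = 60_000;

class SlidingWindowThrottle {
  constructor(limit = LIMIT_PER_MINUTE, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.sentAt = []; // timestamps of requests still inside the window
  }
  // Returns 0 when a request may go out now, else the ms until a slot frees.
  delayFor(now) {
    while (this.sentAt.length && this.sentAt[0] <= now - this.windowMs) this.sentAt.shift();
    if (this.sentAt.length < this.limit) return 0;
    return this.sentAt[0] + this.windowMs - now;
  }
  record(now) { this.sentAt.push(now); }
}

// Constructed stand-in for a push endpoint: 201 while the window has room,
// 429 once `limit` accepted requests already sit inside it.
function fakePushService(limit = LIMIT_PER_MINUTE, windowMs = WINDOW_MS) {
  const accepted = [];
  return (now) => {
    while (accepted.length && accepted[0] <= now - windowMs) accepted.shift();
    if (accepted.length >= limit) return 429;
    accepted.push(now);
    return 201;
  };
}

// Sends `count` messages on a virtual clock (1 ms per request) and reports
// how many were delivered and how many requests were answered with 429.
function drain(count, send, throttle = null) {
  let now = 0, delivered = 0, rejected = 0;
  while (delivered < count) {
    const wait = throttle ? throttle.delayFor(now) : 0;
    if (wait > 0) { now += wait; continue; }
    const status = send(now);
    if (throttle) throttle.record(now);
    if (status === 429) { rejected++; now += 1000; } // back off 1 s, retry
    else delivered++;
    now += 1;
  }
  return { delivered, rejected, elapsedMs: now };
}
```

Calling `drain(2500, fakePushService(), new SlidingWindowThrottle())` delivers every message with no 429 responses, while the same call without the throttle spends its second minute retrying rejected requests.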
How Would I Know If My Site Is Affected?
Google has categorically stated that “Nearly all websites will be unaffected by this change”. It is targeted at a very small number of sites that send excessive notifications. For PushAlert customers, we will proactively inform you via your registered email address if your site has been rate limited. You will also be able to check your total sent analytics, which will drop as a result of the rate limit.
Other Recent Changes to Google’s Policy on Web Push Notifications
Spam Protection using Machine Learning
Chrome has also begun leveraging machine-learning-based spam protection on web push notifications to enhance user safety and signal quality. As part of its ongoing efforts, Chrome uses on-device machine learning models to analyze incoming notification content in real time and identify alerts that exhibit patterns typical of spam, scams, or malicious intent – such as sensational text or phishing cues – before they reach the user’s screen.
When a notification is flagged as potentially unwanted, Chrome can warn the user with clear choices (for example, to unsubscribe or view the message), helping prevent disruptive or deceptive messages from cluttering notification trays while preserving user privacy because the analysis runs locally on the device rather than being sent to remote servers. This ML-powered filtering builds a smarter, safer push ecosystem, reducing noise for subscribers and encouraging developers to craft higher-quality notifications that are more likely to engage users positively.
Publishers can subscribe to their own notifications and check whether they are being flagged. Improve your notification copy and keep an eye on your CTR. If you see a huge drop, verify whether the content is still being flagged.
Automatic Permission Revocation for Low-engagement Sites
Chrome has also rolled out automatic permission revocation for web push notifications as part of its broader Safety Check and spam mitigation efforts, giving users relief from constant, low-value alerts. Under this system, Chrome detects websites that send a high volume of push notifications while exhibiting very little user engagement (for example, sites that users rarely visit but that still deliver frequent alerts) and then automatically disables that site’s notification permission to reduce distraction and clutter.
When this happens, the user receives a clear notice that Chrome has “unsubscribed” them from notifications, and they can easily restore permissions through Chrome’s Safety Check settings or by revisiting the site and granting permission again. Importantly, installed Progressive Web Apps (PWAs) retain their notification access, and users who prefer full manual control can disable the auto-revocation behavior entirely from Chrome’s settings. The goal of this automatic revocation mechanism is to help users keep only notifications they actually care about, thereby improving the relevance and value of web push messaging across the ecosystem.
Why This Is Good for Web Push Customers
1. Better Subscriber Experiences
For users, this translates to fewer irrelevant, spammy notifications, preserving attention for messages they actually want and value. Rather than overwhelming subscribers, sites will be encouraged to design push campaigns that respect user engagement patterns.
2. Encourages Healthier Engagement Practices
Developers and marketers benefit because notifications that do land are more effective. When your messages are meaningful and correlated with real user interest, they’re more likely to be clicked and less likely to prompt unsubscribes or permission revocations.
3. Minimal Impact on Legitimate Senders
Google explicitly notes that most legitimate sites will not be affected by this change. The rate limit is targeted at a small subset of sites that send large volumes of low-value notifications. We do not recommend sending more than 4-5 notifications in a day. If your push strategy focuses on relevant, timely messages tied to user behavior, you’ll continue delivering notifications without disruption.
4. Protection Against Abuse and Spam
By discouraging notification spam and abusive patterns, this mechanism protects the entire ecosystem. Users are more likely to keep notification permissions enabled when they trust the channel, which benefits all publishers who use push thoughtfully.

