The European privacy rights organization noyb has filed a formal complaint against Mozilla for enabling a new feature in its Firefox browser that allegedly tracks users without their consent.
The feature in question, called Privacy-Preserving Attribution (PPA), is designed to measure the effectiveness of online advertisements while minimizing data collection, but noyb claims it violates user rights under the GDPR by being activated without informed consent.
The complaint filed earlier today with Austria’s Data Protection Authority (DSB) alleges that Firefox’s PPA feature was turned on by default with a recent update without notifying users or offering a clear opt-in mechanism. This move has raised concerns, especially given Mozilla’s reputation as a privacy-focused alternative to Google Chrome and other Chromium-based browsers.
The PPA feature, which Mozilla claims is a less invasive method for advertisers to track ad interactions, places Firefox in control of ad performance measurement, bypassing the use of traditional cookies. While Mozilla argues that this setup protects privacy, noyb asserts that it still constitutes tracking—just done by the browser rather than the website.
Felix Mikolasch, a data protection lawyer at noyb, criticized Mozilla’s approach, stating that while the feature may reduce the level of invasiveness compared to cookies, it is still a form of tracking that users were not adequately informed about.
“It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice, and the feature should have been turned off by default.”
Felix Mikolasch, noyb
Mozilla introduced the PPA feature in Firefox version 128, framing it as an experimental measure to help advertisers gauge the success of their ads without resorting to traditional tracking methods. PPA works by allowing websites to request Firefox to store information about ad interactions—known as “impressions.” If a user later engages with the ad by visiting a relevant website, Firefox generates an anonymized report that is sent to an aggregation service. Mozilla claims that the entire process preserves user privacy, as the aggregated data does not include any individual identifying information.
However, the complaint suggests otherwise, accusing Mozilla of violating several GDPR articles, including those requiring transparency and user consent for data processing. Specifically, noyb argues that Mozilla failed to provide any information about PPA in its privacy policies and did not allow users to make an informed choice before activating the feature. The complaint further calls for Mozilla to delete all data processed without user consent and to switch to an opt-in system for features like PPA.
The complaint comes amid broader debates over the future of online advertising and user privacy, with Google recently announcing its decision not to remove third-party cookie tracking from the Chrome browser as previously planned, citing “immature market conditions.”
Privacy-focused browser Brave also criticized Mozilla’s PPA feature via a post on its privacy blog space last week, suggesting that ad measurement should be simple, transparent, and limited to parties trusted by users. Brave’s critique highlighted that Mozilla’s approach still involves third-party aggregators, introducing privacy risks. In contrast, Brave promotes a model that eliminates third-party tracking altogether, centering ad systems around user privacy.
Firefox users worried about PPA can manually opt out of the new feature through the browser’s settings > Privacy & Security > Website Advertising Preferences > uncheck “Allow websites to perform privacy-preserving ad measurement.”
For other privacy-focused browsers, check our guide on private and secure browsers here.
BoBeX
Dear RP Community,
Where the article is fair and reasoned, I only see one serious contention arising:
That Mozilla did not inform clearly;
All I hope is that Mozilla takes the message on board and fixes that.
Wouldn’t no Mozilla mean – no FireFox, no LibreWolf, no Mulvad browser, no Tor browser?
Borat
Firefox has an incredibly low market share, and frustrated users are venting their anger at Google for planning to wipe out MV2 extensions in 2025, claiming they’ll switch to Firefox.
Once a powerhouse, Firefox still has its [limited] strengths, but enabling all custom security features can limit its performance. Chrome dominates the browser landscape, yet many IT admins and web developers fail to optimize their sites for it, instead favoring Edge. The market share disparity between Chrome and Edge is staggering—it’s time for Edge to go too
John
I see this as the final nail given the current measurement .
For those who have not tried it yet : Mullvade is a pretty good browser ; it even kinda feels like Firefox .
Brannmtr1
I have no choice but to try it. I don’t know what happens, but when they update they put everything to the browsers, this looks like windows with the updates, to say an example
Christopher
Excellent update… Seems like an era is ending. I have been thinking about FF like one of the commentators here that there is some things not quite right about mozilla recently. IMHO It is in the best interest of the fans to move towards FF forks like LibreWolf and Mullvad and ditch FireFox Mozilla. Even Vivaldi is a better option than FireFox it seems in these days. I even stopped using Thunderbird. Supported Betterbird for a while but I am too old to wait issues to be fixed. Life is short and I gave up. I was very critical of Vivaldi until recently but I am now using Vivaldi mail client that works like a polished engine. When certain brands are all of a sudden hyped and favored in tech arena, I get suspicious and never buy that hype. Same for Signal for instance. I stopped using Signal 2 years ago and never installed it again. I have telegram just because my entire family is on telegram so, embarrassingly I can’t get rid of it completely but I was done with it last year just like FireFox Mozilla. Same with Proton. All of a sudden I feel drawn to Tuta.com’s simplicity compared to favored Proton’s bells and whistles. My rant is over. Thanks for this timely update
John Smith
It’s not “Firefox”, it’s not “Mozilla”. Its all those women running the organizasion. As long as those people run these two Mozilla organisations, then nothing will change. I haven’t forgotten what they were saying in the past. Just because people in this “clique” change, the are still from the same “clique”. Money into their own pocket is the priority. They draw their salaries and nothing else matters. These people are not working in the interest of the public. Their status should be changed. The last Mozilla CEO was earning 4.000.000 USD a year while she was the reason of Firefox market share dropping to literally ZERO. When I heard what she was publicly saying, I instantly knew, she is lefties and we are in trouble. Over years the list of Firefox changes grew to enourmous list when even arkenfox doesn’t know about or understand; constant addition of telemetry, more code to track and over and over and over again over all those years. This is nothing new. They don’t care and are very bad for the organisation and us. Unless we take over Mozilla, nothing will change. It may as well be run by Google, Apple, Microsoft, Faceboork or Amazon. Their legal status of “software for public interest” and legal “foundation status” should be taken away. New organisation created by develepers who know what KISS principle is needs to take over on the ashes of Mozilla. Mozilla: R.I.P.
Kathy
@JS would you agree in part?
Simply greed! Not human identity of any sex orientation…
Our capacity for both sane and insane acts of responsibility stems from the complex interplay between human cognition, emotions, experiences, and environmental factors. This duality is a fundamental aspect of human nature, influencing our decisions and actions in multifaceted ways.
Facts to ones environmental, such as upbringing, social norms, and life events, shape an individual’s perception of responsibility. These influences can lead to varying degrees of accountability, resulting in both sane and insane acts.
These factors collectively contributed to the erosion of privacy in Web1 interactions, paving the way for the more invasive data collection and tracking practices seen in later web eras (Web2 and beyond).
This lack of standardization and regulation in the early internet allowed for the widespread collection and use of user data without explicit consent. including the increased use of cookies, JavaScript, and server-side scripting, all contributed to the erosion of human privacy.
The era of Web1 was characterized by the dominance of digital communication, storage, and transmission, making it a digital era for the internet.
Several programming languages, when used as a base for building systems, frameworks, and applications, can potentially invade user privacy.
A usage nightmare for the personal user!
BoBeX
Free speech is one thing – sexism is another.
I could not read this comment past the first sentence.
shr
How to opt out in android Firefox sir?
eSheI
What strikes me is that this tor and mullvad are making a browser, just that. It’s like if I were hidemyass, I don’t know if I understand. Maybe I’m totally wrong because I didn’t try it, it’s just a look at what I see. Sorry, the translator is shit.
eSheI
If it is shown to use Brave or Mullvad 😛 (?)
Henry
Brave is great for streaming, Mullvad browser for better privacy and firgerprinting. Their proxy is really good.
eSheI
The truth is that no browser can be trusted anymore. Mullvad is in Sweden means that it belongs to the “Fourteen Eyes” the vpn is not very popular with Internet users and neither with the reviews made by restoreprivacy. the truth is that they leave me with certain doubts about using it…..
colage34
@eSheI Stop being paranoid, you sound like a kook. Mullvad browser is one of the best private browsers right now. Being from Sweden doesn’t mean anything. The browser is open-source so we can PROVE it’s private and secure.
“the vpn is not very popular with Internet users” Hahaha, I wonder where you read that ?? It’s one of the best no-log vpns out there, so much for your theory. Stop making dumb, false claims. I bet you believe in Santa Clause.
John Smith
basically the main and only gripe I have with Mullvad on Android is that I get a ton of captchas sometimes. aside from that I really don’t know if I do have another complaint with Mullvad. I used it in late 2018, didn’t really like it, then used ExpressVPN. Then a bunch of stuff came about Express VPN so I cancelled and tried Mullvad again. haven’t switched since. (I have had Surfshark and Nord VPN subscriptions as backups though)
o\-/o hohoho
Wow this kaleidoscope34 wants own view understood but not allow others to have their view if different…yes if you have kids you believe santa because of them.
If you don’t – what lets you buy into the privacy hype of compaines and the web in general? Hightops or lowtops, black or blue denim, that-this browser yada yada yada !
Belittling to make a point gets no votes and shows insecurity and turmoil within excaping cultivation of rationale control.
Kathy
I like the little bits of nut meal your articles hull feeds the reader, ‘brain food’, once the nutcracker of thought kicks in, sir…
Like –
“future of online advertising and user privacy”.
With so many recent comments about NFV and SDN transforming wired devices connectivity, by decoupling the network functions from hardware, enabling software-based control and forwarding planes.
And
Shifting from the static PC-centric systems to the dynamic, mobile-friendly infrastructure it is today.
Cloud-based computing – Cloud-based application – Cloud-based data storage – AI-enabled network automation.
All without any talk of these tech companies wanting to encourage our public safety in their leads of progress, and for other corporate tech’s, to have social responsibility programs, as we see the red flags written against the user privacy in realizing the true digital transformation – of our personal cost!
Gee, what a load of craplola being “immature market conditions” from G.
Google recently announcing its decision not to remove third-party cookie tracking from the Chrome browser as previously planned, citing “immature market conditions.”
As in the earlier mentioned tech advancements being still raw or green to where G does not loose what it gained from the continued use of third-party tracking cookies.
Like how is that to work? Say I did click-on an ad from a site, but did the same on 3 other sites over a period of months, in and of research about the same item. Ok with me…? Still ? Brand X say.
Who gets paid when I buy the brand x item months later?
The first ad period, or the 1st ad gets the big portion, of a paylola split in all four of the ads I had viewed from different sites?
See these costs in older analog days where part of the brand x items cost in retail. Say brand x costs $1.00 retail, .05 cents went to loss prevention, .05 cents went to maintenance and rest of .30 or .35 cents was overhead costs related, leaving .50 cents profits for one brand x item. So it was figured into what you paid. Not being part of a charge owed against the loss of a persons sensitive information!
Outlandish, outrageous violations, exceeding proper or reasonable limits as lacking our own valid consent! How is this not rape, robbing or despoiling us by carrying away a person personal information by force in the use the internet that has no other options in-built?
Henry
This is very disappointed coming from an organization which claims protecting our privacy. The reason I used them was to avoid Chromium-based browsers. However, I will start using other forks, but not Firefox. How can we trust them now?