| layout | title | permalink | topic | tags | contributors | last_updated_by | date | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
sidebar.liquid |
Best practices for collecting user data consents |
/documentation/develop/best-practices-for-collecting-user-data-consents/ |
Develop |
|
|
mkaply |
2023-01-11 |
{% capture page_hero_banner_content %}
If your extension collects user data, it needs to comply with the requirement of the Data Disclosure, Collection and Management section of the Add-on Policies.
A common developer question about these policies is how to translate them into browser extension features that are compliant to Mozilla’s Add-on policies. This how-to is the result of those requests and offers advice on implementing prompts to meet the data collection and add-on policies. This article suggests how you can implement suitable prompts but it doesn’t replace or supersede the policies; you still need to confirm that your extension complies with the policies.
Note: If your extension is installed in an enterprise via the force_installed or normal_installed options in the ExtensionSettings enterprise policy, you must still implement the disclosure and consent experience in the add-on.
You can set a value via the 3rdparty enterprise policy and read it with storage.managed in the add-on to determine if consent is granted. You must display the disclosure and consent experience if the value is not set in storage.managed.
{% endcapture %} {% include modules/page-hero.liquid, content: page_hero_banner_content %}
{% capture content_with_toc %}
To create the consent flow and consent dialogs your extension needs, you should first answer these questions:
- Does my extension collect technical or interaction data? If so, offer the user the opportunity to opt-out of this data collection, although you can always offer opt-in consent if you prefer.
- Does my extension collect personally identifying information? If so, get the user’s opt-in consent before collecting any of this data. Remember that personally identifying information includes technical or interaction data tagged with the user’s identity or information that can be used to identify the user, such as an URL.
If you are unsure whether your add-on collects personal, technical, or interaction data, refer to the definition in Data Disclosure, Collection and Management.
"Data” includes all information the extension collects, regardless of the manner of collection or the reason for collection. This also includes data collected as part of the extension’s primary functionality.
Data sent to native applications using NativeMessaging must be declared in the data collection consent and categorized in the appropriate consent model (whether opt-in or opt-out).
{% endcapture %} {% include modules/column-w-toc.liquid, id: "know-your-privacy-settings" content: content_with_toc %}
{% capture content %}
Before designing the data collection consent for your extension, you should:
- eliminate any unnecessary data collection.
- design your extension to offer as much functionality as possible if the user declines the collection of data.
- create a privacy policy.
{% endcapture %} {% include modules/one-column.liquid, id: "get-prepared" content: content %}
{% capture content %}
When your users arrive at your data and privacy consent dialog, they need to know what they're consenting to and this is where your privacy policy comes in. The privacy policy section of the Add-on Policies provides clear guidelines on what the policy should include. If you’re collecting significant quantities of data and making significant use of it, taking legal advice may be prudent. However, your first strategy should be to reduce or eliminate the collection of user data where possible. If your data collection and use is fairly low-level, it’s possible that a privacy policy generator may be helpful. You may also want to take a look at Mozilla's privacy policy as a model to follow.
{% endcapture %} {% include modules/one-column.liquid, id: "create-a-privacy-policy" content: content %}
{% capture content %}
As part of your extension’s onboarding flow, include information about your privacy policy and data collection and seek any necessary user consent. Any privacy information and settings should be clear and unmissable. Separating these details from general information about your extension can help. Using a new tab in the focused window is recommended.
For more information on how to implement a post-install page or dialog, see Best practices for onboarding, upboarding, and offboarding users.
As mentioned in the Add-on policies, if your extension collects user data in association with features that run in the background, such as ad blocking, you need to make sure the data collection is not activated until you have obtained user consent.
If an update to your extension collects new personally identifying information, existing users must consent to the new data collection (opt-in) when your extension updates.
We have talked about how you could let users opt-out of collecting technical and interaction data but must have users opt-in to collecting personally identifying information. Before you design your extension features around your consent requests, it is important to understand how these options affect your design.
Where you provide the user with an opt-in option, the related feature must be turned off by default and only turned on once the user has actively agreed to use that feature.
Where you provide the user with an opt-out option, the related features can be turned on by default but must be turned off if the user indicates they want to opt-out.
If the main functionality of your extension doesn't work without collecting user data, provide an option in the data collection consent to uninstall it if your users don't consent to the data collection. The management.uninstallSelf() API can be used to uninstall your extension. Name the consent decline button appropriately, such as "Decline and uninstall".
{% endcapture %} {% include modules/one-column.liquid, id: "prompt-after-install" content: content %}
{% capture content %}
It is important to classify data into its right category and set defaults accordingly. Mozilla's add-on policies require an opt-in data collection consent for personally identifiable data and opt-out for technical and user interaction data.
Incorrect classification of data on the data collection consent will result in a review rejection.
{% endcapture %} {% include modules/one-column.liquid, id: "data-classification" content: content %}
{% capture content %}
Before designing your consent dialogs, you should determine the privacy consent flow for your extension, based on the data it collects. Here is an example of a consent flow where an extension collects personally identifying information and technical data:
In this example:
- Your extension should start up with all data collection functionality disabled.
- Immediately after installation, present them with a consent dialog. (See Best practices for onboarding, upboarding, and offboarding users for more.) On this dialog:
- The option for collecting personally identifying information must default to disabled so that the user has to actively opt-in.
- The options for technical data may default to enabled, so that the user may choose to opt-out.
- If the user:
- accepts mandatory and optional data collection → continue with data collection enabled enabled.
- declines optional data collection → disable optional data collection and continue running the extension.
- declines mandatory data collection → uninstall the extension with
management.uninstallSelf().
{% endcapture %} {% include modules/one-column.liquid, id: "determine-your-consent-flow" content: content %}
{% capture content %}
Once you understand your privacy consent flow, you can add a suitable consent dialog. The following are suggestions on how to present a data collection consent dialog. We recommend that all of the data collection controls and actions (toggles and confirmation buttons) be present within the same view. A summary of the data collected and how it is used must be present for each type of data collected within the consent dialog.
Where the mockups include the linked text “our Privacy Policy”, this should go to your extension’s privacy policy page. Privacy policy page should be self-hosted for unlisted extensions or hosted on AMO for listed extensions.
The default option is not to collect personally identifying information. If you do, the user needs to actively opt-in. Remember to list the data you’re collecting; don’t make the user read your privacy policy to determine what data you are collecting and why.
Data collected does not include user identifiers. The option to collect technical data can be set as the default response.
The add-on is requesting both types of data collection. Please ensure the choices are separate.
The extension requires personal or technical data collection to provide its main functionality and cannot be used without. The consent decline option uninstalls the extension using management.uninstallSelf().
{% endcapture %} {% include modules/one-column.liquid, id: "your-consent-dialogs" content: content aside: "" %}