European privacy group, None of Your Business (NOYB), has raised a formal complaint against Mozilla, the organisation responsible for the Firefox web browser, over its recent introduction of a tracking feature.
NOYB accuses Mozilla of breaching the European Union’s General Data Protection Regulation (GDPR) by enabling this feature by default, without obtaining user consent.
The feature, called Privacy-Preserving Attribution (PPA), is designed to allow advertisers to measure the success of their ads without gathering identifiable personal data.
However, NOYB argues that it still involves tracking user behaviour across websites, which they claim is a violation of users’ privacy rights under GDPR. The complaint has been lodged with the Austrian Data Protection Authority.
Mozilla, often recognised for its standpoint on privacy, is now facing accusations for this update, as users were not explicitly informed or given the option to opt-in to the new tracking mechanism.
Instead, PPA was turned on automatically following a software update. According to NOYB, this move undermines user autonomy and transparency, which are key pillars of GDPR compliance.
Commenting on the matter, Felix Mikolasch, a data protection lawyer at NOYB, criticised Mozilla’s approach, stating, “Users should have the right to choose whether they want to be tracked, and this feature should never have been enabled by default.”
Mozilla responded by defending the introduction of PPA, asserting that the feature was part of a goal to reduce more invasive forms of tracking that rely on cookies.
The company emphasised that PPA is a more privacy-friendly solution that avoids identifying individual users, instead relying on aggregated data to provide advertisers with insight. Mozilla also clarified that users can manually disable the feature through the browser settings.
NOYB’s request includes a demand that Mozilla switch to an opt-in system and delete any data collected thus far through the PPA feature.
Should the complaint succeed, Mozilla could face some penalties under GDPR, which allow fines of up to 4% of global revenue.