We are only a few days away from May 25th, when the European General Data Protection Regulation (GDPR) will go into full effect. Since we were founded, Mozilla has always stood for and practiced a set of data privacy principles that are at the heart of privacy laws like the GDPR. And we have applied those principles, not just to Europe, but to all our users worldwide. We feel like the rest of the world is catching up to where we have been all along.

GDPR has implications for many different parts of Mozilla. Rather than give you a laundry list of GDPR stuff, in this post, we want to focus specifically on Firefox and drill down specifically into how we think about privacy-by-design and data protection impact assessments within our browser product.

Privacy By People Who Care About Privacy

Firefox, the web browser that runs on your device, is your gateway to the internet. Your browser will manage a lot of information about the websites you visit, but that information stays on your device. Mozilla, the company that makes Firefox, doesn’t collect it unless you give us permission.

Mozilla does collect a set of data that helps us to understand how people use Firefox. We’ve purposely designed our data collection with privacy protections in mind. So while the browser knows so much about you, Mozilla still knows very little.

Building a browser that is so powerful yet still respectful of our users takes a lot of effort. At Mozilla, we have teams of privacy and security engineers who are responsible for building a trustworthy browser. More than that, we have a workforce and a volunteer community that takes Mozilla’s responsibility to protect you seriously and personally. This responsibility cuts across all areas of Mozilla, including our security engineers, platform and data engineers, data scientists, product managers, marketing managers and so on. We basically have an army of people who have your back.

Rather than Privacy By Design, we do Privacy By People Who Care About Privacy.

It is important to keep this in mind when we think about the GDPR’s privacy-by-design requirements. Regardless of any regulatory requirement, including GDPR, if an organization and its people aren’t rooted in a commitment to privacy, any privacy-by-design process will fail. It is our people’s commitment to the Mozilla mission that undergirds our design processes and serves as the most important backstop for protecting our users.

Our Process

Okay, enough throat clearing. At Mozilla, we do have plenty of design processes to identify and deeply engage on privacy risks; code reviews, security and privacy reviews, intensive product and infrastructure audits, and public forums for anyone to contribute concerns and solutions.

Our Firefox data collection review process is the cornerstone of our effort to meaningfully practice privacy-by-design and assess privacy impacts to our users. We believe it is consistent with the GDPR’s requirements for privacy impact assessments. Mozilla has had this process in place for several years and revamped it in 2017.

Here are a few key pieces of that process:

Before we look at any privacy risk, we need to know there is a valid analytic basis for the data collection. That is why our review process starts with a few simple questions about why Mozilla needs to collect the data, how much data is necessary, and what specific measurements will be taken. Mozilla employees who propose additional data collection must first answer these questions on our review form. Second, our Data Stewards – designated individuals on our Firefox team – will review the answers, ensure there is public documentation for data collection, and make sure users can turn data collection on and off. Third, we categorize data collection by different levels of privacy risk, which you can find in more detail here. The data category for the proposed collection must be identified as part of the review. For proposals to collect data in higher risk categories, the data collection must be default off. Complex data collection requests, such as those to collect more sensitive data or those that call for a new data collection mechanism, will escalate from our Data Stewards to our Trust and Legal teams. Further privacy, policy, or legal analysis will then be done to assess privacy impact and identify appropriate mitigations.

The results of this review process, as well as in depth descriptions of our data categories and the process itself, can be found publicly on the web. And you can find the full documentation for Firefox data collection here.

But Wait, There’s More!

This process is just one of the many tools we have to protect and empower the people who use our products. Last year, we completely rewrote our privacy notice to provide clear, simple language about the browser. The notice includes links directly to our Firefox privacy settings page, so users can turn off data collection if they read something on the notice they don’t like.

We redesigned those privacy settings to make them easier to use (check out about:preferences#privacy in the Firefox Browser). This page serves as a one-stop shop for anyone looking to take control of their privacy in Firefox. And we revamped Firefox onboarding by showing new users the Firefox privacy notice right on the second tab the very first time they use the browser.

It’s easier today than ever before to take control of your privacy in the Firefox browser. As you can see, limited data, transparency, choice – all GDPR principles – are deeply embedded in how all of us at Mozilla think about and design privacy for you.