At Mozilla we are best known for our Firefox browser, which launched into the world in 2004 when we challenged the dominant position of Internet Explorer. Nearly 15 years on, we not only offer Firefox Quantum as a fast, powerful portal to the web, we have other mobile browsers (like Firefox Focus), clever extensions (like Facebook Container) and useful apps (like Pocket) available, plus a number of experiments in the works for our users. And at our backs, a widely ingrained privacy philosophy has long guided how we develop products, manage data collection and, ultimately, serve the people who use our stuff.

We hold these five principles for a couple of reasons. First, they are our promise to you, our users, that you can trust us. And second, they set an example for other organizations to follow. Here’s how our privacy principles work:

1. No surprises

This means we’re up-front and obvious about how and when we’re collecting and using sensitive information. This doesn’t mean that we never collect data; it means we use and share it in a way that is transparent and meets our promise.

Take our Test Pilot experiment Advance, for example, where we’re exploring new ways for people to get real-time recommendations based on their current page and their most recent web history. We believe browser history is sensitive information. Before people install the experiment, we want them to clearly understand that Laserlike, our partner in this experiment, will receive their web browsing history. We have also included controls so that participants can pause the experiment, see what browser history Laserlike has, or request deletion of that information. And Advance is completely optional; if you’re not interested, you don’t have to try it. So no matter how much beautiful language an attorney can write, we’re not the kind of company who would just ship a privacy eroding feature and assume you’ll love it. We don’t want you to be surprised, so we’ll be upfront about things.

2. User control

This means we develop products and advocate for best practices that put users in control of their data and online experiences. Some companies think it’s adequate to bury what you consent to behind an “Agree” button. Or that it’s fine to give you control using obscure settings deep within a product. For us, user control should offer clear and meaningful consent and user agency. For example, you can easily opt-in or opt-out of data sharing any time. Just click on those three bars (we call it the “hamburger” menu) in your browser and change whatever you want.

3. Limited data

This is about the data collection itself, and it has three parts.

We collect only what we need.

We de-identify the data whenever possible so that it can’t be tied back to you personally. We avoid collecting explicit identifiers, like names and email addresses, using random identifiers instead.

We delete data when it’s no longer necessary.

At Mozilla, we collect an extremely limited amount of data in order to make the Firefox browser work for people. We collect technical data about the browser itself, such as the operating system it is running on and details about errors or crashes. We collect data about an individual’s use of Firefox, such as the number of tabs, the status of preferences, or number of times certain browser features were used, like screenshots or containers. When we can, we tie this information to a random identifier, rather than a name or email address because we design our products to minimize the data we collect about individuals.

And this principle applies beyond our products; it also applies to user research, experiments and surveys where we use Lean Data Practices.

We recognize that in some cases, companies need to collect identifiable data to make a good product, and they may need to hang onto it for a while. But some organizations have also collected vast amounts of identifiable data in excess of what they really need. We urge them to consider the alternatives.

4. Sensible settings

This design principle helps us strike a thoughtful balance between safety and user experience. We build our products so that it’s easy for people to be in control of their settings rather than making it hard and confusing.

Tracking Protection is a good example that works just like it sounds. It prevents advertising networks from following you across websites, which has the added benefit of making sites load faster. Some people find it creepy to be followed around the web by ads, so we made Tracking Protection a full-time option in Firefox. Our settings make it easy for you to turn Tracking Protection on all the time, in Private Browsing only or not at all.

5. Defense in depth

This means we build in security. We’ve put multiple layers of security controls in place, within the products we produce and our day-to-day business practices. We use basic security mechanisms to protect our users, and if we don’t, we’re not doing our job right. Right in the browser, Firefox includes built-on phishing and malware protection to alert about deceptive sites, harmful malware and risky scripts.

These five Data Privacy Principles are embedded in our day-to-day thinking. We don’t do things without your permission. You’re in control. So no matter what products we create, what information we collect, what partners we have or what policies we advocate, we believe that your personal information belongs to you, not us.

This post is also available in: Deutsch (German) Français (French)