Prompt users for data and privacy consents

If your extension uses cookies or collects user data, it needs to comply with the requirement of the Data Disclosure, Collection and Management section of the Add-on Policies.

A common developer question about these policies is how to translate them into web extension features that can pass the reviews. This how-to is the result of those requests and offers advice on implementing prompts to meet the data collection and add-on policies. This article suggests how you can implement suitable prompts but it doesn’t replace or supersede the policies; you still need to confirm that your extension complies with the policies.

Know your privacy settings

To create the consent flow and consent dialogues your extension needs, you should first answer these questions:

  1. Does my extension use cookies?  If so, you’ll need to get user consent to store cookies.
  2. Does my extension collect technical or interaction data? (If you’re unsure what technical and interaction data is, check out the definition in Data Disclosure, Collection and Management.) If so, offer the user the opportunity to opt-out of this data collection, although you can always offer opt-in consent if you prefer.
  3. Does my extension collect personally identifying information? If so, get the user’s opt-in consent before collecting any of this data. Remember that personally identifying information includes technical or interaction data tagged with the user’s identity or information that can be used to identify the user, such as an IP address.

Get prepared

Before designing the data collection and use of cookies consents for your extension, you should:

  • eliminate any unnecessary data collection or cookies.
  • design your extension to offer as much functionality as possible if the user declines the collection of data or the use of cookies.
  • create a privacy policy.

Create a privacy policy

When your users arrive at your data and privacy consent dialogue, they need to know what they're consenting to and this is where your privacy policy comes in. The Data Disclosure, Collection and Management section of the Add-on Policies provides clear guidelines on what the policy should include. If you’re collecting significant quantities of data and making significant use of it, taking legal advice may be prudent. However, your first strategy should be to reduce or eliminate the collection of user data where possible. If your data collection and use is fairly low-level, it’s possible that privacy policy generator—such as Cooley LLP or iubenda—may be helpful. You may also want to take a look at Mozilla's privacy policy as a model to follow.

Prompt after install or on first use

As part of your extension’s onboarding flow, include information about your privacy policy and data collection, and seek any necessary user consents. Any privacy information and settings should be clear and unmissable, separating these details from general information about your extension can help.

For more information on how to implement a post-install page or dialog, see Best practices for onboarding, upboarding, and offboarding users.

As mentioned in the Add-on policies, if your extension uses cookies or collects user data in association with features that run in the background, such as ad blocking, you need to make sure the cookies or data collection are not activated until you have user consent.

We have talked about how you could let users opt-out of collecting technical and interaction data but must have users opt-in to collecting personally identifying information. Before you design your extension features around your consent requests, it is important to understand how these options affect your design.

Where you provide the user with an opt-in option, the related feature must be turned off by default and only turned on once the user has actively agreed to use that feature.

Where you provide the user with an opt-out, option the related features can be turned on by default but must be turned off if the user indicates they want to opt-out.