The European privacy rights organization noyb has filed a formal complaint against Mozilla for enabling a new feature in its Firefox browser that allegedly tracks users without their consent.
The feature in question, called Privacy-Preserving Attribution (PPA), is designed to measure the effectiveness of online advertisements while minimizing data collection, but noyb claims it violates user rights under the GDPR by being activated without informed consent.
The complaint filed earlier today with Austria’s Data Protection Authority (DSB) alleges that Firefox’s PPA feature was turned on by default with a recent update without notifying users or offering a clear opt-in mechanism. This move has raised concerns, especially given Mozilla’s reputation as a privacy-focused alternative to Google Chrome and other Chromium-based browsers.
The PPA feature, which Mozilla claims is a less invasive method for advertisers to track ad interactions, places Firefox in control of ad performance measurement, bypassing the use of traditional cookies. While Mozilla argues that this setup protects privacy, noyb asserts that it still constitutes tracking—just done by the browser rather than the website.
Felix Mikolasch, a data protection lawyer at noyb, criticized Mozilla’s approach, stating that while the feature may reduce the level of invasiveness compared to cookies, it is still a form of tracking that users were not adequately informed about.
“It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice, and the feature should have been turned off by default.”
Felix Mikolasch, noyb
Mozilla introduced the PPA feature in Firefox version 128, framing it as an experimental measure to help advertisers gauge the success of their ads without resorting to traditional tracking methods. PPA works by allowing websites to request Firefox to store information about ad interactions—known as “impressions.” If a user later engages with the ad by visiting a relevant website, Firefox generates an anonymized report that is sent to an aggregation service. Mozilla claims that the entire process preserves user privacy, as the aggregated data does not include any individual identifying information.
However, the complaint suggests otherwise, accusing Mozilla of violating several GDPR articles, including those requiring transparency and user consent for data processing. Specifically, noyb argues that Mozilla failed to provide any information about PPA in its privacy policies and did not allow users to make an informed choice before activating the feature. The complaint further calls for Mozilla to delete all data processed without user consent and to switch to an opt-in system for features like PPA.
The complaint comes amid broader debates over the future of online advertising and user privacy, with Google recently announcing its decision not to remove third-party cookie tracking from the Chrome browser as previously planned, citing “immature market conditions.”
Privacy-focused browser Brave also criticized Mozilla’s PPA feature via a post on its privacy blog space last week, suggesting that ad measurement should be simple, transparent, and limited to parties trusted by users. Brave’s critique highlighted that Mozilla’s approach still involves third-party aggregators, introducing privacy risks. In contrast, Brave promotes a model that eliminates third-party tracking altogether, centering ad systems around user privacy.
Firefox users worried about PPA can manually opt out of the new feature through the browser’s settings > Privacy & Security > Website Advertising Preferences > uncheck “Allow websites to perform privacy-preserving ad measurement.”
For other privacy-focused browsers, check our guide on private and secure browsers here.