Mozilla to Require Data Collection Disclosures for Firefox Extensions

CyberSecureFox 🦊

Mozilla is introducing mandatory data collection disclosures for Firefox extensions, aiming to strengthen transparency and user control. The new requirements activate on November 3, 2025, with full enforcement across the add-on ecosystem in the first half of 2026. This change affects how developers declare the types of data their extensions access and how users grant consent during installation.

New data disclosure requirements for Firefox add-ons: manifest.json and consent UI

Extension authors will need to include a new field in manifest.json: browser_specific_settings.gecko.data_collection_permissions. This field must enumerate the categories of personal or behavioral data the add-on processes, such as name, email address, search queries, visited websites, and browsing activity. If an extension does not track users or collect data, that must be stated explicitly.

Firefox will read these metadata at install time and present them alongside permission prompts, allowing users to accept or decline data collection. The same disclosures will appear on the add-on’s page at addons.mozilla.org and within the Permissions and Data section of about:addons. This mirrors familiar patterns used for runtime permission requests and places data-use information directly in the user’s decision flow.

Timeline, rollout, and add-on review implications

Initially, the policy applies to new add-ons submitted after the effective date. Existing extensions will need to comply when they migrate to the updated framework and release a new version. Packages missing the required disclosures—or providing incomplete or inaccurate information—will fail review and be returned to developers with remediation guidance.

Why it matters: transparency, user control, and risk reduction

Browser extensions operate with elevated access to web content, history, and UI, creating a non-trivial attack surface for data leakage, tracking, and permission abuse. Explicit data-category declarations and consent improve visibility into data flows and support informed choice. These measures align with privacy-by-design principles and regulatory expectations to inform data subjects prior to processing, including frameworks like GDPR and state privacy laws.

How this compares to Chrome Web Store and app privacy labels

Mozilla’s move is consistent with broader market trends. Google introduced data usage disclosures for Chrome extensions in 2021, and Apple’s App Store privacy labels arrived in 2020. Such disclosures help users evaluate risk without dissecting code or permissions. In the extension ecosystem—where capabilities are powerful and diverse—structured, standardized disclosures narrow the information gap and deter over-collection.

Practical guidance for users and enterprise security teams

For users: review the extension’s installation screen and its listing on addons.mozilla.org. If an add-on requests access to browsing history or search queries, ensure the data need directly supports its functionality and understand whether data are shared with third parties. A simple rule: if the declared categories do not match the feature set, consider declining installation.

For security and IT teams: update extension governance policies to include auditing of the data_collection_permissions field during review. Define acceptable data categories by role and business use case, and inventory installed add-ons using enterprise browser management tools. Where possible, enforce allowlists and implement continuous monitoring to detect extensions that expand data collection over time.
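One way to put this into practice is sketched below as an added example, not code from Mozilla or from this article. It audits the data_collection_permissions field against an allowlist and flags categories added between two versions. The object layout with `required` and `optional` lists, the `none` marker and the category names are assumptions to check against Mozilla's documentation; the policy and sample manifests are constructed.

```python
# Assumed schema: {"required": [...], "optional": [...]}, with "none" meaning
# "collects nothing". Category names below are assumptions, not from the article.
# Constructed org policy: categories acceptable without extra review.
ALLOWED = {"none", "technicalAndInteraction"}

def declared(manifest):
    """Return (required, optional) category sets, or None if the field is absent."""
    gecko = manifest.get("browser_specific_settings", {}).get("gecko", {})
    dcp = gecko.get("data_collection_permissions")
    if not isinstance(dcp, dict):
        return None
    return set(dcp.get("required", [])), set(dcp.get("optional", []))

def audit(manifest, allowed=ALLOWED):
    """Return policy findings for one manifest; an empty list means it passes."""
    decl = declared(manifest)
    if decl is None:
        return ["missing data_collection_permissions"]
    required, optional = decl
    findings = []
    if not required:
        findings.append("no required entry: 'collects nothing' must be explicit")
    for cat in sorted((required | optional) - allowed):
        kind = "required" if cat in required else "optional"
        findings.append(f"{kind} category not allowed: {cat}")
    return findings

def expansion(old, new):
    """Categories the new version declares that the old version did not."""
    cats = lambda m: set().union(*(declared(m) or (set(), set())))
    return sorted(cats(new) - cats(old) - {"none"})

def manifest_with(dcp):
    """Build a constructed sample manifest carrying the given declaration."""
    gecko = {"id": "sample@example.invalid"}
    if dcp is not None:
        gecko["data_collection_permissions"] = dcp
    return {"manifest_version": 3, "name": "Sample", "version": "1.0",
            "browser_specific_settings": {"gecko": gecko}}

# Constructed samples: a legacy build, then two successive versions.
LEGACY = manifest_with(None)
V1 = manifest_with({"required": ["none"]})
V2 = manifest_with({"required": ["browsingActivity"],
                    "optional": ["technicalAndInteraction"]})

if __name__ == "__main__":
    for name, m in (("legacy", LEGACY), ("v1", V1), ("v2", V2)):
        print(name, audit(m))
    print("v1 -> v2 adds:", expansion(V1, V2))
```

In a real review pipeline the manifests would be read from each add-on package's manifest.json, with the previous approved version kept as the baseline for the diff.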

Real-world incidents underscore the stakes: past cases like the DataSpii scandal (2019) and the removal of malicious or compromised extensions (e.g., The Great Suspender, 2021) demonstrate how over-permissioning and opaque data practices can lead to exposure and reputational harm. Clear disclosures, coupled with least-privilege design and regular audits, materially reduce these risks.

Impact on the Firefox ecosystem and what to watch next

For developers, the policy incentivizes data minimization and tighter alignment between permissions, data collection, and declared functionality. For users and enterprises, it adds an intelligible checkpoint that improves risk assessment at install time and during routine reviews. Over the long term, standardized transparency requirements tend to shrink the attack surface and discourage covert profiling.

Monitor Mozilla’s developer documentation and moderation guidelines in the coming months for detailed schemas and examples. Users should periodically review their installed add-ons in about:addons → Permissions and Data and remove those that request excessive access or collect sensitive categories without clear justification. Adopting these habits now will ease the transition when enforcement becomes universal in 2026.
