Mozilla introduces TOS to Firefox

On February 26th 2025, Mozilla announced they were introducing terms of service and updating their privacy policy for the Firefox web browser. Until February 2025, Mozilla always relied on Firefox's open source license (the Mozilla Public License version 2.0) for the browser and their public commitments. They say that by adding these terms, they want to make their commitments "abundantly clear and accessible."^[1] However, concerns arose regarding whether Firefox itself, rather than just Mozilla's online services (such as Firefox Sync or Mozilla VPN), would be subject to the company's Acceptable Use Policy, which restricts certain types of content. Mozilla's Acceptable Use Policy includes prohibitions on graphic depictions of sexuality, violence, and hate speech, which are standard for services like Firefox Sync but were not previously associated with the Firefox browser itself. While Mozilla later removed references to the Acceptable Use Policy in a revision, this initial concern fueled distrust.^[2]

The new terms contained phrasing that has caused concern by users of Firefox and the reasoning for its inclusion in the privacy focused browser.^[3][4][5][6] Concerns center especially around the phrasing of terms outlined in the section titled "You Give Mozilla Certain Rights and Permissions".^[7]

This is what that section originally said:

You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.

The vagueness of the terms resulted in users questioning how much of their data they were granting Mozilla a license to use, especially since the company puts a lot of emphasis on transparency and privacy on their manifesto.^[8] One notable concern is the possibility that license to user input could be used to train artificial intelligence tools. This became a concern since Mozilla has recently been working on AI tools.^[9]

AI training concerns edit

Mozilla's original TOU could have allowed AI training on user input. Mozilla's wording in their first round of TOS changes granted Mozilla a "nonexclusive, royalty-free, worldwide license" to "use" user input, without specifying clear limitations.^[10] Mozillla's vague writing caused concern among Firefox users that their input could be used for artificial intelligence training, especially given Mozilla's AI-related projects.^[9] After backlash, Mozilla revised the TOU to clarify that data usage is restricted to user-requested actions.^[11]

Date of effect edit

It is also worth noting that the announcement of the introduction of the TOS and new privacy policy was made in a blog post one day after the terms and privacy policy were originally set to take effect.^[12] No other communication was made to users of the browser as of February 27th 2025. The terms of use page was then edited to read "Effective February 28, 2025"^[7] following the update in the language.

Change of Firefox's FAQ edit

Mozilla's Terms of Use no longer explicitly state that the company does not and will never sell user data. Previously, Mozilla's FAQ included the statement, "Nope. Never have, never will," when addressing whether they sell user data. The section promising not to sell personal data^[13] was quietly removed from their documentation.^[14]

Before its removal, the section said:

Does Firefox sell your personal data?

Nope. Never have, never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. That's a promise.

Another section Mozilla changed is removing part of the answer to the question "Is Firefox free?". This section concluded with the phrase "and we don't sell your personal data.".

Both of these were present in the FAQ until at least January 30th 2025.^[15][16]

Mozilla justified this change by pointing to evolving legal definitions of "data selling," particularly under the California Consumer Privacy Act (CCPA), which defines "sale" broadly to include certain data-sharing arrangements. However, the revised Terms of Use do not explicitly prohibit Mozilla from selling user data in the future, leaving open the possibility of future monetization.^[11] Mozilla justified this by pointing to broad legal definitions under the California Consumer Privacy Act (CCPA), which define "selling data" as any transfer of data for "valuable consideration," even if anonymized.^[17] However, the new Terms of Use do not explicitly prohibit Mozilla from selling user data in the future, meaning they could legally do so if they chose.^[11]

Initially, Mozilla added an update to their initial blog post in an attempt to clarify the language of the terms of use.^[1]

This is what the update says:

UPDATE: We've seen a little confusion about the language regarding licenses, so we want to clear that up. We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.

Notably, this update doesn't address the concerns relating to the broadness that can be attributed to the wording of the terms.

Mozilla's privacy policy contains fairly extensive and clear statements on how Mozilla uses user data. It does not explicitly mention artificial intelligence tools other than the ability to use third party chat assistants. The privacy policy clarifies that Mozilla has no access to these chats.

On February 28th, Mozilla updated the terms of use to address the concerns people were having. The section about rights and permissions given to Mozilla was reworded to be more clear:

You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content.

As well as this, the new terms have removed the reference to the acceptable use policy.

Mozilla have also provided an explanation for why they changed their FAQ.^[11] They say this is because different legislation has different definitions of "sale of data"and this makes it uncertain on whether a business is legally considered to be selling data. Mozilla explicitly cites the California Consumer Privacy Act^[17] with regards to how existing privacy legislation defines the sale of data. ^{[footnotes 1]}

Before the Terms of Use update, Mozilla publicly stated that it did not & would never sell user data. However, under the California Consumer Privacy Act (CCPA), some of Mozilla's existing business practices may have legally qualified as "selling data." While there is no confirmed evidence that Mozilla violated the CCPA, their data-sharing practices placed them in a legally gray area.

Potential CCPA Compliance Issues Before the TOU Update edit

The CCPA defines "selling data" as:

“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.^[17]

• Search Engine Partnerships (Google, Bing, Yandex, etc.): Mozilla's largest revenue source comes from deals with search engines like Google, which pay Mozilla to be Firefox's default search provider.^[18]

These deals involve sending search query data to search partners. Under the CCPA, if Mozilla transmitted search data in exchange for financial compensation, this could be classified as a "sale of data." This is a practice that Mozilla had already been openly taking part in.

Mozilla's Sponsored Ads & Potential CCPA Implications edit

How Mozilla’s Sponsored Ads Work edit

Mozilla monetizes Firefox through advertising programs:

• Pocket Sponsored Stories: Mozilla owns Pocket, which provides content recommendations. Mozilla shares aggregated data with ad platforms (such as Adzerk) so advertisers can track engagement.^[19]

• Sponsored Shortcuts: Mozilla displays paid website shortcuts on the New Tab page. Mozilla gets paid per user click & routes click data through a Mozilla-owned proxy service.^[20]

• Sponsored Suggestions in Search: Mozilla processes search queries & shares de-identified interaction data with partners, including search engines and ad networks.^[21]

Mozilla says all data shared with advertisers is anonymized, aggregated, or de-identified before being disclosed.

How this relates to Mozilla’s Privacy Policy edit

Mozilla’s Privacy Policy states that user data is only shared in an aggregated or de-identified form.^[22] The Firefox Privacy Notice also confirms:

Mozilla processes interaction data (such as ad clicks) & shares de-identified information with partners. Partners cannot associate these interactions with an individual user.^[21]

This lines up with Mozilla's claim that it does not sell personal data under the CCPA.

Potential CCPA Compliance Issues edit

Mozilla's ad system does not clearly violate the CCPA, but it exists in a gray area because of:

• Valuable Consideration Clause: Mozilla earns money from clicks on Sponsored Shortcuts, which may be considered a sale under the CCPA if user data has "value."

• Lack of a Clear "Do Not Sell" Option: The CCPA requires an explicit "Do Not Sell My Data" button, but Mozilla bundles opt-out settings under "technical and interaction data." Mozilla's privacy policy page states "You can opt out of having your data processed for personalization or advertising purposes by turning off “technical and interaction data” on Desktop and Mobile at any time".^[21] Firefox does have this option in the privacy and security section of the settings as of version 135 (4th February 2025).^[23]

• Potential Re-identification of Data: CCPA states that anonymized data can still be personal information if it can be linked to a user.^[17]

While Mozilla tells users that advertisers cannot directly identify users, regulators may argue that user interactions still hold monetary value, which could require Mozilla to revise its privacy policy for full compliance.

Legitimate Reasons for Mozilla Updating Its Terms of Use edit

Mozilla's sudden change to its Terms of Use & Privacy Policy can be viewed as hedges to Mozilla's legal risks & exposure under the California Consumer Privacy Act (CCPA), rather than an admission of wrongdoing.

• Legal Definitions of "Selling Data" Under the CCPA Are Broad: As noted above, the CCPA's definition encompasses many data-sharing practices that may not align with common understanding of "selling data".^[17] Even if Mozilla was not directly selling user data, its search partnerships, telemetry data sharing, & sponsored content could have been interpreted as data sales if Mozilla received any financial benefit from them, all of which were actions that Mozilla has already been transparent & upfront about.

• Mozilla's Search Engine Deals Could Be Considered Data Sales: As mentioned earlier, these partnerships could legally qualify as data sales under the CCPA definition, despite being an existing part of Mozilla's business model that consumers are already aware of.^[1]

• Sponsored Content in Firefox's New Tab Page Involves Data Exchange: Mozilla dReferencesisplays sponsored content and ads on the Firefox New Tab page, which may involve user interaction data being shared with advertisers.^[11] Even if the data is anonymized, the CCPA considers certain types of aggregated data as personal information if it can be linked back to users.^[17]

By removing explicit guarantees such as "we never sell your data" & rewriting the Terms of Use, Mozilla eliminated legal ambiguity while maintaining its existing business model.

While the new terms of use does not confirm that Mozilla intends to sell user data, & puts its current practices in-line with California's Consumer Privacy Act, it no longer explicitly prohibits it, leaving open the possibility for future monetization.

Mozilla's Terms of Use & Privacy Policy update led to loud public protest over them. Here is an analysis of the primary concerns raised by the Firefox community:

Valid Concerns edit

Vague licensing language in the TOU edit

Initially, Mozilla's TOU granted the company a "nonexclusive, royalty-free, worldwide license" to user input, which raised concerns about potential data ownership and usage rights.^[10] This was later revised after backlash.^[11]

Mozilla removed explicit language about not selling user data edit

Mozilla's FAQ previously stated, "We don't and never will sell your personal data," but this was quietly removed from its website and documentation.^[14] Mozilla later stated that different legal jurisdictions, such as the California Consumer Privacy Act (CCPA), had vague definitions of "data selling," which led them to revise this wording.^[11]

Users were not notified before the TOU changes took effect edit

Mozilla announced the new terms on February 26, 2025, but they had already taken effect by February 25, 2025.^[1]

Lack of clarity on why Mozilla needs a license to user input edit

Users questioned why Mozilla needed licensing rights over user input when browsers have worked for 25+ years without these terms.^[10] While the new TOU does not confirm that Mozilla intends to sell user data, it no longer explicitly prohibits it, leaving open the possibility for future monetization.

Concerns Likely Based on Misinterpretation edit

Mozilla will log & track all user browsing data edit

Some users assumed the TOU granted Mozilla unlimited access to browsing history.^[10] However, Mozilla's privacy policy still states that it does not store user browsing history or personal data beyond necessary telemetry.^[1]

Mozilla's telemetry data collection doesn't seem to constitute a "sale" under the CCPA edit

Firefox collects telemetry data by default, including interaction metrics (such as the number of open tabs, visited webpages, & search partner referrals) & technical data (such as OS version, hardware specs, and crash reports).^[24] However, Mozilla clearly says that this data is only sent to Mozilla & does not explicitly mention sharing this with third parties^[21] Under the California Consumer Privacy Act (CCPA), a "sale" requires data to be transferred to a third party in exchange for monetary or other valuable consideration.^[17] Since Mozilla does not explicitly transfer telemetry data to third parties, it is unlikely to be classified as a "sale" under the CCPA. Users can opt out of telemetry data collection, and Mozilla deletes previously collected data within 30 days of opting out.^[24]

Mozilla tried to clarify where they stand on data privacy, but the way they've written their terms as well as the manner in which they communicated them has resulted in user protest & distrust.

• Mozilla