Mozilla, the organization behind the Firefox web browser, is under scrutiny after privacy group noyb filed a complaint with the Austrian Data Protection Authority. Mozilla is accused of secretly enabling a tracking feature called “Privacy Preserving Attribution” (PPA), which noyb argues violates the EU’s General Data Protection Regulation (GDPR).

The PPA feature, introduced in recent Firefox updates, aims to help websites measure ad interactions without traditional tracking cookies. Instead, it stores bundled information about users’ interactions directly in the browser. While Mozilla claims this approach is less invasive than traditional methods, noyb argues, “While this may be less invasive than unlimited tracking, it still interferes with user rights under the EU’s GDPR.”

The main concern is that PPA is enabled by default without explicit user consent or clear notification. The only way to disable this tracking is through a hidden opt-out setting within Firefox. To add to the fire, Mozilla has not mentioned PPA in its data protection policies. A Mozilla developer has defended this approach, suggesting that users might not be able to make informed decisions if prompted.

Felix Mikolasch, a data protection lawyer at noyb, criticizes this approach: “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool.” He adds, “It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no.”

Noyb is demanding Mozilla be transparent about its data processing and switch to an opt-in system, where users must actively consent to tracking. The group also urges the deletion of any unlawfully processed data.

While Mozilla’s PPA feature may aim to balance privacy with ad measurement needs, noyb highlights that it currently doesn’t replace other tracking methods like cookies — it simply adds an additional layer.

Mozilla is just one of the many companies currently under fire for their use of user data without consent. In a similar recent story, Microsoft’s LinkedIn silently started harvesting user data to train its AI models.