They had to change this because newer laws like the CCPA classify some ways of transferring/processing data as a “sale”, even if no money is exchanged.
The reason we’ve stepped away from making blanket claims that “We never sell your data” is because, in some places, the LEGAL definition of “sale of data” is broad and evolving. As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
Similar privacy laws exist in other US states, including in Virginia and Colorado. And that’s a good thing — Mozilla has long been a supporter of data privacy laws that empower people — but the competing interpretations of do-not-sell requirements does leave many businesses uncertain about their exact obligations and whether or not they’re considered to be “selling data.”
In order to make Firefox commercially viable, there are a number of places where we collect and share some data with our partners, including our optional ads on New Tab and providing sponsored suggestions in the search bar. We set all of this out in our privacy notice. Whenever we share data with our partners, we put a lot of work into making sure that the data that we share is stripped of potentially identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like OHTTP).
We’re continuing to make sure that Firefox provides you with sensible default settings that you can review during onboarding or adjust at any time.
As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
Yes. That is selling. If you exchange customer data for money or other valuables, that is the definition of “selling”.
As an example, Firefox has the option of sponsored results, which send anonymized technical data when a link is clicked, essentially just saying “hey, this got an ad click, add it to the total.” It doesn’t send info about you, your identity, or your other browsing habits.
This counts as a “sale” even though no actual identifying information about you was exchanged. They mention this in the paragraphs I attached, when they talk about data sent via OHTTP.
I don’t think any reasonable person would consider a packet being sent saying “some unknown user, somewhere in the world clicked your sponsored post” as “selling your personal information”, but that’s how the CCPA could be used to classify it, so to avoid getting in legal trouble, Firefox can’t technically say that they “never sell your data”, even if that’s the extent of it.
This counts as a “sale” even though no actual identifying information about you was exchanged. They mention this in the paragraphs I attached, when they talk about data sent via OHTTP.
I mean… it should count as a sale, because it’s a sale. They are selling information about browsing habits for money. Regardless of whether they include identifying information, it is still personal data that they are selling. They removed that line from their FAQs because they changed their minds about selling personal data. It has fuck all to do with weird legal definitions. They promised they wouldn’t ever sell personal data, and then they were like “wellll…”
Important context!
They had to change this because newer laws like the CCPA classify some ways of transferring/processing data as a “sale”, even if no money is exchanged.
See: this Firefox FAQ where they say:
Yes. That is selling. If you exchange customer data for money or other valuables, that is the definition of “selling”.
Not in all cases.
As an example, Firefox has the option of sponsored results, which send anonymized technical data when a link is clicked, essentially just saying “hey, this got an ad click, add it to the total.” It doesn’t send info about you, your identity, or your other browsing habits.
This counts as a “sale” even though no actual identifying information about you was exchanged. They mention this in the paragraphs I attached, when they talk about data sent via OHTTP.
I don’t think any reasonable person would consider a packet being sent saying “some unknown user, somewhere in the world clicked your sponsored post” as “selling your personal information”, but that’s how the CCPA could be used to classify it, so to avoid getting in legal trouble, Firefox can’t technically say that they “never sell your data”, even if that’s the extent of it.
I mean… it should count as a sale, because it’s a sale. They are selling information about browsing habits for money. Regardless of whether they include identifying information, it is still personal data that they are selling. They removed that line from their FAQs because they changed their minds about selling personal data. It has fuck all to do with weird legal definitions. They promised they wouldn’t ever sell personal data, and then they were like “wellll…”