Starting next month, Mozilla will require Firefox extension developers to disclose whether their add-ons collect or share user data with third parties.
The devs will be required to disclose any new extension’s data practices in the manifest.json file using a dedicated browser_specific_settings.gecko.data_collection_permissions key beginning November 3, 2025. Mozilla will also require all extension developers to adopt this framework in the first half of 2026.
Personally identifiable information that can be obtained through extension APIs or provided by the user includes, but is not limited to, names, email addresses, search terms, and browsing activity data (e.g., domains, URLs, or categories of viewed pages).
Extensions that don’t collect any personal data must also explicitly state this to ensure complete transparency for users about the data practices they can expect.
This information will appear during the installation prompt, along with any permissions requested. It will also be displayed on the extension’s listing page on addons.mozilla.org and in the Permissions and Data section of Firefox’s about:addons management page.
”Developers can specify what data they wish to collect or transmit in their extensions manifest.json file. This information will be parsed by the browser and shown to the user when they first install the extension,” Mozilla explains.
“A user can then choose to accept or reject the data collection, just like they do with extension permissions. The developer can also specify that the extension collects no data.”
This requirement applies exclusively to newly submitted Firefox extensions. Existing add-ons won’t need to comply until they update to use the new framework.
However, extensions that fail to properly declare their data collection practices will be blocked from submission to Mozilla’s add-on repository, and their developers will receive explanatory error messages.
Last month, Mozilla also announced that it will allow Firefox extension devs to roll back to previously approved versions to address critical bugs and issues quickly.
In June, it introduced a security feature for its add-on portal designed to block malicious extensions that drain cryptocurrency wallets.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
