Last week Firefox released version 120, just in time for Black Friday. As part of the update Firefox released a number of new privacy enhancements, some of which will impact various analytics, marketing and compliance efforts.
Global Privacy Control Support
Firefox has had support for the Global Privacy Control (GPC) signal for some time, but it was locked behind configuration settings and wasn’t available in the main UI settings. With release 120 this has changed and support for the GPC signal can now be found under Privacy & Security. Mozilla details new change and what it means in a knowledgebase article and press release.
The GPC signal has long been considered to be a mandatory opt-out under California law, and with additional states considering the signal for their own opt-out mechanics (which we’ll find out more about in 2024). Sites would be well served to add in support for the GPC Signal in order to avoid possible enforcement actions by regulators.
It should be noted that the exact expected behavior when detecting a GPC signal may vary by State, and steps should be taken to ensure that proper handling occurs for the State(s) you may operate in. Generally however, this means that data stops being transferred to third parties (as legally defined) and will result in data loss for the affected systems.
Anti-Fingerprinting Technology Enhancements
Firefox will now apply Fingerprinting Protection to the HTML Canvas APIs when ran in Private Mode or ETP-Strict Mode. In effect this will cause the browser to add in noise to the Canvas APIs to reduce the ability for Canvas features to be used as a fingerprinting mechanic. Identity solutions which rely on fingerprinting should be evaluated to determine what impact this change may have.
Note that Firefox fights fingerprinting (all browsers do) and that fingerprinting a device may not be legal in your jurisdiction. Caution is advised.
Privacy Tests in Germany
Two major privacy changes are being tested in the German market.
Cookie Banner Blocking
Seeking to limit the annoyance of cookie banners, Firefox will now attempt two actions when running in Private Mode per the knowledgebase article.
First, the browser will attempt to inject a cookie on as part of the page load, which will be set to the ‘declined’ state. This should prevent the banner from opening, as it will believe you have already made a consent selection.
In cases where this isn’t possible, Firefox will instead search for and click the banner’s “decline” or “reject” button. This would dismiss the banner as if you are interacted with it yourself.
If you’re interested in how this works, you can check out the Github repo.
Consent Management Solutions impacted by the feature include TrustArc, OneTrust, Cookiebot, Didomi and others.
Sites impacted include some of the most popular sites in Germany, and a full list of vendors and sites can be seen here.
URL Query Parameter Stripping
The first of these, URL Tracking Protection by default in private windows – will remove query parameters that are often used to track users. This is testing promotion of a feature which is currently only enabled under the Strict security setting to be the default behavior in Private Mode.
With both of these features, while Germany is the initial market, based on performance Mozilla plans to roll out the features to additional areas.