Personal Data policy: formal compliance vs user value

Does the Personal Data policy allow any flexibility depending on how a particular addon affects personal data?

In my plugin, which only extends Twitter with extra features, users can send a message to addon developers, which is basically structured feedback on its core feature (highlighting suspicious Twitter accounts).

Previously we accepted that feedback as a pre-filled direct message (which is the Twitter equivalent of private instant messaging between Twitter users). The addon did not request any consent on personal data from the user, as he never left Twitter. However, effectively we always knew who the author of any feedback was–without explicit consent from the user for sharing of his personal data.

Recently we switched to sending that feedback with Google Forms, for which the addon pre-filled form values with the user’s name on Twitter, which is available on any Twitter page. From the user’s perspective, it’s completely the same: he sends feedback without needing to manually type in his username; we know who sent each piece of feedback. Moreover, now the user can remove his prefilled name from the form and submit it anonymously–which was not possible in the earlier setup. But now we, addon developers, are required to ask for user consent for “collecting and sending personal data”–which is always a red flag for a non-tech user, no matter how well the consent text is written.

The only difference from a user perspective is that a (reputable) external service, Google Forms, now acts as an intermediary–which only formally may log requests for opening the pre-filled form with the username as part of the URL parameters.

Despite that minor difference, we’re asked to request user consent on data collection which we effectively don’t do now, just as we did not before. It is not any more “collection” than if an addon collects feedback by email, which also discloses the user’s email address in the FROM: field. Keep in mind that users are typically more resistant to sharing their email with other Twitter users than their Twitter username–but the latter case is effectively considered more “dangerous” for the user, per current policies.

So my question: can the personal data policy be more flexible towards cases like mine? If applied formally, it can destroy the value for users instead of adding it.

How can I bring it to the attention of Mozilla staff?

We read this forum :). In particular, I think @TheOne will be interested in your question. I don’t think you need any particular opt-in or disclosure if you’re opening up a Google Form, since users should understand what’s going on, but I could be wrong about that.

Then looking forward to hearing @TheOne on this :wink: