Update best practices page for policy changes (mozilla#1139)
kewisch committed Nov 30, 2021
1 parent e4a3c12 commit 819f27b
Showing 7 changed files with 45 additions and 39 deletions.
Binary file not shown.
Binary file not shown.
Expand Up @@ -6,8 +6,8 @@ topic: Develop
tags:
[add-ons, extensions, how-to, privacy, ui, user-interface, ux, webextensions]
contributors: [rebloor]
last_updated_by: rebloor
date: 2019-04-24 14:35:04
last_updated_by: kewisch
date: 2021-12-01
---

<!-- Page Hero Banner -->
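
Review bot: the new front-matter value `date: 2021-12-01` drops the time component that the previous value (`2019-04-24 14:35:04`) carried; use the same timestamp format as before unless the site is moving to date-only values, so that anything sorting or parsing this field sees one format. `contributors` still lists only rebloor while `last_updated_by` is now kewisch; add the new author there if that list is meant to track everyone who edited the page.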
Expand All @@ -16,13 +16,13 @@ date: 2019-04-24 14:35:04

# Prompt users for data and privacy consents

If your extension uses cookies or collects user data, it needs to comply with the requirement of the [Data Disclosure, Collection and Management](/documentation/publish/add-on-policies/#data-disclosure-collection-and-management) section of the [Add-on Policies](/documentation/publish/add-on-policies/).
If your extension collects user data, it needs to comply with the requirement of the [Data Disclosure, Collection and Management](/documentation/publish/add-on-policies/#data-disclosure-collection-and-management) section of the [Add-on Policies](/documentation/publish/add-on-policies/).

A common developer question about these policies is how to translate them into web extension features that can pass the addons.mozilla.org reviews. This how-to is the result of those requests and offers advice on implementing prompts to meet the data collection and add-on policies. This article suggests how you can implement suitable prompts but it doesn’t replace or supersede the policies; you still need to confirm that your extension complies with the policies.
A common developer question about these policies is how to translate them into browser extension features that are compliant to [Mozilla’s Add-on policies](/documentation/publish/add-on-policies/). This how-to is the result of those requests and offers advice on implementing prompts to meet the data collection and add-on policies. This article suggests how you can implement suitable prompts but it doesn’t replace or supersede the policies; you still need to confirm that your extension complies with the policies.

{% endcapture %}
{% include modules/page-hero.liquid
content: page_hero_banner_content
content: page_hero_banner_content
%}

<!-- END: Page Hero Banner -->
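
Review bot: in the rewritten second paragraph, "compliant to" should be "compliant with", and the link text "Mozilla’s Add-on policies" is capitalized differently from "Add-on Policies" in the paragraph directly above, which links the same page. Pick one spelling for the policy name. The `content: page_hero_banner_content` line shows up as both removed and added, so it looks like a whitespace-only change; drop it from the patch unless the indentation fix is intended.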
Expand All @@ -33,11 +33,13 @@ A common developer question about these policies is how to translate them into w

## Know your privacy settings

To create the consent flow and consent dialogues your extension needs, you should first answer these questions:
To create the consent flow and consent dialogs your extension needs, you should first answer these questions:

1. Does my extension use cookies?  If so, you’ll need to get user consent to store cookies.
2. Does my extension collect technical or interaction data? (If you’re unsure what technical and interaction data is, check out the definition in [Data Disclosure, Collection and Management](/documentation/publish/add-on-policies/#data-disclosure-collection-and-management).) If so, offer the user the opportunity to opt-out of this data collection, although you can always offer opt-in consent if you prefer.
3. Does my extension collect personally identifying information? If so, get the user’s opt-in consent before collecting any of this data. Remember that personally identifying information includes technical or interaction data tagged with the user’s identity or information that can be used to identify the user, such as an IP address.

1. Does my extension collect technical or interaction data? If so, offer the user the opportunity to opt-out of this data collection, although you can always offer opt-in consent if you prefer.
2. Does my extension collect personally identifying information? If so, get the user’s opt-in consent before collecting any of this data. Remember that personally identifying information includes technical or interaction data tagged with the user’s identity or information that can be used to identify the user, such as an URL.

If you are unsure if your add-on collects personal data, technical data, or interaction data, check out the definition in [Data Disclosure, Collection and Management](/documentation/publish/add-on-policies/#data-disclosure-collection-and-management).

{% endcapture %}
{% include modules/column-w-toc.liquid
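
Review bot: the new item 2 replaces the example "such as an IP address" with "such as an URL". That should read "a URL", and since an IP address is the more familiar example of data that can identify a user, consider keeping both ("such as a URL or an IP address") unless the removal is deliberate. The definition pointer that moved into the closing paragraph says "add-on" while the rest of this section says "extension"; use one term.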
Expand All @@ -53,10 +55,10 @@ To create the consent flow and consent dialogues your extension needs, you shoul

## Get prepared

Before designing the data collection and use of cookies consents for your extension, you should:
Before designing the data collection consent for your extension, you should:

- eliminate any unnecessary data collection or cookies.
- design your extension to offer as much functionality as possible if the user declines the collection of data or the use of cookies.
- eliminate any unnecessary data collection.
- design your extension to offer as much functionality as possible if the user declines the collection of data.
- create a privacy policy.

{% endcapture %}
Expand All @@ -73,7 +75,7 @@ Before designing the data collection and use of cookies consents for your extens

## Create a privacy policy

When your users arrive at your data and privacy consent dialogue, they need to know what they're consenting to and this is where your privacy policy comes in. The [Data Disclosure, Collection and Management](/documentation/publish/add-on-policies/#data-disclosure-collection-and-management) section of the [Add-on Policies](/documentation/publish/add-on-policies/) provides clear guidelines on what the policy should include. If you’re collecting significant quantities of data and making significant use of it, taking legal advice may be prudent. However, your first strategy should be to reduce or eliminate the collection of user data where possible. If your data collection and use is fairly low-level, it’s possible that privacy policy generator—such as [Cooley LLP](https://www.cooleygo.com/documents/privacy-policy/) or [iubenda](http://www.iubenda.com)may be helpful. You may also want to take a look at [Mozilla's privacy policy](https://www.mozilla.org/privacy/) as a model to follow.
When your users arrive at your data and privacy consent dialog, they need to know what they're consenting to and this is where your privacy policy comes in. The [privacy policy](/documentation/publish/add-on-policies/#privacy-policy) section of the [Add-on Policies](/documentation/publish/add-on-policies/) provides clear guidelines on what the policy should include. If you’re collecting significant quantities of data and making significant use of it, taking legal advice may be prudent. However, your first strategy should be to reduce or eliminate the collection of user data where possible. If your data collection and use is fairly low-level, it’s possible that privacy policy generator may be helpful. You may also want to take a look at [Mozilla's privacy policy](https://www.mozilla.org/privacy/) as a model to follow.

{% endcapture %}
{% include modules/one-column.liquid
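
Review bot: removing the two named generators leaves "it’s possible that privacy policy generator may be helpful", which is missing its article; make it "a privacy policy generator may be helpful". The first link now targets `#privacy-policy` instead of `#data-disclosure-collection-and-management`; confirm that anchor exists on the Add-on Policies page, since the other sections of this file still link to the old one.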
Expand All @@ -87,23 +89,23 @@ When your users arrive at your data and privacy consent dialogue, they need to k

{% capture content %}

## Prompt after install or on first use
## Prompt after install

As part of your extension’s onboarding flow, include information about your privacy policy and data collection, and seek any necessary user consents. Any privacy information and settings should be clear and unmissable, separating these details from general information about your extension can help.

For more information on how to implement a post-install page or dialog, see [Best practices for onboarding, upboarding, and offboarding users](/documentation/develop/onboard-upboard-offboard-users/).

As mentioned in the [Add-on policies](/documentation/publish/add-on-policies/), if your extension uses cookies or collects user data in association with features that run in the background, such as ad blocking, you need to make sure the cookies or data collection are not activated until you have user consent.
As mentioned in the [Add-on policies](/documentation/publish/add-on-policies/), if your extension collects user data in association with features that run in the background, such as ad blocking, you need to make sure the data collection is not activated until you have obtained user consent.

We have talked about how you could let users opt-out of collecting technical and interaction data but must have users opt-in to collecting personally identifying information. Before you design your extension features around your consent requests, it is important to understand how these options affect your design.

Where you provide the user with an opt-in option, the related feature must be turned off by default and only turned on once the user has actively agreed to use that feature.
Where you provide the user with an opt-in option, the related feature **must be turned off by default** and only turned on once the user has actively agreed to use that feature.

Where you provide the user with an opt-out, option the related features can be turned on by default but must be turned off if the user indicates they want to opt-out.
Where you provide the user with an opt-out, option the related features **can be turned on by default** but **must be turned off if the user indicates** they want to opt-out.

{% endcapture %}
{% include modules/one-column.liquid
id: "prompt-after-install-or-on-first-use"
id: "prompt-after-install"
content: content
%}
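
Review bot: changing the section id from `prompt-after-install-or-on-first-use` to `prompt-after-install` changes the fragment that links to this section use, so existing links and bookmarks to the old anchor will stop landing here. The matching entry in src/data/pages.json is updated in this commit, but any other page that links to the old fragment needs the same update, or the old id should stay available as an extra anchor. In the opt-out sentence, which is touched here to add bold, the comma is still misplaced: "an opt-out, option the related features" should be "an opt-out option, the related features".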

Expand All @@ -115,21 +117,21 @@ Where you provide the user with an opt-out, option the related features can be t

## Determine your consent flow

Before designing your consent dialogs, you should determine the privacy consent flow for your extension, based on the data it collects and whether it uses cookies. Here is an example of a consent flow where an extension collects personally identifying information and technical data and uses cookies:
Before designing your consent dialogs, you should determine the privacy consent flow for your extension, based on the data it collects. Here is an example of a consent flow where an extension collects personally identifying information and technical data:

![Illustrating an example of the application flow for handling privacy consents.](/assets/img/documentation/develop/MDN_Privacy_Flags_Flow_Diagram.png)

In this example:

1. Your extension should start up with all cookie and data collection functionality disabled.
2. Either shortly after installation (see [Best practices for onboarding, upboarding, and offboarding users](/documentation/develop/onboard-upboard-offboard-users/)) or when the user first attempts to uses an extension feature, present them with a consent dialog.
1. Your extension should start up with all data collection functionality disabled.
2. Shortly after installation (see [Best practices for onboarding, upboarding, and offboarding users](/documentation/develop/onboard-upboard-offboard-users/)), present them with a consent dialog.
On this dialog:
3. The option for collecting personally identifying information must default to disabled so that the user has to actively opt-in.
4. The options for technical data and cookies may default to enabled, so that the user may choose to opt-out.
5. If the user opts:
6. IN to all features, continue with all extension features enabled.
7. OUT of any feature that cannot be disabled, offer them the option to remove the extension. If they choose not to remove the extension present the consent dialog again.
8. OUT only from features that can be disabled, disable those features and continue running the extension.
4. The options for technical data may default to enabled, so that the user may choose to opt-out.
5. If the user:
- opts IN to all features &rarr; continue with all extension features enabled.
- opts OUT of any feature that cannot be disabled &rarr; offer them the option to remove the extension. If they choose not to remove the extension present the consent dialog again.
- opts OUT only from features that can be disabled &rarr; disable those features and continue running the extension.

{% endcapture %}
{% include modules/one-column.liquid
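
Review bot: in step 2, dropping the "when the user first attempts to uses an extension feature" clause leaves "present them with a consent dialog" with no antecedent for "them"; write "present the user with a consent dialog". Steps 3 and 4 describe the dialog introduced by "On this dialog:" and the three new bullets belong to step 5, so check that they are indented as nested items under their parent steps. In the second bullet, add a comma after "remove the extension".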
Expand All @@ -145,18 +147,24 @@ In this example:

## Your consent dialogs

Once you understand your privacy consent flow, you can add suitable consent dialogues. The following are suggestions on how to present data collection and cookie consent dialogs. Where the mockups include the linked text “our Privacy Policy”, this should go to your extension’s privacy policy page on AMO. If you choose to follow these mockups, remember to modify them appropriately for your extension.
Once you understand your privacy consent flow, you can add a suitable consent dialog. The following are suggestions on how to present a data collection consent dialog. Where the mockups include the linked text “our Privacy Policy”, this should go to your extension’s privacy policy page on AMO. If you choose to follow these mockups, remember to modify them appropriately for your extension.

### Only personally identifying information
The default option is not to collect personally identifying information. If you do, the user needs to actively opt-in. Remember to list the data you’re collecting; don’t make the user read your privacy policy to determine what data you are collecting and why.

- Only Cookies. The option to add cookies can be set as the default response.
![Mockup of a prompt that could be used when an extension requires user consent to use cookies alone.](/assets/img/documentation/develop/privacy_prompt_mockup_cookies_only.png)
- Only personally identifying information. The default option is not to collect personally identifying information. If you do, the user needs to actively opt-in. Remember to list the data you’re collecting; don’t make the user read your privacy policy to determine what data you are collecting and why.
![Mockup of a prompt that could be used when an extension requires consent for processing personal data only.](/assets/img/documentation/develop/privacy_prompt_mockup_personal_data.png)
- Only technical data, (no user identifiers). The option to collect technical data can be set as the default response.
### Only technical or interaction data
Data collected does not include user identifiers. The option to collect technical data can be set as the default response.

![Mockup of a prompt that could be used when an extension requires consent for processing technical data only.](/assets/img/documentation/develop/privacy_prompt_mockup_anonymous_data.png)
- Combination: Cookies, Personal, and Technical Data.
![Mockup of a prompt that could be used when extension requires consent for cookies and processing personal and technical data.](/assets/img/documentation/develop/privacy_prompt_mockup_all_three.png)
- The extension won’t work without data or cookies. The default option is your choice.
![Mockup of a prompt that could be used when the user provide insufficient permission for privacy related features so that the extension cannot work. Gives the user the option to uninstall the extension or review their privacy settings.](/assets/img/documentation/develop/privacy_prompt_mockup_remove_extension.png)
### Combination: Personal and technical data.
The add-on is requesting both types of data collection. Please ensure the choices are separate.

![Mockup of a prompt that could be used when extension requires consent for processing personal and technical data.](/assets/img/documentation/develop/privacy_prompt_mockup_combined.png)
### Required data collection
The extension requires personal or technical data collection to provide its functionality, it cannot be used without. The default option is your choice.

![Mockup of a prompt that could be used when the user provides insufficient permission for privacy related features so that the extension cannot work. Gives the user the option to uninstall the extension or review their privacy settings.](/assets/img/documentation/develop/privacy_prompt_mockup_remove_extension.png)

{% endcapture %}
{% include modules/one-column.liquid
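
Review bot: under "Required data collection", "The default option is your choice" now applies to personal data as well, which conflicts with the rule stated earlier in this file that the option for collecting personally identifying information must default to disabled so that the user has to actively opt in. Either state that the personal-data choice stays off by default even when the extension cannot work without it, or limit "your choice" to technical data. Smaller points: the heading "Combination: Personal and technical data." ends with a period unlike the other headings, the new headings have no blank line before the text that follows them, and "to provide its functionality, it cannot be used without" is a comma splice.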
Expand All @@ -166,5 +174,3 @@ Once you understand your privacy consent flow, you can add suitable consent dial
%}

<!-- END: Single Column Body Module -->


4 changes: 2 additions & 2 deletions src/data/pages.json
Expand Up @@ -255,8 +255,8 @@
"id": "create-a-privacy-policy"
},
{
"title": "Prompt after install or on first use",
"id": "prompt-after-install-or-on-first-use"
"title": "Prompt after install",
"id": "prompt-after-install"
},
{
"title": "Determine your consent flow",