
Ask HN: Maintainers of OSS projects, how do you deal with GDPR? - pvorb
The GDPR changed how service providers need to proclaim how they are using data.

I'm interested in how Open Source projects for end-users are dealing with the issue. Are you including cookie banners, privacy statements or EULAs in your product, so it's easier for your users to deploy the software legally to their audience? Do you leave it to your users to collect and provide the information about your product?

What's your approach?

And also: How do operators handle the issue if the Open Source product they are hosting did not prepare for GDPR?
======
dozzie
> Are you including cookie banners,

Those were never necessary for operational purposes. If you were selling your
users to get Google's analytics, that's a different matter.

> privacy statements or EULAs in your product, so it's easier for your users
> to deploy the software legally to their audience?

Don't collect users' data, then you don't need privacy statements nor EULAs
about that.

> Do you leave it to your users to collect and provide the information about
> your product?

Are you Microsoft or the Homebrew team, that you steal users' data unless opted
out?

> And also: How do operators handle the issue if the Open Source product they
> are hosting did not prepare for GDPR?

Open source that doesn't steal users' data is already GDPR-compatible.

~~~
pvorb
> Those were never necessary for operational purposes. If you were selling
> your users to get Google's analytics, that's a different matter.

What about simple session cookies? You need to give end-users the information
on how your service uses cookies, if I understand it correctly.

> Don't collect users' data, then you don't need privacy statements nor EULAs
> about that.

That would be optimal, of course – and I'm not even sure if it saves you from
having a privacy statement – but if you have something like a login form,
you'll need to collect email addresses (or something else users can use to
reset their lost passwords). This is personal information, which is subject to
GDPR.

> Are you Microsoft or the Homebrew team, that you steal users' data unless opted
> out?

GDPR mandates opt-in to almost everything. And you need to be explicit about
what you are doing with the data, in order to be able to provide opt-in.

> Open source that doesn't steal users' data is already GDPR-compatible.

I don't think it's that simple.

~~~
dozzie
>> Those were never necessary for operational purposes. If you were selling
>> your users to get Google's analytics, that's a different matter.

> What about simple session cookies? You need to give end-users the
> information on how your service uses cookies, if I understand it correctly.

No, from what the bigger half of the internets says, you don't need consent for
session cookies (the ones that are necessary for the login form).

> if you have something like a login form, you'll need to collect email
> addresses (or something else users can use to reset their lost passwords).
> This is personal information, which is subject to GDPR.

Nope. For keeping login (especially if you don't _require_ logging in) you
don't need separate explicit consent.

>> Open source that doesn't steal users' data is already GDPR-compatible.

> I don't think it's that simple.

I think it is.

