Until now GitHub has sent client-side requests to Google Analytics with a client ID that was also sent in a second client-side request to an in-house analytics API at GitHub for augmenting and cross-referencing user data.
The client-side Google Analytics request no longer appears to be sent, but a request containing personal data is still sent to collector.githubapp.com.
The privacy policy page which lists third party data subprocessors and cookies used on GitHub [1] seems to be outdated. Does the announced change also mean that Google Analytics and other subprocessors have been eliminated, or has some of the tracking merely moved server-side?
Came here to say this. Eliminating Google analytics is unequivocally a good thing. A strong B+ assessment. But the blog doesn't say anything about eliminating _tracking_. Personally, I can live with analysis that's used solely for product improvement. If that's all github is doing, then the score goes up to an A.
But if they're siphoning off data for any other purposes - whether passing to the mother ship or otherwise - then the score is down to D-. The intent of EU cookie regulation is to make tracking and data collection transparent and opt in. Changing the implementation to server side might comply with the letter of the law but it violates the spirit.
It would be good if GitHub would clarify their position.
Removing Google Analytics is a good thing, thanks for that.
I also appreciate that you use DoNotTrack to give users a choice (even if this is not available on Safari any more).
In section "3.1.3 Granularity" paragraph #44.
"If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. [...] When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose"
You grouped cookies together and removed granularity of choice. I think this is against the spirit of the regulation.
Overall I think the change is positive, but grouping cookies to avoid a banner is still against the regulation.
I know it is not a site-wide issue and is probably a minor thing, but have you also looked into tracking done by embedded media, like embedded YouTube videos?
In the case of YouTube there is a no-cookie domain that can be used for embedding; then, while the client still sends the request to them, no additional cookie is set.
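As an added illustration of the two client-side measures mentioned in this thread (honouring Do Not Track before sending analytics, and embedding YouTube through its no-cookie domain), here is a small browser-side helper. It is example code written for this discussion, not GitHub's or YouTube's own code. The `navigator`-like and `window`-like objects are passed in as parameters (an assumption made so the functions can run outside a browser); `www.youtube-nocookie.com` is the real privacy-enhanced embed host, and the sample URLs are constructed.

```javascript
// Added example, not code from GitHub or YouTube.
//
// 1. Honour the Do Not Track signal before any analytics request is sent.
//    The value has been exposed under several names over the years; "1" or
//    "yes" means the user asked not to be tracked. `nav` and `win` stand in
//    for the browser's navigator and window objects (assumption: passed in
//    by the caller so this also runs under Node for testing).
function dntEnabled(nav, win) {
  const raw =
    (nav && (nav.doNotTrack ?? nav.msDoNotTrack)) ??
    (win && win.doNotTrack) ??
    null;
  return raw === "1" || raw === "yes";
}

// Only invoke `send` (e.g. navigator.sendBeacon wrapped by the caller) when
// the user has not opted out. Returns whether anything was sent.
function sendAnalyticsIfAllowed(nav, win, payload, send) {
  if (dntEnabled(nav, win)) return false;
  send(payload);
  return true;
}

// 2. Rewrite YouTube URLs to the privacy-enhanced embed host. The request
//    still goes to Google when the iframe loads, but the nocookie host does
//    not set a tracking cookie on load. Handles both /embed/ID and
//    /watch?v=ID forms; anything else (including malformed input) is
//    returned unchanged.
function toNoCookieEmbed(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return url; // not a URL at all; leave it alone
  }
  const host = u.hostname.toLowerCase();
  if (host !== "www.youtube.com" && host !== "youtube.com") return url;

  if (u.pathname.startsWith("/embed/")) {
    u.hostname = "www.youtube-nocookie.com";
    return u.toString();
  }
  if (u.pathname === "/watch" && u.searchParams.get("v")) {
    const id = encodeURIComponent(u.searchParams.get("v"));
    return new URL(`https://www.youtube-nocookie.com/embed/${id}`).toString();
  }
  return url;
}

// Rewrite every YouTube iframe on the page in place (browser only).
function rewriteEmbeds(doc) {
  for (const frame of doc.querySelectorAll("iframe[src]")) {
    frame.setAttribute("src", toNoCookieEmbed(frame.getAttribute("src")));
  }
}
```

In a real page you would call `sendAnalyticsIfAllowed(navigator, window, payload, p => navigator.sendBeacon(endpoint, p))` and `rewriteEmbeds(document)` once the DOM is ready; the functions are kept free of globals so the decision logic can be unit-tested.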
Thanks for responding Nat. My interpretation from the PR:
You've stopped using cookies as a mechanism for marketing/tracking. But you're still doing it by other means.
Rationale:
1. You are still tracking and may share the data with 3rd parties. Justification: privacy statement [0] line 147. It states that data are "aggregated, non-personally identified" which might mean it's GDPR compliant. OTOH: you're presumably holding the non-aggregated data for aggregation purposes in the first place. IANAL but I think that needs consent. I don't know CCPA well enough to comment.
2. The sub-processors statement [2] says this includes Google (and Google Analytics specifically), LinkedIn and Eloqua (marketing analytics firm) among others.
3. Cookies and - possibly? - other client-side technologies are only used for running and improving the service. Justification: Line 238 in the privacy statement. (There's a typo in there btw: "complie" should be "compile" I think).
4. You respect DNT - line 244. Which, presumably, means you do not track user behaviour on any sites other than github? i.e. those in which you are a 3rd party.
5. However, the privacy statement line 31 [1] states: "GitHub may also collect User Personal Information from third parties." Interpretation: whilst you're not collecting 3rd party personal information using cookies, you are (or "may") do so through other means.
> OTOH: you're presumably holding the non-aggregated data for aggregation purposes in the first place. IANAL but I think that needs consent.
I believe this is actually fine if they can show they don't hold this data longer than necessary and have a process for destroying it in a timely fashion.
To downvoters: can you explain why? That's not passive-aggressive, just a desire to understand. The intent was an objective analysis of the revised privacy wording from the perspective of tracking. Do you disagree with the conclusions? Something else? Thanks.
Why do you think changing the implementation to the server side will comply with the letter of the law? Or perhaps I should ask which law.
GDPR doesn't differentiate between the client side and the server side; you're simply not allowed to keep information on users unless they've consented to it being kept or it is required for a legitimate functionality to which they have consented.
I had been planning to post about this issue a couple of months ago, when I noticed that GitHub was sending personal data collected on the client side to Google Analytics without user consent.
Then recently they have introduced a consent popup, which was actually one of the most refreshing cookie consent popups I have ever seen: it contained two buttons, Accept and Reject. This popup has now been removed.
I think a lot of developers may have clicked on Reject, though removing tracking cookies will not absolve GitHub of the requirement to continue asking for informed and free consent under GDPR, if they will continue to process personal data, and share it with third-party services from their servers.
The current website code points to the same data still being sent to GitHub, only the implementation has changed.
[1] https://docs.github.com/en/free-pro-team@latest/github/site-...