> We are happy to have removed cookie banners from GitHub
I'm a regular visitor to GitHub from the EU, most of the time not logged in and in private browsing mode, so I usually appear like a completely new entity that hasn't consented to anything. I only started noticing cookie banners on GitHub in the last month or two.
So... in the past, did you not have cookie banners because you didn't have tracking cookies until recently, and all this is a big publicity stunt? Or were you breaking the law up until a month or two ago by having tracking cookies but not asking for my consent?
Hi! Please also look into the collector.githubapp.com analytics endpoint; the request does not seem to be compatible with GDPR in its current form. Either unique IDs tied to the user will have to be removed, or express consent will have to be requested.
This is just not true. See my comment elsewhere in this thread:
Why is it not GDPR compliant? You do not need consent under the GDPR. You need a (documented) "lawful basis for processing" personal information. Consent is just one of several lawful bases and honestly it's the most useless one; if you need consent, your business model is screwed.
It's perfectly possible for GitHub to process personal information without explicit consent while not violating the GDPR. Several options come to mind:
1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.
2) The "legitimate interest" lawful basis, which states:
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Arguing that improving the accessibility/usability is in the legitimate interest of both company and user.
I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.
> 1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.
Sure, you can argue that, but it has no merit.
The only reason that you can write that sentence with a straight face is due to the current affairs of the web. You know, the thing that GDPR tries to rectify.
And analytics do not need personally identifiable information.
Hi everyone, thanks for all the enthusiasm about this change. We are happy to have removed cookie banners from GitHub, and not to participate in third-party tracking of user behavior.
Our privacy policies and subprocessor list will be updated next week following our customary 30-day user notice period. We do this in the open in a pull request, so you can see the changes now:
https://github.com/github/site-policy/pull/336