Hi! Please also look into the collector.githubapp.com analytics endpoint, the request does not seem to be compatible with GDPR in its current form. Either unique IDs tied to the user will have to be removed, or express consent will have to be requested.
This is just not true. See my comment elsewhere in this thread:
Why is it not GDPR compliant? You do not need consent under the GDPR. You need a (documented) "lawful basis for processing" personal information. Consent is just one of several lawful bases and honestly it's the most useless one; if you need consent your business model is screwed.
It's perfectly possible for GitHub to process personal information without explicit consent while not violating the GDPR. Several options come to mind:
1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.
2) The "legitimate interest" lawful basis, which states:
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Arguing that improving the accessibility/usability is in the legitimate interest of both company and user.
I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.
> 1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.
Sure, you can argue that, but it has no merit.
The only reason that you can write that sentence with a straight face is due to the current affairs of the web. You know, the thing that GDPR tries to rectify.
And analytics do not need personally identifiable information.
https://news.ycombinator.com/item?id=25461825