From the Package Control documentation:

submit_usage

If installs, upgrades and removals should be logged to the reporting URL. This data will be used to power the community package listing and will be displayed in aggregate only. No user-identifiable information is sent, just the: package name, operation, package version, package control version, sublime version and sublime platform.

Personally, I have no problem with this setting and used its default for as long as I’ve been using Package Control. However, it’s not compliant with the EU GDPR, making it technically illegal to use in the EU. In a nutshell, Package Control should ask for the user’s consent before sending any data, even if fully anonymised. It should also contain a link to a page which lists the exact data being sent (like the one linked above).

Here is how GitHub is doing it in their Atom editor:

Screenshot 2018-11-04 at 11.49.10.png1572×899 190 KB

I don’t intend to start a discussion how stupid or great the GDPR is, I just wanted to save @wbond from potential legal trouble.

How is it not compliant with the GDPR?

There’s no dialog asking whether a user agrees or disagrees to sending usage data.

In particular I don’t think the fact that there is a documented setting that does it counts as consent; it has to tell you specifically. Also if I recall correctly, the user also has to have the power to not only ask for their data (which I think is what the above is showing) but also ask for it to be removed as well.

I could be wrong though; my brain rebelled at all of the courses I had to take as a part of at work, so at some level I stopped paying attention.

No, I mean what part of the GDPR am I violating since so don’t deal with personally identifiable information?

If you have someone familiar with European and US legal issues who is willing to provide some advice, I’d be happy to listen.

@wbond is correct, the consent is only required when dealing with personal data.

This site gives a good explanation:

Beyond that, I am not an “enterprise” with regards to the GDPR. The project is a personal hobby and not part of a commercial entity. Additionally the data collected is for statistical purposes only, which is another exemption.

Even private blogs with Google Ads will be classified as commercial entity, even if the income from those ads just covers the operations costs. So it depends on whether you receive payments for placing the Sublime Text Book ad on the Package Control website.

I hope this is true, but I’d probably double-check. Also, I wonder why any website using Google Analytics (even with anonymizeIp setting) needs to mention it used. It’s probably the cookies.

While we’re talking about the GDPR, I’d like to bring attention to this topic.

Because Google tracks user behavior. Where do people go when how often… What links to they click etc. to build a sophisticated dataset for each internet user. Same is done with google ads. Each page using them is therefore a frontend part of that global tracking beast and hence must mention it.

This goes far far beyound sending a ping to increment a counter for installed/removed packages of a software which is used for the packagecontrol.io stats only.

There have been a couple of privacy discussions in the past. As a result I can say the world would be much better if only one big software company of the silicon valley would take privacy so serious.

In my understanding of the GDPR, services can collect data (when it doesn’t contain personal data) and that data is needed to make the service work without an consent. Example statistics what features people use from a service is ok to collect without a consent, if example administrator needs that information to run the services.

@deathaxe already explains that quite well why, but to complement, Google Analytics obtains hundreds of personal info about the user that even is accessible to the site owner, like the user ISP, their interests, their behaviour, they can even show cross-device tracking.

That’s not a fully correct example, it’s not if the admin needs the information for the service, is if the service requires the information to fulfill the execution of the service. For example, you don’t need to ask consent to obtain the user credit card number if that’s exactly one step to actually buy the service.