extesy / DeckTracker

Universal Deck Tracker for collectible card games such as The Elder Scrolls: Legends and Eternal

Make online data/stats collection opt-in only #215

Closed MarioLiebisch closed 6 years ago

MarioLiebisch commented 6 years ago

I'm aware that the program collects stats and uploads those to an Azure website. I'm not 100% sure whether it's anonymized (i.e. no unique ID or originating IP stored; considering we don't know the server-side structure), but in either case this might be in violation of the new EU GDPR, which will be in effect starting 25th May 2018, basically affecting all users from within the EU and their gameplay stats/data. (This might sound a bit over the top, but it will at least – in theory – allow tracking of who/when/where plays, so it could be considered personal data.)

I'm no lawyer and this is just my layman's interpretation, but I don't think the current data collection fulfills any of the points listed in the article linked above (especially considering it's not exposed anywhere that this is happening when just using the tool itself):

Lawful basis for processing

Data may not be processed unless there is at least one lawful basis to do so:

  • The data subject has given consent to the processing of personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.

Just to mention it, I don't mind it (I could just add the domain to my hosts file, redirecting it to nowhere), but I'm pretty sure we all know there are people who either wouldn't want this or who might even push this a bit further using legal steps or whatever they can.

extesy commented 6 years ago

FYI, only companies doing business in the EU are subject to EU laws, including GDPR. I'm not doing any business in the EU and I don't have time or resources to adopt their laws.

extesy commented 6 years ago

I might add a switch later at some point, but in any case it won't be related to GDPR in any way.

MarioLiebisch commented 6 years ago

If it's really just for companies, fine. :)