Open Eideren opened 1 year ago
There's actually per country requirements for opt-in vs opt-out and EU for example requires opt-in by GDPR I believe. I founds this article that summarizes the cases for opt-in/opt-out https://termly.io/resources/articles/opt-in-vs-opt-out/
I was wondering, if we have to make it opt-in, does it still make sense to use since we won't be able to track proper installation counts?
I'm thinking - while the collection of personal data requires explicit opt-in, things like non-personal telemetry are exempt. So we can still send the metrics on install provided we cannot differentiate the users (no system related identifiers, IP, etc). And if users don't want to send us even this then it's their choice. So if we ensure we only collect non-personal metadata I think having opt-out would still be correct.
I think there won't be many users that would disable metrics, knowing that their data is only used to increase some counters.
I assume it may make sense to still use metrics, since we can estimate that ~90 % of users have metrics turned on?
Yes if it's default on and only few users opt-out it, stats should be fine (as opposed to default off and opt-in).
Here are two things I can think of that might problematic privacy-wise:
InstallGuid
(source). Ideally I was hoping it could be kept, otherwise it will be difficult to understand who is an active user vs a new user.Another note: we had our own system, frontend and server for metrics. If you know of any other option/library to make maintenance easier, I am open to suggestions!
Sorry, I have just remembered a last one: the crash report system.
I am not even sure it is working still (backend is probably off), but when we used it at Silicon Studio it was receiving stacktrace and some env variables.
I think we did our best to hide sensitive info at the source before sending it, i.e. by hiding USERNAME/USERPROFILE directories https://github.com/stride3d/stride/blob/6a2e29b6aa4aeaf852631f9466b05b201d182142/sources/editor/Stride.GameStudio/CrashReportHelper.cs#L181
There is probably a bit more we could do (i.e. a toggle to hide stacktrace that doesn't start with Stride
for user code privacy in case it's irrelevant?).
However it is opt-in (user has to explicitly accept sending the crash info), and probably no backend running right now.
Opting out during installer
Option to opt out on first run of the editor
I think it may be enough if an user could opt out from the installer.
Do we need to update the privacy policy for those changes @xen2 ?