Description
This plugin is not GDPR-compliant and the same might be true for other privacy regulations, e.g. the CCPA. I will continue to use the GDPR as an umbrella term for similar regulations.
At the time of this writing, the authors assume that consent is given through the consent already collected for GitHub's metrics package. This is problematic in many ways. Let's take a look at these simple definitions:
- Consent must be freely given
- Consent must be specific
- Consent must be informed
- Consent must be unambiguous
I think these definitions are easy enough to understand for non-lawyers and it should be clear that all of these are violated. When the user accepts GitHub's policy, each of these criteria is met between GitHub and the user. However, GitHub cannot be made liable for everyone else jumping on the train – they don't know anything about what your code does, so why would they vouch for it? Also, GitHub sends user data to its own servers, while this package sends it to a different party: Google Analytics.
Here's a simple example to illustrate the problem: A user installs Atom on January 1st, and on the first startup they accept the privacy policy between them and GitHub Inc. Nine months later, the user installs atom-beautify. GitHub's policy is specific to the data collection of the metrics package, so the user is uninformed about the data collection of atom-beautify – because GitHub's privacy policy is unambiguous that it applies only to the collection by the metrics package.
It should be enough if this package pops up a notification with "Accept" / "Reject" buttons and a link to your privacy policy. Or better, replicate the consent page used by the metrics package. However, since I'm not a lawyer, you might want to read about this online. There are plenty of free resources that provide guidance, including here on GitHub.
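As an added illustration of the notification-based approach suggested above (this is example code, not atom-beautify's own implementation), the sketch below gates every analytics call behind an explicitly recorded "accepted" decision, asks once, and treats anything other than an explicit acceptance (unset, rejected, or a stray value) as no consent. The config key `atom-beautify.analyticsConsent`, the `MemoryConfig` stand-in for `atom.config`, and the policy URL are assumptions made for the example; `atom.notifications.addInfo` with a `buttons` option is Atom's real API and is used only when the code runs inside Atom.

```javascript
// Consent-gated telemetry for an Atom package (added example, not project code).
// Assumed config key (hypothetical name); the decision is stored here so it is asked only once.
const CONSENT_KEY = 'atom-beautify.analyticsConsent';
const CONSENT = Object.freeze({ UNSET: 'unset', ACCEPTED: 'accepted', REJECTED: 'rejected' });

// Minimal in-memory stand-in for atom.config, constructed so the logic runs outside Atom.
class MemoryConfig {
  constructor() { this.values = new Map(); }
  get(key) { return this.values.has(key) ? this.values.get(key) : undefined; }
  set(key, value) { this.values.set(key, value); }
}

// Normalise whatever is stored: only the two explicit decisions count, everything else is "unset".
function currentConsent(config) {
  const v = config.get(CONSENT_KEY);
  return v === CONSENT.ACCEPTED || v === CONSENT.REJECTED ? v : CONSENT.UNSET;
}

// Unambiguous consent: sending is allowed only on an explicit, recorded acceptance.
function telemetryAllowed(config) {
  return currentConsent(config) === CONSENT.ACCEPTED;
}

// Show the Accept / Reject prompt with a link to the policy. Returns true if a prompt was shown,
// false if the user has already decided (no nagging, and no re-asking after a rejection).
function askForConsent(config, notifier, policyUrl) {
  if (currentConsent(config) !== CONSENT.UNSET) return false;
  notifier.show({
    message: 'atom-beautify would like to send anonymous usage data to Google Analytics.',
    detail: `Privacy policy: ${policyUrl}`,
    buttons: [
      { text: 'Accept', onDidClick: () => config.set(CONSENT_KEY, CONSENT.ACCEPTED) },
      { text: 'Reject', onDidClick: () => config.set(CONSENT_KEY, CONSENT.REJECTED) },
    ],
  });
  return true;
}

// Wrap the analytics sender so the gate sits in one place and cannot be forgotten at call sites.
// track() returns true when an event was actually sent, false when it was suppressed.
function createTracker(config, send) {
  return {
    track(event) {
      if (!telemetryAllowed(config)) return false;
      send(event);
      return true;
    },
  };
}

// Notifier adapter: inside Atom use the real notifications API; elsewhere record what would be shown.
function makeNotifier() {
  if (typeof atom !== 'undefined' && atom.notifications) {
    return {
      show: (n) => atom.notifications.addInfo(n.message, {
        detail: n.detail, dismissable: true, buttons: n.buttons,
      }),
    };
  }
  const shown = [];
  return { shown, show: (n) => shown.push(n) };
}
```

In a package's `activate()` the sequence would be `askForConsent(atom.config, makeNotifier(), policyUrl)` followed by using only the tracker returned by `createTracker(atom.config, realSend)` for analytics; because the tracker checks the stored decision on every call, a user who later flips the setting to rejected stops all sending immediately.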