
This is all detailed in our updated privacy policy: https://github.com/github/site-policy/pull/336


Thanks for the update. It appears the data will continue to be sent to Google Analytics from the backend.


Hi natfriedman, thanks for the transparency.

Removing Google Analytics is a good thing, thanks for that. I also appreciate that you use DoNotTrack to give users a choice (even if this is not available on Safari any more).

As it is explained in the privacy policy, basically you now use the same cookie "_octo" both for session management and first-party tracking: https://github.com/github/site-policy/pull/336/files#diff-8b...

EU guidelines require that you offer granularity of choice for different “processing purposes”. See in this "Guidelines on consent under Regulation 2016/679" https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...

In section "3.1.3 Granularity" paragraph #44. "If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. [...] When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose"

You grouped cookies together and removed granularity of choice. I think this is against the spirit of the regulation.

Overall I think the change is positive, but grouping cookies to avoid a banner is still against the regulation.


I know it is not a site-wide issue and is probably a minor thing, but have you also looked into tracking done by embedded media, like embedded YouTube videos?

In the case of YouTube there is a no-cookie domain that can be used for embedding and then, while the client still sends the request to them, no additional cookie is set.


Thanks for responding Nat. My interpretation from the PR:

You've stopped using cookies as a mechanism for marketing/tracking. But you're still doing it by other means.

Rationale:

1. You are still tracking and may share the data with 3rd parties. Justification: privacy statement [0] line 147. It states that data are "aggregated, non-personally identified" which might mean it's GDPR compliant. OTOH: you're presumably holding the non-aggregated data for aggregation purposes in the first place. IANAL but I think that needs consent. I don't know CCPA well enough to comment.

2. The sub-processors statement [2] says this includes Google (and Google Analytics specifically), LinkedIn and Eloqua (marketing analytics firm) among others.

3. Cookies and - possibly? - other client-side technologies are only used for running and improving the service. Justification: Line 238 in the privacy statement. (There's a typo in there btw: "complie" should be "compile" I think).

3. You respect DNT - line 244. Which, presumably, means you do not track user behaviour on any sites other than github? i.e. those in which you are a 3rd party.

4. However, the privacy statement line 31 [1] states: "GitHub may also collect User Personal Information from third parties." Interpretation: whilst you're not collecting 3rd party personal information using cookies, you are (or "may") do so through other means.

[0]: https://github.com/github/site-policy/pull/336/commits/fe1b6...

--

EDIT: clarified GDPR point.

[1]: https://github.com/github/site-policy/pull/336/commits/79a99...

[2]: https://github.com/github/site-policy/pull/336/commits/e98e3...


> OTOH: you're presumably holding the non-aggregated data for aggregation purposes in the first place. IANAL but I think that needs consent.

I believe this is actually fine if they can show they don't hold this data longer than necessary and have a process for destroying it in a timely fashion.

But IANAL either


thanks, didn't know that.


to downvoters: can you explain why? That's not passive-aggressive, just desire to understand. The intent was an objective analysis of the revised privacy wording from the perspective of tracking. Do you disagree with the conclusions? Something else? Thanks.



