[Bug 550198] Enabling Google Analytics for the OpenJ9 project
| Bugzilla Link | 550198 |
| Status | NEW |
| Importance | P3 normal |
| Reported | Aug 19, 2019 05:50 EDT |
| Modified | Oct 22, 2021 18:38 EDT |
| Reporter | Sue Chaplain |
Description
We would like to enable Google Analytics for the OpenJ9 project website (https://www.eclipse.org/openj9/), following the guidelines and restrictions included in https://www.eclipse.org/org/documents/eclipse-foundation-hosted-services-privacy-and-acceptable-usage-policy.pdf.
I've cut and pasted the directions in this document, with my comments in asterisks. Please confirm what is needed to proceed with enabling GA.
If your service stores Personally Identifiable Information (PII) data you must subscribe to eclipse.org-gdpr@eclipse.org , and respond within 30 days to requests to delete accounts or make user data available to the specific user in question. The IP address of a client request is considered PII.
Google Analytics IP data will be anonymized. We are not storing any other PII data.
You are required to produce a Data Protection Impact Assessment (DPIA) for your
services, describing what kinds of PII data you will be collecting and for what purposes. This will have to be updated as your services evolve.
We are not storing any PII. Do we still need to create a DPIA to assert this? If so, is this form available to compelete?
To collect only as much information as required to process the user’s request and to securely dispose of it when no longer required.
We are not collecting any information from the user.
If you want to retain information for longer than 1 year, you must produce a Data
Retention Plan that indicates how long you plan to keep the pieces of PII data you have collected and why you need to keep them that long.
No PII stored, therefore no data retention rules apply.
To take reasonable security precautions to prevent unauthorized access, and to notify the Eclipse Foundation (via privacy@eclipse.org ) immediately if you suspect a security breach of any kind. Be sure to include the nature and scope of the suspected breach.
We agree to this
To ensure explicit consent has been given by the user before you start using cookies. This requirement also includes cookies used by 3rd party services such as, but not limited to: Google Tag Manager, and social media widgets.
The cookie consent pop up is already implemented for the OpenJ9 site.
In addition, we use twitter web intent to encourage readers to tweet the latest news about our releases directly from the What's new page.
From https://developer.twitter.com/en/docs/twitter-for-websites/privacy.html:
** >You may choose whether Twitter widgets on your site help to tailor content and suggestions for Twitter users. You can opt out of having information from your website used for personalization by following the instructions below.**
** >Include the following snippet within the and elements on your pages that include Twitter for Websites widgets: **
This meta data is present on the page that uses web intent.
Google Analytics is the only approved tool for collecting user data. Use of any other tool for collecting user data requires the explicit consent of the Eclipse Foundation, which can be sought by sending a request to privacy@eclipse.org. To use use Google Analytics, you must ensure:
a) All committers on a project must have access to the data collected for that project upon request Eclipse Foundation Hosted Services Privacy and Acceptable Usage Policy v1.0 - October 18, 2018
b) Eclipse Webmaster (webmaster@eclipse-foundation.org) must be an administrator on all Google Analytics properties
c) The Eclipse Foundation has right to audit the use of Google analytics and the
data collected, and the project must support the Eclipse Foundation in performing
the audit and adjust their analytical tooling if required
d) A user must be requested to give their consent, and explicit consent must be
given by the user before data is collected regarding that user
e) Google Analytics IP Anonymization feature must be turned on
f) Projects must ensure that they are not transmitting PII to Google Analytics
g) Projects must accept and follow Google Analytics Terms of Service
We would ensure we meet these criteria and would not use any other data collections tools.
To make the contents of any virtual server available for auditing by Webmaster should the need arise, and to provide support as required in order to carry out the audit process.
We agree to this.
To ensure all web pages related to operation of the server use either the standard
Eclipse.org footer template, or a footer that prominently contains a copyright notice, and the following set of links:
Main Eclipse Foundation website (https://www.eclipse.org)\ Privacy policy (https://www.eclipse.org/legal/privacy.php)\ Website terms of use (https://www.eclipse.org/legal/termsofuse.php)\ Copyright agent (https://www.eclipse.org/legal/copyright.php)\ Legal
We already comply with these requirements.