Openshot-qt: OpenShot and the GDPR?

Thank you for pointing this out. I have just posted this on the slack channel. Hope this will be addressed before v2.4.2.

So, it seems that the metrics to not have any personal identifiable info and the ip is also anonymyzed. And an opt-out is provided during the first launch of OpenShot (the checkbox in the tutorial window). So, that is that. But Mr. Thomas said he is going to look into updating the privacy policy, if that is needed.

Hope that answers this question. :)

Hi, I recently had to deal with this, so my 2c:
In general, you need the consent of the user by informing him upfront who you are exactly, what exact data you collect, whom the user can reach in case he wants it to be send to him or deleted, how he can get out.
This needs to be opt-in and is the privacy policy.
On the other side, there can be the "eligible/justificable interest" (berechtigtes Interesse, I translated literally) of the company. You have your reasons to collect this data and you have a privacy policy (stating above things), anonymized IPs and an opt-out. So it should be the case that your interest has a higher weight than the one of the user. This balance is here is very similar to Google Analytics or other tracking, so it should be fine.
But those details have to be ruled by the courts, no one knows currently how this turns out.

@ferdnyc - Hope you don't mind me closing this as answered. I'm sure Mr. Thomas will action this in his own time if he needs to do something.

@philiplb - Thanks for providing your 2 cents on the matter.

Yeah, that's fine. I mean, ultimately it's really only a concern for OpenShot Studios the company, I just wanted to be sure the issue was brought up.

@philiplb touched on my main concerns, which were

1. That we're opt-out rather than opt-in, but it sounds like that's justifiable given that we don't retain any user identifiable data.
   (It's incorrect to say we don't _collect_ any personally identifiable info, because the network connection that delivers the metrics is made from the user's IP address, and the EU considers IP addresses to be personally identifiable information. The metrics can't be received without also receiving the user's IP address. But, if that address is not retained in non-anonymized form in a way that's associated with the collected metrics, then there shouldn't be an issue.)
2. That the privacy policy isn't presented to the user when they're given the choice to opt out. In fact, it isn't really ever _presented_ to them at all. The user has to take the initiative to seek it out themselves, if they want to examine the privacy policy.

For # 2, I'd feel a lot better about the collection-by-default-with-opt-out behavior being compliant if the Tutorial window where we show the opt-out checkbox _included_ the Privacy Policy right there with it. (Maybe embedded inside a scrolling textbox, it doesn't need to be huge enough to display the whole thing.) Or, failing that, if it at least showed a link to https://www.openshot.org/privacy/ so that the user has the option to read it before deciding whether to opt out or not.

AIUI, and @philiplb 's comments seem to confirm, the GDPR hinges on the notion of "informed consent", meaning you not only have to ask the user's permission but to make them aware of what they're agreeing to. I'm not convinced that OpenShot is really covering the second half of that, as things stand, but like I said it's not really an issue for anyone except those on the business side of OpenShot.