Support Team, RE: Telemetry -- How can we better advocate for customers?

Edit 2019-11-04:

This issue is meant for the support team at GitLab to get alignment and be prepared to advocate on behalf of customers when the telemetry discussion continues. This is about collaborating and communicating so that, as the discussion evolves, we are prepared. Please add your comments to the product issue on this subject as the community is discussing thoughts there.


I am working with the team on the second take of the telemetry rollout. Let's use this issue to catalog and discuss any concerns and questions we have.

Support Team members, please start posting questions/thoughts/concerns as possible.

Reference:

  1. Implementation issue
  2. Follow-up issue
  3. Retrospective
  4. Slack channel #tos_telemetry_update
  5. Rollback email

/cc @gitlab-com/support

Assembled list from the top to: #1926 (comment 239855532)

  • How does one opt-in (or opt-out)?
  • Why is the data being collected?
  • Why should a user or customer opt-in (or not opt-out) to this data collection?
  • What benefits are there to our users or customers who opt-in to telemetry?
  • How can customers contribute to the telemetry implementation and decision-making process for our SaaS and EE offerings?
  • Where should we collect user and customer feedback (issue #)?
  • Who will have data collected?
  • What data will be collected?
  • When will the data be collected?
  • Where will the data be collected from?
  • Where will the telemetry data be stored?
  • Will the telemetry data be anonymized or will it track data that can be used to identify individual users? (e.g., IP addresses)
  • Can users/customers access or view the data we collect?
  • Can users/customers review the code that we use to collect this data?
  • How is a GDPR data erasure request handled? See https://gdpr-info.eu/art-17-gdpr/
  • How is right of access handled? See https://gdpr-info.eu/art-15-gdpr/
  • How could we enter into a DPA with your telemetry vendor and why would we do so? The proposed solution seems to be a JS snippet sending telemetry data from our employees' browser to your vendor. That isn't allowed without a DPA and a DPA between you and us won't help because you are not participating in the data exchange.
  • Will any data from service desk requests be sent to your vendor? If so we need your list of sub-processors and a way to keep it current on our end. Same problem as in the previous topic (missing DPA) also.
  • If we as a customer accept sending telemetry data but an employee decides to make use of her right to not give consent - how is that handled?
Edited by Lee Matos