On 7/12/23 19:21, Demi Marie Obenour wrote:

1. The GDPR and similar regulations are 100% clear that consent must
   be opt-*in*.  Opt-*out*, as is proposed here, is not consent.
   Therefore, this change is proposing collecting telemetry *without
   user’s consent*.

I seems to me that there are two slightly different understanding of 'opt-in':

1. data collection is happening automatically, but there is a way to 'opt-out' and turn it off.
2. the user is asked for permission, and the default answer is preselected as 'yes'

I think GDPR prohibits the first option, but the second one must be allowed because it's like pretty much all GDPR-compliant implementations i've seen

I understand that Michael's Telemetry proposal uses the second method.

Perhaps a criticism of the opt-out approach (even in the second form) results from people believing that the consent at the installation time is not fully informed---that somehow people don't understand the ramifications and amount of data being shared. This is actually makes sense.

Such concern could be mitigated by scheduling a system notification after several weeks or months, with a rough summary of the collected data ( 'we shared X anonymized reports about Y,Z and W'), and offering a link to a telemetry consent dialog.