Upholding the GDPR

Don’t track me: GitLab rolls back on third-party telemetry services

Sarah Schlothauer
© Shutterstock / Lightspring

GitLab recently rocked the boat with a proposed change for their Terms of Service, which included user level product usage tracking, which potentially went against GDPR guidelines. The community response was highly critical. Now, GitLab has rolled back on their decision and will not activate the changes. Keep up with the recent news and see what these proposed TOS changes were.

What happened recently at GitLab? The DevOps platform announced on October 23 that they have rolled back changes made to their TOS.

Their statement reads:

We’ve heard your concerns and questions and have rolled back any changes to our Terms of Service. We’re going to process the feedback and rethink our approach. We will not activate user level product usage tracking on or GitLab self-managed before we address the feedback and re-evaluate our plan. We will make sure to communicate our proposed changes prior to any changes to or self-managed instances, and give sufficient time for people to provide feedback for a new proposal.

These concerns refer to a change regarding free software and telemetry, originally posted on October 10, 2019.

Original plans

In the original post describing these changes, VP of Product Management Scott Williamson writes: “To make GitLab better faster, we need more data on how users are using GitLab.”

SEE ALSO: Can you trust a robot more than your manager? Oracle study says 64% already do

This data was originally intended to be collected using telemetry. Telemetry involves collecting data for monitoring at remote points and ranges in use cases from weather balloons RFID tags. In this instance, GitLab planned to introduce additional JavaScript snippets.

From the original blog: (GitLab’s SaaS offering) and GitLab’s proprietary Self-Managed packages (Starter, Premium, and Ultimate) will now include additional Javascript snippets (both open source and proprietary) that will interact with both GitLab and possibly third-party SaaS telemetry services (we will be using Pendo). We will disclose all such usage in our privacy policy, as well as what we are using the data for. We will also ensure that any third-party telemetry service we use will have data protection standards at least as strong as GitLab, and will aim for SOC2 compliance (Pendo is SOC2 compliant).

This would comply with Do Not Track (DNT) mechanisms in browsers.


The community responded to this decision negatively. Source.

According to a comment from Sytse Sijbrandij, the data collected would not be publicly accessible.

“Are we covered legally?”

Taking a look at the inner workings of the decisions shows some internal discussions regarding whether or not this decision would violate the GDPR consent requirements. On August 15, 2019 Paul Machle, GitLab CFO responded to concerns about being opt-in or opt-out and commented:

I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that.

SEE ALSO: How AI assists in threat analytics and ensures better cybersecurity

In response, VP of Product Management Scott Williamson asked:

if we follow Paul’s guidance and just make this part of our terms and conditions, are we covered legally?

Candice Ciresi, Director of Blocal Risk and Compliance, responded to Scott Williamson with a rundown of how the proposed changes violate the GDPR.

Response and criticism

The response to this decision was overwhelmingly negative, and thus the plan was rolled back.

Social media comments from users claiming to have deleted their accounts were found on forums such as Reddit and Hackernews. One GitLab user called the decision “a slap in the face”.

In response to the recent events, open source tool suite SourceHut posted a blog titled “Our model is customer first, investors never“. Drew DeVault writes that this news follows a pattern of choices taken by GitLab:

This can naturally be frustrating to privacy-concious users of their service, and to free software enthusiasts alike. This follows closely on the news that GitLab updated official policy to state that they will do business with those who don’t share their values, which many see as a response to GitHub taking fire for accepting ICE contracts a few days prior. These kinds of changes are not implemented with the user in mind – these decisions are more easily explained by following the money. GitLab is trying to figure out how it can turn a profit that can support its $2.75B valuation. The nature of this business model leaves businesses like GitLab indebted to investors, who’ve sunk millions into the business and demand a return. An individual user’s investment is comparatively meaningless, and the incentives this creates easily leads to compromises like the ones we’re seeing in GitLab recently.

Next steps

Though the response from GitLab says that they will not activate user level product usage tracking, it also states that they will “re-think the approach”. What this means however, there is no word.

For now, we are keeping an eye on this news for future developments and what the company’s next steps will be.

You can keep track of the latest changes and feedback in this open issue.

UPDATE 10/30/19

GitLab responded to with an email, which went out to all GitLab users on October 29, 2019 from Co-founder and CEO Sid Sijbrandij.

On October 23, we sent an email entitled “Important Updates to our Terms of Service and Telemetry Services” announcing upcoming changes. Based on considerable feedback from our customers, users, and the broader community, we reversed course the next day and removed those changes before they went into effect. Further, GitLab will commit to not implementing telemetry in our products that sends usage data to a third-party product analytics service. This clearly struck a nerve with our community and I apologize for this mistake.

So, what happened? In an effort to improve our user experience, we decided to implement user behavior tracking with both first and third-party technology. Clearly, our evaluation and communication processes for rolling out a change like this were lacking and we need to improve those processes. But that’s not the main thing we did wrong.

Our main mistake was that we did not live up to our own core value of collaboration by including our users, contributors, and customers in the strategy discussion and, for that, I am truly sorry. It shouldn’t have surprised us that you have strong feelings about opt-in/opt-out decisions, first versus third-party tracking, data protection, security, deployment flexibility and many other topics, and we should have listened first.

So, where do we go from here? The first step is a retrospective that is happening on October 29 to document what went wrong. We are reaching out to customers who expressed concerns and collecting feedback from users and the wider community. We will put together a new proposal for improving the user experience and share it for feedback. We made a mistake by not collaborating, so now we will take as much time as needed to make sure we get this right. You can be part of the collaboration by posting comments in this issue. If you are a customer, you may also reach out to your GitLab representative if you have additional feedback.

I am glad you hold GitLab to a higher standard. If we are going to be transparent and collaborative, we need to do it consistently and learn from our mistakes.

Follow the issue and read responses from the community, as GitLab and its users work to figure out the next steps from here.

Sarah Schlothauer

Sarah Schlothauer

All Posts by Sarah Schlothauer

Sarah Schlothauer is the editor for She received her Bachelor's degree from Monmouth University, West Long Branch, New Jersey. She currently lives in Frankfurt, Germany with her husband and cat where she enjoys reading, writing, and medieval reenactment. She is also the editor for Conditio Humana, an online magazine about ethics, AI, and technology.

1 Comment
Inline Feedbacks
View all comments
Phillip Blanton
Phillip Blanton
2 years ago

What the hell is GitLab thinking? It was only two years ago that they accidentally deleted their database destroying the data of millions of their users. It’s a miracle that didn’t kill the company. Now, before rebuilding the trust of the broader user community they pull this shit!?!?

Is GitLab a front for some grad student’s dissertation on how NOT to run a tech company?