[minusf]

the apps i work on don't collect "behavioural data", so i don't have a strong opinion about it. however i think there are some crucial differences here.

1. sentry.io breadcrumbs are just a nicer interface to one's own log messages, and log messages are useful and necessary to have a well functioning app. where do log messages end and profiling/behaviour data begin? that's a rather fuzzy line.

2. even if one "logs" every breath the user takes (probably covered in the ToS), it's still only limited to one app and one service, while cookies are trivial to abuse for cross-site/cross-app tracking both inside and outside a company.

[Jon_Lowtek]

concerning the fuzzy line: log messages shouldn't include personal data (and in sentries defense they are trying to be helpful when it comes to that) Yet many people prefer to throw everything into the logs, arguing that much helps much and debugging without data is horrible. And suddenly the logs become a rich data swamp, and all that is needed is a nicer interface. So a lot of analysis that would otherwise require specific implementations or even user consent instead becomes data analysis of debug logs. That creates more incentive to throw everything into the swamp. And it makes it easier to forget its personal data: "If it's in the logs, i am not accessing the database i need permission to access." A lot of questionable personal data processing can be moved to the backroom of the backend, but that doesn't make the processing less questionable, just makes it easier to hide it from those subject to it, making it more illegal. Which is what i am warning about.

EU privacy regulations focus the purpose of personal data processing. If a company makes a contract with their users that says they log personal data for the purpose of debugging, and then they use it for web analytics, that is not allowed, its a violation of the contract. And like you stated many just write consent into the ToS. But let us look at the privacy friendly case where the users are asked if they agree to other behavior analytics not related to debugging. And suddenly the log interface isn't so nice anymore.

In a perfect world personal data is labeled with the purposes it can be used for.

If such issues are not relevant to the company you work for, be grateful, and don't take the warnings personal. But by all that is holy to you don't tell people the log interface is a great substitute to web analytics.

[Jon_Lowtek]

How can you claim it is limited to one app, if section 6.2 of the ToS of the service you and thousands of other companies use to manage logs says you allow them to create aggregations and summaries and distribute them to third parties?