First – let me say upfront that I am not a lawyer – and so you should not take anything I say as a direct answer to your question. On the other hand, I don’t think any lawyer would ever answer this question in this context (given all of the unknowns) – and so it’s possible that people like me (non-lawyers with an opinion) may be the only kinds of answers you’re going to find here.
In the continued spirit of full disclosure, I’m with PreEmptive, the makers of the analytics technology that you are using, and, in my role here, I have given this a lot of thought, consulted lawyers, and have the benefit of monitoring patterns and practices across a fairly broad array of development use cases.
Having backpedaled as much as I can, here are some factoids that I believe to be accurate and relevant.
The laws governing the collection and exploitation of user-derived data vary widely by jurisdiction and, in some notable cases, are even contradictory. Without knowing who your users are (do they work for an employer who installs your software?) – where they are (what legal jurisdictions do they fall under?) – what your application does, in what context (is it running inside a hospital?) – it would be impossible to evaluate the legality of what you are doing. Having said that, I would say that in every case, you should err on the side of over-communication in everything that you do.
It sounds like you are letting people opt-out rather than asking them to opt-in to your data collection. I do know of a number of companies that have consulted their legal counsel and have taken this approach with evaluation software, beta software, and community edition (free) software. In all of these cases, they still take steps to ensure that users are aware that this is their policy and give the user at least two choices – opt-out or, in some cases, stop using the software.
So, in my experience, I have never heard of anyone specifically saying that what (I think) you are doing is illegal and I know of some companies that believe that it is legal (this is different than my saying it is legal of course).
If you are using the community edition of Dotfuscator (the free version that comes with Visual Studio 2010), then I am of the strong opinion (guided by legal advice) that you are not gathering what is defined as “personally identifiable information.”
I am not going to try to give a legal definition of what personally identifiable information is here (since there are probably numerous definitions anyhow), but this is often something that lowers user resistance to opting in (or not opting out). I am in no way suggesting that this lowers your obligation to disclose that you are indeed collecting some usage (not user) information, but some people are more comfortable sharing information when they know this.
Lastly, in your disclosure statement – you may want to point users to the runtime data you are collecting (via the codeplex site). This should both assure them that they are not being identified but also give them some valuable (or at least interesting) information. In short, you are giving them a reward for opting in (and for using your software).
On a slightly related topic, I wrote a short article on what I call “open analytics” – essentially the value of publishing usage analytics to both the development and user communities simultaneously. It can be found here -
http://www.crm-daily.com/story.xhtml?story_id=74008
Feel free to follow-up with additional questions if you like and I will do my best to give you a useful reply.