Analyzing developer discussions on EU and US privacy legislation compliance in GitHub repositories

TL;DR

This study analyzes over 32,000 GitHub issues to understand how open source developers discuss privacy legislation compliance, revealing key focus areas and creating a taxonomy to aid practitioners and educators.

Contribution

It introduces a taxonomy of privacy-related discussions in GitHub issues and provides empirical insights into developer concerns regarding GDPR and CCPA compliance.

Findings

Developers focus on user rights like erasure, access, and opt-out.

Main concerns include user consent, bugs, and cookies management.

Six discussion categories identified to guide compliance efforts.

Abstract

Context: Privacy legislation has impacted the way software systems are developed, prompting practitioners to update their implementations. Specifically, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have forced the community to focus on users' data privacy. Despite the vast amount of data on developer issues available in GitHub repositories, there is a lack of empirical evidence on the issues developers of Open Source Software discuss to comply with privacy legislation. Method: In this work, we examine such discussions by mining and analyzing 32,820 issues from GitHub repositories. We partially analyzed the dataset automatically to identify law user rights and principles indicated, and manually analyzed a sample of 1,186 issues based on the type of concern addressed. Results: We devised 24 discussion categories placed in six clusters: features/bugs, consent-related, documentation, data storing/sharing, adaptability, and general compliance. Our results show that developers mainly focus on specific user rights from the legislation (right to erasure, right to opt-out, right to access), addressing other rights less frequently, while most discussions concern user consent, user rights functionality, bugs and cookies management. Conclusion: The created taxonomy can help practitioners understand which issues are discussed for law compliance, so that they ensure they address them first in their systems. In addition, the educational community can reshape curricula to better educate future engineers on the privacy law concerns raised, and the research community can identify gaps and areas for improvement to support and accelerate data privacy law compliance.