Analyzing developer discussions on EU and US privacy legislation compliance in GitHub repositories

Georgia M. Kapitsaki, Maria Papoutsoglou, Christoph Treude, Ioanna Theophilou

TL;DR

This study analyzes 32,820 GitHub issues to understand how Open Source Software developers discuss privacy-law compliance (GDPR, CCPA, CPRA, DPA). It combines automated keyword-based analysis with manual coding to derive a taxonomy of 24 discussion categories grouped into six concern clusters (features/bugs, consent, documentation, data storing/sharing, adaptability, general compliance) and to assess how often user rights and privacy principles appear in discussions. Key findings show frequent focus on consent and on certain rights (erasure, opt-out, access), but limited explicit attention to the remaining rights and to formal privacy principles; discussions around law violations and designing for the law are particularly active. The taxonomy and insights offer practical guidance for practitioners, educators, and researchers to prioritize law-related issues, inform curricula, and motivate automated tools for improving privacy compliance in OSS.

Abstract

Context: Privacy legislation has impacted the way software systems are developed, prompting practitioners to update their implementations. Specifically, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have forced the community to focus on users' data privacy. Despite the vast amount of data on developer issues available in GitHub repositories, there is a lack of empirical evidence on the issues developers of Open Source Software discuss in order to comply with privacy legislation. Method: In this work, we examine such discussions by mining and analyzing 32,820 issues from GitHub repositories. We analyzed the full dataset automatically to identify which user rights and principles from the laws are referenced, and manually analyzed a sample of 1,186 issues based on the type of concern addressed. Results: We devised 24 discussion categories placed in six clusters: features/bugs, consent-related, documentation, data storing/sharing, adaptability, and general compliance. Our results show that developers mainly focus on specific user rights from the legislation (right to erasure, right to opt-out, right to access) and address other rights less frequently, while most discussions concern user consent, user-rights functionality, bugs, and cookie management. Conclusion: The created taxonomy can help practitioners understand which issues are discussed for law compliance, so that they can address them first in their systems. In addition, the educational community can reshape curricula to better educate future engineers on the privacy-law concerns raised, and the research community can identify gaps and areas for improvement to support and accelerate data privacy law compliance.
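
The automated part of the method, a keyword-based pass that flags which laws, user rights and principles an issue refers to, can be reproduced in miniature. The block below is an added example written for this page; it is not the authors' tooling, and its keyword lists, the tag names, and the sample issues are all assumptions constructed for illustration (the two mappings from Figure 1, privacy policy to the right to information and unexplained IP-address storage to purpose limitation, are the only ones taken from the paper).

```python
"""Keyword tagging of GitHub issue text for privacy-law rights and principles.

Added example, not the paper's code: a minimal version of the automated,
keyword-based pass the study describes, run over a few constructed issues.
The keyword lists are this example's own assumptions, not the authors' set.
"""
import re
from collections import Counter

LAW_PATTERNS = {
    "GDPR": r"\bgdpr\b",
    "CCPA": r"\bccpa\b",
    "CPRA": r"\bcpra\b",
    "DPA": r"\bdpa\b",  # ambiguous: Data Protection Act vs. data processing agreement
}

RIGHT_PATTERNS = {
    "right to erasure": r"right to erasure|right to be forgotten|delete (?:their|my) (?:account|data)",
    "right to access": r"right to access|subject access request|\bdsar\b",
    "right to opt-out": r"opt[- ]?out|do not sell",
    "right to portability": r"portability|machine[- ]readable",
    "right to rectification": r"rectification|correct (?:their|my) (?:personal )?data",
    "right to information": r"privacy (?:policy|notice)",
}

PRINCIPLE_PATTERNS = {
    "purpose limitation": r"purpose limitation|no clear purpose|why are we storing",
    "data minimisation": r"data minimi[sz]ation|only the data (?:we )?need",
    "storage limitation": r"storage limitation|retention (?:period|policy)",
    "consent / lawful basis": r"\bconsent\b|lawful basis|legal basis",
}


def _compile(table):
    return {name: re.compile(pat, re.IGNORECASE) for name, pat in table.items()}


_LAWS, _RIGHTS, _PRINCIPLES = map(_compile, (LAW_PATTERNS, RIGHT_PATTERNS, PRINCIPLE_PATTERNS))


def tag_issue(title, body=""):
    """Return the laws, rights and principles whose keywords occur in an issue.

    Title and body are searched together; each tag is reported at most once
    per issue, so aggregating over issues yields a per-issue presence count.
    """
    text = f"{title}\n{body}"

    def hits(table):
        return sorted(name for name, rx in table.items() if rx.search(text))

    return {"laws": hits(_LAWS), "rights": hits(_RIGHTS), "principles": hits(_PRINCIPLES)}


def summarise(issues):
    """Count, over (title, body) pairs, how many issues mention each tag."""
    counts = Counter()
    for title, body in issues:
        tags = tag_issue(title, body)
        for kind in ("laws", "rights", "principles"):
            counts.update((kind, tag) for tag in tags[kind])
    return counts


# Constructed sample issues (not taken from the paper's dataset).
SAMPLE_ISSUES = [
    ("Let users delete their account and all personal data (GDPR right to erasure)", ""),
    ("CCPA: add a 'Do Not Sell My Personal Information' opt-out link in the footer", ""),
    ("Why are we storing customer IP addresses in the orders table?",
     "There is no clear purpose for keeping the IP after checkout."),
    ("Export of user data in a machine-readable format", "Needed for data portability requests."),
    ("Analytics cookies are set before the cookie banner records consent", ""),
    ("Fix typo in README", ""),
]

if __name__ == "__main__":
    for title, body in SAMPLE_ISSUES:
        print(f"{title[:60]:60s} -> {tag_issue(title, body)}")
    for (kind, tag), n in summarise(SAMPLE_ISSUES).most_common():
        print(f"{kind:10s} {tag:25s} {n}")
```

Keyword matching only establishes that a term is present, not that the issue is about it (the DPA pattern, for instance, will also fire on "data processing agreement"), which is why the study pairs this pass with manual coding of a 1,186-issue sample; anyone reusing a tagger like this for triage should expect the same false positives and review a sample of hits before trusting the counts.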

Paper Structure

This paper contains 26 sections, 4 figures, 12 tables.

Figures (4)

  • Figure 1: Examples of privacy law compliance discussions in issues (usernames are hidden): user story on privacy policy, relevant to the right to information (left) zitmall6, and problem with storing customer IP addresses, relevant to the purpose limitation principle (right) nopCommerce7155.
  • Figure 2: Methodological process.
  • Figure 3: Issues per year in dataset.
  • Figure 4: Privacy law compliance concerns taxonomy. Color bars on the right of each category refer to overlaps with categories from prior work (dots show partial overlap).