
Telemetry in pcf-scripts appears to violate GDPR (no opt-out or consent)

Open 5cover opened this issue 8 months ago • 0 comments

Hello,

I'm reporting a concern regarding the pcf-scripts package (published on npm by Microsoft), which is used in the PowerApps Component Framework (PCF) development workflow.

While working on a PCF project, I noticed that pcf-scripts sends telemetry events automatically via Application Insights — including build events, exceptions, and environment data — without any prompt for user consent, configuration flag, or documentation on how to disable it.

This behavior occurs even during local development, and without any indication to the user.

Why this is problematic

As an EU-based developer (France), this practice raises serious GDPR (RGPD) concerns:

  • Consent is required for collecting and sending telemetry or analytics that are not essential to core functionality.
  • Users must be informed about what data is collected and how it's used.
  • There is no opt-in, no opt-out, and no disclosure provided by pcf-scripts before telemetry is sent.

The only way to stop this appears to be manually overriding telemetry environment variables (APPINSIGHTS_INSTRUMENTATIONKEY, etc.), which is undocumented and not an acceptable GDPR-compliant solution.

Expected behavior

To comply with GDPR and respect developer privacy, I suggest the following:

  1. Clearly document telemetry behavior on the npm page or linked documentation.
  2. Provide a flag or config to disable telemetry entirely (e.g. --no-telemetry).
  3. Ideally: disable all telemetry in pcf-scripts by default, or only enable it with explicit opt-in.

Context

  • pcf-scripts version tested: 1.42.1
  • Used as instructed in the official tutorial: https://learn.microsoft.com/en-us/power-apps/developer/component-framework/create-custom-controls-using-pcf
  • No mention of telemetry or opt-out in the documentation

Please advise how this issue will be addressed to bring the tool into compliance with privacy regulations.

Thank you.


Side note:
I also noticed that the package.json in your tutorial projects and related templates uses outdated dependencies (e.g. @typescript-eslint v4 with eslint@^7, which conflicts with modern versions of pcf-scripts requiring eslint@^8).
This causes broken builds for anyone following the tutorial today.
Updating the template would greatly improve the onboarding experience.

5cover, Apr 22 '25 14:04