
Technical answer: You can use Differential Privacy[1] to collect such data (“what percentage of users used this feature?”, “What is the distribution of time between visits?”, etc.) without collecting any data about individuals. Some projects already do this and there are open source libraries that do the math for you.

However, I don’t think the regulations have an explicit safe harbor along the lines of “You’re fine as long as the math checks out”. Perhaps if they did, we wouldn’t be in such a mess.

(A passive observer that sees a JSON POST wouldn’t know that you’re using differential privacy. It would look like typical telemetry. They’d have to read your code or look at multiple samples and notice that the data looks random.)

[1] https://en.m.wikipedia.org/wiki/Differential_privacy
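Added example, not part of the comment above and not taken from any project: a sketch of randomized response, one local differential privacy mechanism for a question like "what percentage of users used this feature?". The function names, the epsilon value and the simulated population are assumptions made for illustration.

```python
import math
import random


def truth_probability(epsilon: float) -> float:
    """Probability that a client reports its true bit (epsilon-local DP)."""
    if epsilon <= 0:
        raise ValueError("epsilon must be > 0, otherwise reports carry no signal")
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))


def randomize(used_feature: bool, epsilon: float, rng: random.Random) -> int:
    """Client side: flip the bit on the device so the raw value never leaves it."""
    keep = rng.random() < truth_probability(epsilon)
    return int(used_feature if keep else not used_feature)


def debias(observed_rate: float, epsilon: float) -> float:
    """Server side: invert the known noise to estimate the true rate."""
    p = truth_probability(epsilon)
    # E[observed] = rate * p + (1 - rate) * (1 - p); solve for rate.
    estimate = (observed_rate - (1.0 - p)) / (2.0 * p - 1.0)
    return min(1.0, max(0.0, estimate))  # sampling noise can leave [0, 1]


def simulate(n_users: int, true_rate: float, epsilon: float, seed: int) -> float:
    """Constructed population: the first true_rate * n_users users used the feature."""
    # Seeded PRNG for a reproducible demo; a real client would use an
    # OS-backed source such as random.SystemRandom().
    rng = random.Random(seed)
    n_true = round(n_users * true_rate)
    reports = [randomize(i < n_true, epsilon, rng) for i in range(n_users)]
    return debias(sum(reports) / n_users, epsilon)


if __name__ == "__main__":
    # Each single report is wrong about 27% of the time at epsilon = 1,
    # yet the aggregate estimate lands close to the true 30%.
    print(f"estimated usage: {simulate(100_000, 0.30, 1.0, seed=1):.3f}")
```

Any single report has a likelihood ratio of at most e^epsilon between "used" and "did not use", so the accuracy of the aggregate comes from the number of reports rather than from trusting any one of them.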


