The sole additional information this tracking tool gathers is things like internal state of the application. There is zero additional personal information disclosure.
As far as the tracking tool knowing nothing that the site doesn't already know, in real time that is true, but the GDPR addresses your site's 'memory' and in that case it is obviously false - which is actually sort of the whole purpose of the logging tool isn't it?
So, as an easy to understand example, in my current work at a telecom we have a map where the user can add in address information and find if there is any outage happening in their area.
We were logging the addresses entered. For GDPR reasons we removed these addresses from the log. We have set up temporary logging of the addresses that raise certain kinds of errors so that we can examine those addresses later - this is a reasonable usage and we inform the user 'We may save the addresses you enter here for a short time for the purposes of improving the performance of the application' (not exact message).
The tracking tool would retain the data we have decided not to retain, admittedly in a more difficult to extract format, but the GDPR does not make allowances for that and really it would be silly if they did.
Furthermore, for our site and service (and for any services that could be argued that people need to use) I believe stating "if you're not okay with us keeping your data, don't use the site" would run into non-GDPR legal problems but would also be contrary to GDPR requirements and is as such a no-go for anyone wanting to remain in business - and anyway it would probably piss off customers.
I could give other examples, but as I said your argument seems based on philosophical grounds that I believe if they were accepted by a European court would render the GDPR effectively useless, and as such I doubt it would be accepted.
1 - I'm unaware of non-GDPR legal problems -- I only have to pay attention to UK and DACH. The GDPR is (imo) mostly aimed at intent: see the distinction between processing and profiling. If you log user actions to profile, it's pretty clear you would have to allow them to disclose and allow opt out. But internal application logging is not profiling as defined by the GDPR. The restrictions I'm aware of for processing are 'adequate, relevant and limited to what is necessary'. I'm pretty confident -- as are our attorneys -- that the courts will be ok with internal debugging tools. Particularly because these tools do not make decisions.
2 - It's definitely my opinion the customers liable to throw a fit about you recording transient application state are customers you don't want.
3 - The GDPR does not require sites to allow ad-hoc opt-out of processing for the same purpose; in our case, operating the site. See recitals 32, 42.
3a -- Your address example isn't (imo) relevant. Your purpose -- instantaneous lookup -- has expired. Operating a site or diagnosing bugs has no time limit except (possibly) the time limit to reasonably have a bug reported, diagnosed, and fixed.
I agree that the GDPR is mainly aimed at intent, but it is also aware that you may intend to get something for purpose X and repurpose it some years later for purpose Y. Therefore you should also be ready to demonstrate that the processing is 'adequate, relevant and limited to what is necessary'. I think people could argue that tracking everything a user does is not limited to the purpose of identifying bugs. But by limiting the time of data retention it would be limited for that purpose. But I guess we disagree on this matter.
2. People might not want to be tracked. And if you don't do it they might be willing to give you lots of money for your service. We get paid lots of money by some of our customers, and I don't think we want to piss them off. I guess we have disagreed on this matter also.
3. True, but you have to tell people what you're recording. And I don't think the purpose here is definable as operating the site.
3a. That's my point about the diagnosing bugs having an intrinsic time limit. I would say 3 weeks to report a bug. The purpose of the recording is not operating a site, it is diagnosing bugs (although it could be used in a Hotjar way also to run through how people use the site for UX analysis, and considering that when using Hotjar you should probably take steps to make sure you are in GDPR compliance https://www.hotjar.com/gdpr I suppose the same sort of minimum steps should apply here [and IIRC Hotjar doesn't associate the data it retains with a particular user]).
I suppose other than that they need to allow for deleting all video of sessions related to a particular customer if requested (as part of a larger request to delete data you have collected regarding that particular customer).