Making sense of data - part five.

Everyone loves metadata. But whose metadata is it? And how does it fit in with the obligations in the contract around confidentiality and permitted data use? Or, if the metadata is about people or how people behave, how does it fit in with the GDPR? And what can you lawfully do with it?

Generally, there are two main sorts of metadata. There is metadata about the data you’re holding, and there is metadata about how your users use your product.

If you are a SaaS processor, then you will want to analyse how users use your service so you can improve, develop and personalise your products. You may also want (and be expected) to analyse user data to keep your products secure and prevent fraud. Regulators have long been comfortable with using user data to keep products secure and prevent fraud, but some (notably the French data protection authority, the CNIL) have had misgivings about the use of this data for the (self-interested) purpose of improving products.

Most SaaS providers now either – not wishing for this to become another issue to be discussed with customers – don’t bother to raise this issue in their T&Cs (but use the user data anyway) or, increasingly, call it out specifically. Most customers now expect user data to be used to improve products, and don’t see it as an issue. For GDPR regulators, it also seems to have fallen off their priority list.

Metadata about the data you’re holding (even if the base data is not your data) can also be extremely valuable if it forms part of a dataset across a number of customers: at this point you are starting to get a sector-wide, possibly industry-wide, view of consumer behaviour. Anonymising it allows you to sidestep GDPR, but you still have the issue of whether or not you need your customer’s consent to this use of their data.

There are two basic approaches here. The first is to say nothing in the contract and do it anyway on the “act now, apologise later” principle. This can be an effective strategy where your customers are very risk averse, provided that the data which is anonymised is not seen as particularly sensitive.

The second approach is to be upfront about it in the contract. Compared to a few years ago, companies are becoming increasingly relaxed about this kind of metadata (provided that you can guarantee anonymity), especially if you can point to some benefits flowing back to them. These benefits can be indirect (for example, particularly where AI is part of your product, access to a larger pool of data allows for more insightful analysis and better performance of the AI element), or direct (e.g. we will provide you with reports across the customer base as a whole).
