Lack of interest Contact Us form should require explicit consent


Kirby
When using the default contact us form, the entered data can be submitted without the user ever having read the privacy policy and giving explicit consent to the processing of the entered data, especially if done by a guest.

As this data does contain PII (email), I suggest adding a checkbox to confirm that the user is giving consent to the submission and processing of the data, ideally with a link to the privacy policy with further information.
 
Under what circumstances are you ever going to be processing data from a contact form?

Do you capture their data and add them to an email list or something?

I mean, I get it if you have some form capturing data or similar to provide quotes or sign them up to an emailing list, but the default XenForo form?
 
The entered data does get sent to the server, does get processed there, and an e-mail is generated and sent to the configured e-mail address.

There has been a ruling in Germany (OLG Köln, Az. 6 U 121/15 dated 03/11/2016) that such processing of a contact form does need explicit consent and information on how this data is processed in the privacy policy.
https://www.e-recht24.de/news/abmahnung/10651-abwarnung-kontaktformulare-einwilligung.html

Though, as quite often when dealing with such questions, there are also different opinions:
https://www.datenschutz-guru.de/braucht-mein-kontaktformular-jetzt-eine-checkbox/

This is a very recent podcast dealing with this question in regard to GDPR.
Bottom line of this one: A checkbox is not required nor recommended, but it is necessary to have information about the contact form and how its data is processed in the privacy policy, and it is advised to explicitly link to that from the form.
 
I can't believe that any court would make a ruling that, after someone fills out a form for you to get in touch with them, they then have to give permission for their data to be used so you can reply to them.

It's so far beyond moronic it makes my head hurt.

Common use case: Using the contact form because the registration page isn't working and a user can't sign up or has their account rejected because of a false spam flag.

Scenario: User uses the contact form, asks the site admin to take a look so they can register. But... doesn't want to consent to processing, so can't send the form?

I know the EU doesn't have a good track record with common sense, but this one really does seem so far-fetched it's hard to believe.
 
I can't believe that any court would make a ruling that, after someone fills out a form for you to get in touch with them, they then have to give permission for their data to be used so you can reply to them.
I don't disagree, nevertheless they did :)

Scenario: User uses the contact form, asks the site admin to take a look so they can register. But... doesn't want to consent to processing, so can't send the form?
Yep.
 
A checkbox is not required nor recommended, but it is necessary to have information about the contact form and how its data is processed in the privacy policy, and it is advised to explicitly link to that from the form.

I think this is a perfectly reasonable approach. You're going to capture information about them for the purposes of handling their contact request. Simply link them to the privacy policy to let them know how the information is going to be used.

FWIW, IMO the act of adding people to your marketing newsletter list after they simply use a contact form (or worse, adding anyone who has ever emailed you to your marketing newsletter list) is a practice which needs to stop.
 
FWIW, IMO the act of adding people to your marketing newsletter list after they simply use a contact form (or worse, adding anyone who has ever emailed you to your marketing newsletter list) is a practice which needs to stop.
That's not legal in Germany anyway, even pre-GDPR. Don't know about other countries, though I assume it's pretty much the same, at least for the EU.
 
We've just finished a 4 hour IRL meeting with our lawyer in regard to GDPR compliance progress:
He reiterated that we should add a checkbox to agree to the privacy policy and to confirm that the user is over 16 to the contact us form in order to make it fully compliant.
 
We've just finished a 4 hour IRL meeting with our lawyer in regard to GDPR compliance progress:
He reiterated that we should add a checkbox to agree to the privacy policy and to confirm that the user is over 16 to the contact us form in order to make it fully compliant.
You could be the only compliant site in the world then! :)

Well I've just checked the UK's ICO website and they don't have either of these.

https://ico.org.uk/global/contact-us/email/

I think I'll follow their lead, after all they should know what they are doing. :)
 
@Martok
Well, the Hessian data protection authority does:
https://datenschutz.hessen.de/service/beschwerde

So what does that tell us?

I think I'll follow their lead, after all they should know what they are doing :)
It tells us that the GDPR regulations aren't explicit enough, so different data protection authorities in different countries are interpreting them differently.

As it is the ICO in the UK that would come after any UK forum owners, I doubt they will be trying to fine us for not doing something they aren't doing either. ;)

Arguably one isn't needed anyway, as there isn't really any difference between filling in a contact form that simply sends an email to a site owner and directly emailing a site owner, and we don't ask for any privacy policy to be read and ticked before people can email us.
 
Even better was the ICO statement this morning.

To sum it up:

"We don't care about small sites and will only go after the big boys."

Let's forget for a moment that the statement isn't written into GDPR and is therefore "trust us, we're from the government".

Such a statement does little when it comes to forums, because a great many of them (probably the majority) use tools from the "big boys" and therefore must comply if they wish to continue using those tools. Doing without Analytics is one thing, but I'm quite sure no Adsense publisher wants to lose their Adsense account over this.
 
It would be nice if in these kinds of threads it was clarified if something is an actual GDPR requirement versus something being a country specific requirement that goes above and beyond GDPR.
 
It would be nice if in these kinds of threads it was clarified if something is an actual GDPR requirement versus something being a country specific requirement that goes above and beyond GDPR.

A lot of what you see being suggested lately is above and beyond the GDPR and country specific.
 
@Kirby - 4 hours with a lawyer?? I'd get a new lawyer if I was you, as the time when you might need him he'll be on yet another holiday at your expense.
 
A lot of what you see being suggested lately is above and beyond the GDPR and country specific.
Actually this is a GDPR requirement, at least that is what we have been told by our lawyer:
The legal basis for lawful processing of personal data from the contact us form (e.g. the email address) is Art. 6 (1) lit. a GDPR.

According to Recital 32:
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
If the user just submits the form, no active consent is given.

Again, I am not a lawyer - I can just repeat (in layman's terms) what has been told to us by our lawyer.
 