Implemented GDPR: Contact us - Required fields & Usability

Kirby

Well-known member
As it is right now, the contact form has 4 fields
  • Your Name
  • Your email address
  • Subject
  • Message
If I try to submit this form without entering anything I do get the following error messages:
  • Please enter a valid email
  • Please complete all required fields
Okay, now I know that I have to enter a valid email address, so this field seems to be a required field but it doesn't tell me which other fields are required.

So this leaves a couple questions unanswered:
Are all fields required?
Do I have to give my real name?

If I only want to submit as much information as absolutely required, it is a bit of trial & error right now to find out that actually all fields are technically required.

In order to make this more clear, user friendly and GDPR compliant, I suggest making the following changes:
  • Make Your Name optional and explain that it does not necessarily have to be the person's real name
    While this is nice to know, it is not absolutely required to process a request
  • Optionally also make Subject optional
  • Mark required fields as required
 
This suggestion has been implemented. Votes are no longer accepted.
Why stop there, why not also include instructions for how to set up and use disposable email addresses? But then you also have to list all the disposable email addresses the forum is banning, of course. But what if the user wants to read the emails later down the line, so they don't want it disposable, so you best also include instructions for how to set up an encrypted email account.

Of course, you're saying the forum should specify it doesn't have to be someone's real name, but you also have to clarify that it should be a completely unique alias not in use anywhere else, with a consent box to indicate that if the name entered is not a completely unique alias then it is PII.
The user should then be able to give consent to the server to receive the unique alias. Of course, the alias they chose shouldn't be included in the email received by the admin, because the email received may be stored on a server, and if the user did not use a completely unique alias not in use anywhere else on the internet, the contents of the email now constitutes PII that the user can't remove.

😛

In all seriousness, while I do agree that marking required fields as required is a good idea for a form, I think you are going overboard by saying the forum should hold the user's hand and tell them the "Name" field doesn't need to be a real name.


Fillip
 
Of course, you're saying the forum should specify it doesn't have to be someone's real name, but you also have to clarify that it should be a completely unique alias
The name in contact us does not have to be unique nor is it required at all :)
 
The name in contact us does not have to be unique nor is it required at all :)
I was being facetious in everything above the "😛" emoji because the amount of completely over-the-top, unneeded or user unfriendly suggestions that have been presented lately as people are getting ready for the maypocalypse, has grown very very large.


Fillip
 
Actually, I don't see any emojis in your posts above - bug?

I also somewhat fail to see how marking required fields required or making not really required fields optional is user unfriendly (I'd say it improves usability), but everyone has their own opinion and that's great :)
 
Actually XF should set up the user with an email address from your domain, that way you don't capture the actual email address of the user.
... yea, and act as an email provider with all the legal stuff involved. Not to mention that many shared hosters only offer a limited amount of email accounts.
 
If someone is that thick that they cannot work out that if they put their details in a 'contact' form they will be then used to contact them, they shouldn't be allowed the use of the internet in the first place
I don't disagree :)

Unfortunately there seem to be legal requirements to do so.

Here is an example of a privacy policy of a German law firm specializing in IT law:
https://translate.google.com/translate?sl=de&tl=en&u=https://www.it-recht-kanzlei.de/datenschutz.php

You might want to take a look at 4) which deals with contact us (DSGVO = German name for GDPR)
 
It doesn't state anywhere on there that there is a legal requirement to do so. It is a statement by the firm telling the user what they are going to do with the data submitted in accordance with their interpretation of specific paragraphs.

In simple speak, you fill in the contact form and they'll use that data to contact you.
Which to all intents and purposes is the sole purpose of the user filling the form in in the first place.
 
Well, all I can say is ask your lawyer if such information is necessary or not.

This is just a suggestion to make things easier for XenForo customers, personally I don't need that functionality (we are not using the default privacy policy anyway).
 
Why should I ask my lawyer, the chances are they would not have a clue anyway and would have to research the law, charge a fortune for their time, add the usual disclaimer backed by their insurers, and we'd still be in the grey but with an invoice to prove we'd asked the question.
 
All contact form fields are required, and are now marked as such.

I'll leave it up to the interpretation of the user as to whether they feel providing their real name is appropriate or not.
 