GDPR discussion thread

The only thing that just occurred to me is what to do when it comes to a business that outsources any of their products or services. Say for example some of the products I offer I don't keep in stock, but sell through my website. When a customer places an order, I place that customer's order with my supplier who ships it. So I'm sharing that customer's details with a 3rd party.

I imagine I'll have to now disclose this, but to what extent? Can I just say that I have deals with trade suppliers and certain transactions will involve them and I pass on customers' shipping addresses? Do I have to say which products it applies to? Will I have to name my suppliers?

I can see this becoming very problematic from a competitive standpoint. I wouldn't want my competition knowing this information about my supply chain.

This could easily apply to sites that have merch stores or other drop shipping services integrated into their community.

What happens when a trade supplier has a data breach? I'm guessing you then have to contact all of your customers to let them know that one of your suppliers who has their personal data has had a data breach and name that supplier. Of course the customers should know this, but it could also destroy businesses that rely on sourcing and reselling products and services like this. A single email blast informing the entire customer base of a breach like that could mean none of them ever place an order through you again.

Following up on this, I've started to receive updated privacy policies from drop shipping companies, which can be good for selling forum merch.

This is from a large company that has locations in the US and Europe. Here are some snippets. On the one hand they're clear about what they collect and process themselves, but then they go on to say in a rather broad sense that they also share whatever data they need to with third parties, which just muddies and fuzzes the data trail with each link down the line. Of course they haven't specifically named these companies or exactly what data is processed, as it's very much completely out of their hands and reliant on each individual company.

On their end:

What information do we collect from Merchants?

We collect the following data to confirm your identity, contact you, invoice you, and otherwise provide our Services.

  • Company name
  • Address
  • Email address and phone number
  • Payment details

To give you access and to improve our Services, we may collect data about:

  • How and when you access your account
  • Information about the device and browser you use
  • Your network connection
  • Your IP address

For us to be able to provide you our Services and support, to process orders, for you to better serve your Customers, and to improve our Services, we collect information about your Customers:

  • Name, surname, company name
  • Shipping and billing address
  • Email address and phone number
  • Payment details
  • IP address and device data
  • Other information that you share with us or that customers provide while using our Services or during checkout

When you give us your permission, we might use personal data for other purposes as well.

Upon starting to use our Services we may process your email address to send you informative materials, such as newsletters, advertisements and others. At any point in time you can unsubscribe from receiving the above-mentioned information in our email footers and through your notification settings on Merch Store. We will not use the contact details of your Customers to directly advertise our Services to them.

Then there's the 3rd parties section, which gets a lot more vague:

Sharing personal data with third parties
In order for MerchStore to provide you with our Services, we work with third parties with whom we may share personal data to support these Services. Your personal data may be shared with third parties who provide hosting and server co-location services, communications and content delivery networks, data and cyber security services, billing and payment processing services, fraud detection and prevention services, web analytics, email distribution and monitoring services, session recording services, marketing services, our legal and financial advisors, among others (together – “Third Party Service Providers”). The Third Party Service Providers may only receive the minimum amount of personal data necessary, depending on their particular roles and purposes in facilitating and enhancing our Services and business, and may only use it for such purposes. We will only share personal data to Third Party Service Providers that have undertaken to comply with obligations set out in applicable data protection laws.

Note that while our Service may contain links to other websites or services, we are not responsible for each respective website’s or service’s privacy practices, and encourage you to be aware when you leave our Services and read the privacy statements of each and every website and service you visit. This Privacy Policy does not apply to third-party websites and services.

If you are a Merchant, by using our Services you are providing us with irrevocable consent to use any Third Party Service Provider at our discretion for the purposes of providing the Service.

MerchStore remains responsible for the processing of personal data carried out by Third Party Service Providers that MerchStore has engaged with for respective data processing in accordance with applicable laws.

In certain circumstances, we may also be required to share information with third parties to conform to legal requirements or to respond to lawful requests by public authorities as well as to protect our, or a third party’s, lawful interests.

I think the first 2 paragraphs in the above quote highlight the complexity of the data chain that can be involved with the way a lot of web based companies operate these days. So many sites bootstrap services or features in order to provide functionality, it's almost impossible to completely track and have control over where all this data ends up. That's not necessarily a bad thing, as many of the companies involved specialise in their service, which is more desirable than rolling your own internal solution, especially when it comes to payment processing. But it's still eye opening how many companies are involved.

By the time a single forum user has registered on your site and decided to order a forum tee shirt, their data could be in the hands of 10 different companies in some form or another by the end of the transaction. Ain't nobody got time to be reading 10 different privacy policies and understanding the technology stack and connecting the dots of the supply chain behind how this all works.

I guess on the forum admins end, you just end up putting a similar section in the privacy policy as the third party quote above and be general about it. Then hope that there's no data breaches further down the line.
 
I too would like to know how a user can export their data - @Slavik said XF is already compliant so it must have that feature somewhere? right?

All personal data XF collects is shown at the user account settings screens. There is no need to "export" anything if everything is clearly shown to them at the screen.
 
All personal data XF collects is shown at the user account settings screens. There is no need to "export" anything if everything is clearly shown to them at the screen.

The GDPR states that you have to "Provide an electronic copy (in machine readable format) of personal data to the data subject, and upon request, transmit these electronic files to another data controller."
It is called the "right to data portability": https://gdpr-info.eu/art-20-gdpr/
 
Hi Friends,

I apologize in advance for my poor English.

I have been following this thread for a couple of weeks, but unfortunately, not all my questions about GDPR compliance are solved. There is not very much time left until the next 28 May. I would like to have some basic things done for my forum before that date, but I don't know how to achieve some of them.

I share with you my "todo" list. Each forum out there is unique, but in my case, my legal advisors say that it would be enough if I do the following:

1.- Each website should have three pages: 1.- Terms of Use / Legal Advice, 2.- Privacy Policy, 3.- Cookies Policy. My legal advisor has written all the pages for me, and they can be added to XenForo with the standard help pages that XenForo provides. Because of that, that point is solved in my case.

2.- Store the consent to the Privacy Policy when a user registers. Here I have a lot of doubts. Although XenForo provides a required checkbox in the register form, that the user has to accept in order to register, there is a little problem. My legal advisors believe that to "cover my back", it would be ideal to store this consent in the following way:

UserID | Privacy Policy Consent (flag) | IP | Timestamp

This flag should be set when the user confirms the account after receiving the account activation email. Ideally a copy of the email sent to the user should be stored somewhere.

Questions:

  • Does XenForo store somewhere the data UserID | Privacy Policy Consent (flag) | IP | Timestamp? I know that there is a xf_user_confirmation table, but in my forum it is empty.
  • Is there a way to send a copy of the activation email to the admin of the forum?

3.- The register form should be expanded. It is not enough to show the checkbox that says "I agree with the privacy policy". A short and understandable summary with the most important points of the privacy policy should stay between the register form and the "I agree" checkbox. I think this is doable with the current available tools.

4.- All the email notifications sent by the forum should be updated, and include in the footer not only the links to the privacy policy and so on, but also a short summary, like in the registration form.

5.- The user has the right to download all his data. The tool suggested in this thread should help: https://xenforo.com/community/resources/kl-admin-tools.6352/

6.- The user has the right to cancel the account. Ideally, the user should be able to do this himself (by clicking on a button or something like that). But it is also acceptable to provide a form to contact the admin, and the admin has to do it in a "reasonable period of time". That means: as soon as possible.

6.1.- If the user has not written a lot of PI in his posts, it should be enough to anonymize the user. Otherwise, all the posts should be removed too.

7.- Newsletters: If you have a mailing list and you send newsletters, you have to collect the consent of the users explicitly for this newsletter. It is not enough to subscribe the user to the newsletter when the user registers (opt in by default). If you have such a mailing list, you have until 28 May to send a mail to your users and ask for the consent. And again you have to store this consent somewhere.

Again, XenForo does not provide a tool for that (at least, not one that I know of). I'm using Threadloom to send weekly emails. This service does not provide a way to ask for the consent of the already existing users. Because of that I'm considering giving up my mailing list and starting again from scratch, using a plugin that really stores the consent.

And well, there are other things to do, but those are the main tasks that I have to perform before June.

Could you provide some answers to the couple of questions that I wrote?

Thanks!
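
The consent record described in points 2 and 7 of the post above, as an added example that is not part of the thread and is not XenForo's own code. It keeps the four fields from the post and assumes a hypothetical `consent_log` table in SQLite with an extra `purpose` column, so that privacy-policy consent and newsletter consent are stored separately and a withdrawal is a new row, not an edit.

```python
import ipaddress
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one row per consent event with the fields from the post
# (user id, flag, IP, timestamp) plus a purpose column.
SCHEMA = """
CREATE TABLE consent_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id     INTEGER NOT NULL,
    purpose     TEXT    NOT NULL,
    granted     INTEGER NOT NULL CHECK (granted IN (0, 1)),
    ip          TEXT    NOT NULL,
    recorded_at TEXT    NOT NULL
);
CREATE TRIGGER consent_log_no_update BEFORE UPDATE ON consent_log
BEGIN
    SELECT RAISE(ABORT, 'consent_log rows are never edited; add a new row');
END;
"""


def open_log(path=":memory:"):
    """Create the consent log; an in-memory database is used for the demo."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_consent(conn, user_id, purpose, granted, ip, when=None):
    """Append one consent event. Call it when the account is confirmed
    (purpose 'privacy_policy') or when the user opts in or out of mail."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
    when = when or datetime.now(timezone.utc)
    with conn:  # commit on success, roll back on error
        conn.execute(
            "INSERT INTO consent_log (user_id, purpose, granted, ip, recorded_at) "
            "VALUES (?, ?, ?, ?, ?)",
            (user_id, purpose, int(bool(granted)), ip, when.isoformat()),
        )


def has_consent(conn, user_id, purpose):
    """The latest event decides; no event at all means no consent."""
    row = conn.execute(
        "SELECT granted FROM consent_log WHERE user_id = ? AND purpose = ? "
        "ORDER BY id DESC LIMIT 1",
        (user_id, purpose),
    ).fetchone()
    return bool(row and row[0])


def newsletter_recipients(conn, user_ids):
    """Registration alone never puts a user on the mailing list."""
    return [u for u in user_ids if has_consent(conn, u, "newsletter")]


def demo():
    # Constructed sample events using documentation-range IP addresses.
    conn = open_log()
    record_consent(conn, 1, "privacy_policy", True, "203.0.113.7")
    record_consent(conn, 2, "privacy_policy", True, "2001:db8::1")
    record_consent(conn, 2, "newsletter", True, "2001:db8::1")
    record_consent(conn, 3, "newsletter", True, "198.51.100.4")
    record_consent(conn, 3, "newsletter", False, "198.51.100.4")  # withdrawal
    return newsletter_recipients(conn, [1, 2, 3])


if __name__ == "__main__":
    print(demo())
```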
 
Any news on what XF is going to introduce by default or is it up to the individual site owner to manually develop solutions? I mean the Cookie consent is I'd wager hard to do with XF.
 
1.- Each website should have three pages: 1.- Terms of Use / Legal Advice, 2.- Privacy Policy, 3.- Cookies Policy. My legal advisor has written all the pages for me, and they can be added to XenForo with the standard help pages that XenForo provides. Because of that, that point is solved in my case.

You just need a well written privacy policy. All the other documents are optional. Small sites won't need them.
Just create a privacy policy (e.g. at https://www.iubenda.com/) and you are set.

2.- Store the consent to the Privacy Policy when a user registers. Here I have a lot of doubts. Although XenForo provides a required checkbox in the register form, that the user has to accept in order to register, there is a little problem. My legal advisors believe that to "cover my back", it would be ideal to store this consent in the following way:

UserID | Privacy Policy Consent (flag) | IP | Timestamp

This flag should be set when the user confirms the account after receiving the account activation email. Ideally a copy of the email sent to the user should be stored somewhere.

Questions:

  • Does XenForo store somewhere the data UserID | Privacy Policy Consent (flag) | IP | Timestamp? I know that there is a xf_user_confirmation table, but in my forum it is empty.
  • Is there a way to send a copy of the activation email to the admin of the forum?

The new user accepts your policy at the exact time of registration. That timestamp is recorded in the user's data set. Also the IP (if you like). If the user does not accept the policy he can't register. No need for any special treatment.

3.- The register form should be expanded. It is not enough to show the checkbox that says "I agree with the privacy policy". A short and understandable summary with the most important points of the privacy policy should stay between the register form and the "I agree" checkbox. I think this is doable with the current available tools.

It is allowed to just link to the policy. There is no need for a "summary". I would recommend against a summary, because this is a legal document of its own and even small differences to the complete document may bring legal troubles or misunderstandings.

4.- All the email notifications sent by the forum should be updated, and include in the footer not only the links to the privacy policy and so on, but also a short summary, like in the registration form.

This is also not a "must". You just have to present who is responsible for the email, why you send it and how to stop future emails. This can be done with a template edit in XF as you like. No need for any special treatment.

5.- The user has the right to download all his data. The tool suggested in this thread should help: https://xenforo.com/community/resources/kl-admin-tools.6352/

Again, this is applicable for "personal" data only. The only personal data stored at a default XF installation is the email address. It can be clearly seen by each user and the account details page can be saved at the local computer, if anyone likes to do so. There is no legal need for a "download tool".

6.- The user has the right to cancel the account. Ideally, the user should be able to do this himself (by clicking on a button or something like that). But it is also acceptable to provide a form to contact the admin, and the admin has to do it in a "reasonable period of time". That means: as soon as possible.

If a user wants to delete his account, he uses the contact form to notify you and you delete the account according to your terms. Again no need for anything special.

6.1.- If the user has not written a lot of PI in his posts, it should be enough to anonymize the user. Otherwise, all the posts should be removed too.

There is no need to delete ANY posts after the deletion of a user. If a user wants to delete any PI written into his public posts, he can contact you and request an edit. This can be done whether the account has been deleted or not. Anonymization of an account is only necessary if you allow real name user accounts. Just disallow that (and the public presentation of any PI) in your terms and you are set and no longer responsible for such accounts and users.

7.- Newsletters: If you have a mailing list and you send newsletters, you have to collect the consent of the users explicitly for this newsletter. It is not enough to subscribe the user to the newsletter when the user registers (opt in by default). If you have such a mailing list, you have until 28 May to send a mail to your users and ask for the consent. And again you have to store this consent somewhere.

Newsletters are not a default feature in XenForo. If you write newsletters to your users, you need software which complies with the GDPR.

I know there are many rumors out there and fear about the GDPR. But a default XenForo forum admin does not have to change anything. The default features and the default cookie notice is enough to comply with GDPR.

There are some things to think about if you collect more personal data (like real name and addresses) from your users, send newsletters or show advertising at your forum. Then you have to do some work until May 25.
 
@HWS there seems to be a misunderstanding as to what data is encompassed in the term "personal data" here
please read this: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
key phrase: Personal data is any information that relates to an identified or identifiable living individual.

This includes any data that can be linked to a person such as IP addresses, cookie IDs, etc. The email address is the identifier, but all other data in your database associated to that email address can also be considered "personal data" and therefore should be allowed to be exported.
 
@HWS there seems to be a misunderstanding as to what data is encompassed in the term "personal data" here
please read this: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
key phrase: Personal data is any information that relates to an identified or identifiable living individual.

This includes any data that can be linked to a person such as IP addresses, cookie IDs, etc. The email address is the identifier, but all other data in your database associated to that email address can also be considered "personal data" and therefore should be allowed to be exported.

The email address is the only personal data stored and used by default XenForo. If you delete the user account in XenForo, no personal data is left at your system. Any user can see all data in his account at the user account screens. He can save all those screens at his computer. There really is no need for a "download" tool.

Regarding cookies there is an exemption for cookies technically needed to run the web site. You don't need prior consent for them. All default XenForo cookies are allowed to be used without prior consent. You just have to notify the user you use them and add them to your privacy policy.

Regarding IP addresses, no admin should ever store or provide full IP addresses anywhere. If you do store and use them you need consent from the users. There is a setting in XF to delete IP data.
 
The email address is the only personal data stored and used by default XenForo. If you delete the user account in XenForo, no personal data is left at your system. Any user can see all data in his account at the user account screens. He can save all those screens at his computer. There really is no need for a "download" tool.

Regarding cookies there is an exemption for cookies technically needed to run the web site. You don't need prior consent for them. All default XenForo cookies are allowed to be used without prior consent. You just have to notify the user you use them and add them to your privacy policy.

Regarding IP addresses, no admin should ever store or provide full IP addresses anywhere. If you do store and use them you need consent from the users. There is a setting in XF to delete IP data.
You can tell yourself that to buy yourself a conscience but that's not going to cut it in court.
I encourage you to do some more reading on GDPR. The rest of us are still looking for a solution.
 
However, if they have posted more, I will instead "anonymise" their account by changing their username to their numeric userid

Isn't the problem with this that their username will still exist on the forum whenever they have been quoted?
 
Isn't the problem with this that their username will still exist on the forum whenever they have been quoted?

This is where the software needs to take this into account. It would be not only impractical to view every single post ever made to ensure that the username was anonymised, it would be impossible - especially on a site with thousands of members and posts.

;)
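
The quoted-username problem raised above, as an added example that is not part of the thread and is not XenForo's own code. It assumes quote attributions are stored in post text as `[QUOTE="name, post: N, member: N"]` (or a bare `[QUOTE=name]` with no member id), rewrites the ones belonging to the anonymised account to the numeric user id, and counts the free-text mentions that still need a manual look; the function name and sample post are constructed.

```python
import re

# Assumed XenForo-style attribution: [QUOTE="name, post: N, member: N"].
# Bare [QUOTE=name] and [QUOTE="name"] tags carry no member id.
QUOTE_TAG = re.compile(r'\[QUOTE=(?P<q>"?)(?P<body>[^\]\n]+?)(?P=q)\]', re.IGNORECASE)
ATTRIBUTION = re.compile(r'^(?P<name>.*?)(?P<attrs>(?:,\s*\w+:\s*\d+)*)$')
MEMBER_ID = re.compile(r'member:\s*(\d+)')


def anonymise_quotes(text, user_id, old_name):
    """Replace the quoted username of one account with its numeric user id.

    Returns (new_text, tags_rewritten, mentions_left). mentions_left counts
    remaining occurrences of old_name, e.g. in free text, which a quote-tag
    rewrite cannot safely change and which need manual review.
    """
    replacement = str(user_id)
    rewritten = 0

    def fix(match):
        nonlocal rewritten
        parts = ATTRIBUTION.match(match.group("body"))
        name, attrs = parts.group("name"), parts.group("attrs")
        member = MEMBER_ID.search(attrs)
        if member:
            # Trust the member id over the name: two accounts may have
            # carried the same display name at different times.
            same_user = int(member.group(1)) == user_id
        else:
            same_user = name.strip().casefold() == old_name.casefold()
        if not same_user or name == replacement:
            return match.group(0)  # someone else's quote, or already done
        rewritten += 1
        q = match.group("q")
        return f"[QUOTE={q}{replacement}{attrs}{q}]"

    new_text = QUOTE_TAG.sub(fix, text)
    mention = re.compile(rf"(?<!\w){re.escape(old_name)}(?!\w)", re.IGNORECASE)
    return new_text, rewritten, len(mention.findall(new_text))


# Constructed sample post body; names and ids are made up.
SAMPLE_POST = (
    '[QUOTE="Alice, post: 1234, member: 56"]First point[/QUOTE]\n'
    'I agree with Alice here.\n'
    '[QUOTE="Bob, post: 1240, member: 57"]Second point[/QUOTE]\n'
    '[QUOTE=alice]Imported from the old forum[/QUOTE]'
)

if __name__ == "__main__":
    text, rewritten, left = anonymise_quotes(SAMPLE_POST, 56, "Alice")
    print(text)
    print(f"{rewritten} quote tags rewritten, {left} mentions left for review")
```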
 
This is where the software needs to take this into account. It would be not only impractical to view every single post ever made to ensure that the username was anonymised, it would be impossible - especially on a site with thousands of members and posts.

;)

However, thinking about it, can compliance with GDPR mean you may need to remove all content by that user, as opposed to just removing (or anonymising) their profile? EDIT: I see HWS addressed this above.

I suppose the main issue in this case is if they used their real name. On our forum we have a member who is a member of parliament and did join under his real name. I advised him to remove "MP" as his occupation in his profile.
 
People can use their real name, though it's best to advise them not to, because if someone joins using the name John Smith, that name can be the same as tens of thousands (if not millions) of others. Where this becomes a sticky point is if there is other identifiable data being used alongside that name that could single that person out as an individual; hence your good move to advise him to remove MP from his profile.

To be frank, I'd like to see more control over the options available in the user profile. Get rid of DOB if it's not required. Get rid of social media as that can then link that person to an individual. What's needed and what's wanted are two different things, so the ability to turn off or remove aspects of the user profile would be a great asset.

;)
 
@HWS there seems to be a misunderstanding as to what data is encompassed in the term "personal data" here
please read this: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
key phrase: Personal data is any information that relates to an identified or identifiable living individual.

This includes any data that can be linked to a person such as IP addresses, cookie IDs, etc. The email address is the identifier, but all other data in your database associated to that email address can also be considered "personal data" and therefore should be allowed to be exported.

Unless it's changed, an IP address is not personally identifiable information. It merely identifies a specific computer/location, NOT the person using it.
 
Unless it's changed, an IP address is not personally identifiable information. It merely identifies a specific computer/location, NOT the person using it.
This is a point I was curious about. XenForo aside, the server you run the software on is going to store IP addresses in logs. If an IP address was considered PII then someone would be able to request their logs. I personally think this is extreme and nothing stored there should be considered PII, but hey, I didn't write the law. :P
 
The issue being explored is that whilst small individual items (such as IP addresses) may not be able to identify an individual, it's when all the little pieces are put together that this could change and an individual could be identified. So, it's about all pieces of the jigsaw puzzle. One piece doesn't show you the whole picture, but when other pieces are added you begin to see.

;)
 
This is a point I was curious about. XenForo aside, the server you run the software on is going to store IP addresses in logs. If an IP address was considered PII then someone would be able to request their logs. I personally think this is extreme and nothing stored there should be considered PII, but hey, I didn't write the law. :P

There was a case a year or so ago where the (European) court ruled they're not PII in general unless you also somehow have legitimate access to the ISP's records linking them to a real person.

I don't know if GDPR overrides any of that.
 