GDPR discussion thread

I'm not sure if it is required by GDPR, but I have always wanted a feature so that if you change the terms or privacy policy, then users get notified and have to consent. Obviously you could send out a bulk email every time you change them, but I think that would be a pain (and expensive if you pay for email service), so why not have a notice for users as they log in with a tick box to accept changes to the terms or privacy?
 
As people keep bringing it up that XenForo is "already compliant out of the box", I wonder which detail I am missing regarding cookie behavior? There's literally no cookie consent at all. As vague as the regulation might be, I'm very certain that a barely noticeable "we use cookies and by continuing to browse this page, you agree to that" after cookies have already been placed is hardly enough to tell anyone you're prompting them for consent.

Consenting to cookies needs to be a clear affirmative action

I don't see where this is happening. And I don't see a way to prevent XF from placing cookies before this consent has been given either. Cookies are placed with the very first site visit, before consent has been given in any form (unless visiting a page suffices as giving consent?). There's a lot of things we can and have to do ourselves, obviously, but changing the cookie behavior of our underlying software with no technical means given is hardly "compliant out of the box" in my honest opinion.
 
The GDPR can be complicated to fully understand, especially when there are parts that 'appear' to be contradictory. Firstly they say that implied consent is a no-no, but if you have a 'legitimate interest' in dropping cookies that are considered 'essential' to giving the visitor the experience they expect (viewing your website), then you can drop 'essential' cookies if they allow the visitor to view your site, which s/he may not be able to do without those cookies, providing you tell them that you are doing so and why. That is something for the developers to decide as we have no apparent control over how those cookies are dropped and whether they are 'essential' for a casual visit.

When it comes to other cookies (we're just dealing with cookies here BTW) that are not considered 'essential' such as advertising or tracking cookies, then explicit consent is required. At present there is no means to facilitate this in the software to block those cookies until consent is given, or a means to seek that consent - this is what's missing.

As @Mr Lucky said, sending out a bulk email every time something changes that requires consent is a no go - and you can't send emails to people unless they opt-in; you can word your T&C and Privacy Policy as cleverly as you may believe in order to facilitate consent, but if consent is not given explicitly you can find yourself on dodgy ground.

A lot of the questions and concerns raised have been dragged out with no real defining actions being taken to help XF users to do what the GDPR requires - sure it may appear that way, but is it? I've spoken at length with the ICO and have also emailed a whole bunch of questions to them, I want their response in writing as a verbal conversation may not suffice, if there is something not being stated correctly.

Effectively, the ICO more or less leaves it up to you to decide if you're compliant by using their resources - and failing going to seek legal advice (expensive) your assumptions and findings may not be enough. I'll keep everyone posted on what the ICO comes back with.

;)
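The gap described in the post above (no way to hold back non-essential cookies and scripts until an explicit opt-in) is what a browser-side consent gate addresses. The following is an added example written for this thread; it is not XenForo code and not from any poster. The cookie name `cookie_consent`, the `CONSENT_VERSION` constant, the category names and the script URLs are all assumptions chosen for the example. Essential cookies (session, CSRF) are left to the server; the gate only governs the loading of advertising and analytics code, and it treats an absent, malformed or outdated consent record as "no consent", so a policy change (bumping the version) makes every visitor consent again, which is the re-consent idea from the first post.

```javascript
// Added example (not XenForo code): gate non-essential scripts behind an
// explicit, versioned opt-in recorded in a cookie. Silence is never consent.

// Hypothetical names, chosen for this example.
const CONSENT_COOKIE = "cookie_consent";
// Bump this whenever the privacy policy changes: older records stop
// counting as consent and the visitor is asked again.
const CONSENT_VERSION = 2;

// Non-essential categories and the third-party scripts each one unlocks.
// The URLs are placeholders.
const NON_ESSENTIAL = {
  analytics: ["https://analytics.example/collect.js"],
  advertising: ["https://ads.example/tag.js"],
};

const isKnownCategory = (c) =>
  Object.prototype.hasOwnProperty.call(NON_ESSENTIAL, c);

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // Malformed percent-encoding: skip this cookie rather than throw.
    }
  }
  return jar;
}

// Categories the visitor affirmatively accepted under the current policy
// version. Missing cookie, stale version or garbage all yield [].
function acceptedCategories(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return [];
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    return [];
  }
  if (!record || record.version !== CONSENT_VERSION ||
      !Array.isArray(record.accepted)) {
    return [];
  }
  return record.accepted.filter(isKnownCategory);
}

// Which non-essential scripts may be injected for this visitor.
function scriptsAllowed(cookieString) {
  return acceptedCategories(cookieString).flatMap((c) => NON_ESSENTIAL[c]);
}

// Cookie string recording a click on "Accept" for the given categories.
// Only the banner's button handler calls this; never page load.
function consentCookieValue(accepted, maxAgeSeconds = 180 * 24 * 3600) {
  const chosen = accepted.filter(isKnownCategory);
  const record = JSON.stringify({ version: CONSENT_VERSION, accepted: chosen });
  return `${CONSENT_COOKIE}=${encodeURIComponent(record)}; ` +
    `Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring: inject only the permitted scripts. `doc` is passed in so
// the decision logic can be exercised without a real DOM. Returns the
// number of scripts injected.
function loadPermittedScripts(doc) {
  const urls = scriptsAllowed(doc.cookie);
  for (const src of urls) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return urls.length;
}

if (typeof document !== "undefined") {
  loadPermittedScripts(document);
}
```

Wire the "Accept" button to `document.cookie = consentCookieValue(selected)` followed by `loadPermittedScripts(document)`; the module runs the gate once on every page load, so a visitor who never clicked gets nothing injected. Server-set essential cookies are untouched by this, which matches the 'legitimate interest' split the post describes.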
 
XF is already compliant by default and there currently isn’t any further action planned.
So not even a guide or anything official from XF on how your customers can be compliant? No tips or help? Nothing to help your paying customer have faith that we’re doing things correctly? That’s a bit of a cop out to be honest. Sorry.
 
When it comes to other cookies (we're just dealing with cookies here BTW) that are not considered 'essential' such as advertising or tracking cookies, then explicit consent is required. At present there is no means to facilitate this in the software to block those cookies until consent is given, or a means to seek that consent - this is what's missing.

This part is somewhat contrary (not your presentation of it, but the actual regulation). Tracking cookies do not require consent? Why is that? Isn't the whole regulation about giving me control over which data can be used to track me and which one cannot? It is (or would be) really ironic to rule that out specifically.

Also, imho tracking cookies are not essential. I'm under the impression that XenForo works fine without keeping a session cookie for unregistered visitors, so there'd be no need to store it. I see that this is maybe somewhat different for the csrf token, but how am I - as a forum owner - going to explain that, when I can't even tell my users what they're used for, really. (The term 'I' is here used for someone not well versed in these technologies. I am very well aware of what these cookies are used for, or at least I am under the impression that I am, hence why I pointed out that I am not living up to the belief that session cookies for unregistered members are necessary).
 
So not even a guide or anything official from XF on how your customers can be compliant? No tips or help? Nothing to help your paying customer have faith that we’re doing things correctly? That’s a bit of a cop out to be honest. Sorry.
I was mostly commenting on whether we'd be adding anything to the software itself. Currently, there's nothing planned (certainly not in this current release, which is releasing imminently), as we don't believe there's anything remaining to be compliant.

We're reviewing it closely, however. We will certainly be commenting on GDPR as a whole in the coming weeks. But people need to calm down a little. As @Amin Sabet rightly put it yesterday, the sky is not falling. If there's work to be done, there's still plenty of time to do it.
 
No, the sky is not falling, but people ARE panicking; whether that is rightly so or not, it's a fact. Personally, I'm not panicking, just pointing out some potential pitfalls. It's a pig's ear, this GDPR, and it's caught a lot of people on the hop. Forums, particularly small forums, are not the intended target of the GDPR, but unfortunately they do fall under the jurisdiction of the GDPR if something untoward happens.

A lot of smaller charities, for example, are nowhere near GDPR ready, it's reported. The DWP (Department of Works and Pensions) is said to be spending £15m on getting ready for GDPR. So, it's pretty current news and the reports coming back are astounding in terms of who is and who isn't ready and the obscene amounts of money being spent to gear up for it.

If the XF team are looking into this, then that's good news - if they intend to make some changes to help owners out, that's brilliant news. Let's wait and see what happens.

;)
 
What internet lawyer advised you of this? Or are you just pulling stuff out of the wild blue yonder?

Hi ozzy47,

this is why I was not amused when I saw that my own thread was merged into this one.

I have linked to the postings of German lawyers who specifically explain how they see the GDPR is affecting even small websites, forums etc.

It is clear in the view of these lawyers that we do need an unsubscribe link in XF1.5x, and all that without being forced to log in.

Even more has to be changed in the text of the terms of rule and privacy statements. If you use mailchimp et alii even more has to be agreed on by the users before continuing.

IPS sent out it last newsletter today and you have to subscribe totally new to be able to get a newsletter from them even though you are an old customer.

What I want to say with this is that there are obviously different views on this. So far I am the only one who was able to offer written statements from real lawyers. Everybody here is either guessing or relies on phone calls.

The way how XF is dealing with the opinions of its users is not ideal.

I just see as a first step a "there is no need for anything" without having even tried to contact a lawyer before that statement.

Once more and more people get interested in that GDPR issue, suddenly a paid add-on is offered.

Now since other forum software vendors show how you should communicate with your customers, XF starts to say, we will look at it in the future.

Come on, do we need to kill each other here first before the XF management makes clear statements, based on written opinions of lawyers, on how this GDPR will affect the XF forum software?

For both, XF1.5x and XF2.

Do I expect here too much?

At least this is the way I would treat my users in my support forum, if I had sold them the product.
 
The threads were merged (5 out of 6 of them, one is a suggestion) because it’s much easier to follow and listen to all customer opinions all in one place. I’m sure you wouldn’t like us to miss anything important.

We’ll be making an official statement on the current status of GDPR compliance and detailing any changes being made (if any) in the next few weeks.
 
The threads were merged (5 out of 6 of them, one is a suggestion) because it’s much easier to follow and listen to all customer opinions all in one place. I’m sure you wouldn’t like us to miss anything important.

We’ll be making an official statement on the current status of GDPR compliance and detailing any changes being made (if any) in the next few weeks.

Is it OK to come with GDPR suggestions to the software in here? Or use standard suggestion thread? Ref. keeping it all in one GDPR thread.
 
The threads were merged (5 out of 6 of them, one is a suggestion) because it’s much easier to follow and listen to all customer opinions all in one place. I’m sure you wouldn’t like us to miss anything important.

We’ll be making an official statement on the current status of GDPR compliance and detailing any changes being made (if any) in the next few weeks.
Thanks Chris, good to hear that you’ll be talking about it. That gives me some confidence (y)
 
Is it OK to come with GDPR suggestions to the software in here? Or use standard suggestion thread? Ref. keeping it all in one GDPR thread.
To be honest, probably in here at this point.

I very nearly merged the suggestion thread in here too, but that didn't feel quite as appropriate, though I do need to review whether there have been any significant comments in there yet.
 
Come on, do we need to kill each other here first before the XF management makes clear statements, based on written opinions of lawyers, on how this GDPR will affect the XF forum software?

As you have pointed out, your German lawyers have differing interpretations.

So even if we did release a statement/guide, would you be happy unless it mirrors what the German lawyers have said? Being an English company, our guidance will come from the ICO, and for example, your 1-click opt out has been categorically stated by the ICO to not be required.

XenForo isn't a legal firm, it falls down to the site owner to look up, research and work out what is needed for their sites based on services they use and what they do with their users data. I feel a lot of people are expecting us to cover all bases for every person, which is unrealistic.

I mean running down the few key complaints:

Cookies
Enable Show cookie notice on first visit option: Might require a tweak to have a button to accept/acknowledge.

Right to Erasure
Deleting an account will remove all personal data related to that account.

Emails
A variety of email preferences to allow a user to receive site mailings or not are provided in their account settings, changing the site mailing preferences. Changes to account preferences are accordingly logged.

Right to be informed
The help pages are easily found and can be easily edited.
Now outside of these points, which help you to comply with the GDPR, further guidance on specifics (e.g., when can you refuse erasure, what cookies need explicit opt in, what about provider X, Y and Z, etc.) falls down to the site owner to investigate and implement the required policies. Any further advice / interpretation we give on specific points is outside the scope and capacity of XenForo to officially tell you, but we don't mind giving you the information the ICO has provided; it boils down to you as a site owner to decide if it's good enough.
 
Do you ever have unhappy users/ex users? All it takes is one unhappy (banned) user to make a complaint, and you are then potentially on the radar of compliance people who will have targets for the number of websites to prosecute. And the fines are big.

In order to pay the fine which is 4% or max 20 million euro, then your business has to earn 500 million euro, so unless you are one of those high tech power players that could be affected, then I certainly would not lose any sleep over this. Everyone is letting their imagination go wild when all of this was started by some scared person that never understood GDPR, and now everyone wants to claim they are experts on the subject.

I think every post that relates to GDPR should be deleted from XenForo.

You are your own worst enemy!
and you are allowing your imagination to control your emotions and your life.
 
In order to pay the fine which is 4% or max 20 million euro, then your business has to earn 500 million euro, so unless you are one of those high tech power players that could be affected, then I certainly would not lose any sleep over this. Everyone is letting their imagination go wild when all of this was started by some scared person that never understood GDPR, and now everyone wants to claim they are experts on the subject.

I think every post that relates to GDPR should be deleted from XenForo.

You are your own worst enemy!
and you are allowing your imagination to control your emotions and your life.

Errr... it’s 4% or up to €20m. Whichever is the HIGHEST!
 
Errr... it’s 4% or up to €20m. Whichever is the HIGHEST!

obviously, €20m would be the highest no matter what.
So why is the 4% in there at all? Just to throw you off?

Besides, top tech companies are expected to spend millions in order to comply with GDPR, and if that is the case, then how would you think you could ever comply with GDPR without the assistance of legal counsel? You think you are going to make some forum tweaks and you're good?

This will blow over when people realize that there is no fire, and their forum is not burning to the ground.
 