GDPR discussion thread

Robust

Well-known member
Seriously? That's what people do with these requests?? Hmmm... Tempting, but...
Why exactly do you want to keep his information? As you've said, he's made no posts. You can keep the content of the posts, but you don't really have any legitimate reasons to keep his email, his IP, or any cookie data. These are all protected by the GDPR, and since you have no legitimate interests to keep them (presumably) which would outweigh his rights, you should delete them per his request.

If your website is based in the EU then you don't have a choice.
Or serving EU users.
 

Stuart Wright

Well-known member
Hi, I received this unusual request from a member, who has no forum content, not one post.



What in the world is he asking? All we have for info on his account is:
  • a made-up username
  • an email address,
  • he identifies as male,
  • the DAW software he uses,
  • he's in the UTC+1:00 time zone.

All other info would have been caught by a cookie, I suppose, in his browser, but that info doesn't come to us. Or does it?

Thanks for any help on this!

Andre
I have set up an automatic reply to emails having this subject (since they are automatically generated) telling them to send me a PM requesting to have their account deleted as we don't know whether they are really the account holder or not.
 

Mr Lucky

Well-known member
Hi, I received this unusual request from a member,

It's not really an unusual request. This is something I do from time to time when there is a site I no longer use. It makes good sense to me that my email address is not out there on loads of sites - from time to time sites get hacked. Mostly I use different passwords so I'm not too bothered about those. However I think it is a reasonable request (if the site itself won't allow deletion) and it is also part of EU law anyway as we know.

As Stuart Wright says you can double check with a PM or email to confirm it is legit.
 

markoroots

Active member
Hi there, I make my apologies to everyone if I haven't read all the posts in this thread that has 30 pages, so I will need a week.
I have tried to do some research in this thread and on my forum to see if there is the possibility to also show, in the default cookie banner of XenForo, the option to let the user deny the use of cookies (seeing that by law we must offer it), but furthermore I haven't found the answer.

What I see is that the options we actually have are 2, shown in 2 buttons:
Accept
More information



but I haven't seen a way to also add a button to let the users deny the use of cookies, as many guests want.
So I would like to know if there is the possibility to add this option/button, seeing that we must provide this function on our sites.

Thanks in advance
 

Mr Lucky

Well-known member
but I haven't seen a way to also add a button to let the users deny the use of cookies, as many guests want.
So currently, without accepting cookies: we have

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.


Which implies if you don't want to have cookies, we don't want you looking at our site.

To me this seems fine, every site owner has this prerogative, but I can see why you may want people to still browse the site without having their experience "tailored." However you reword the phrase it's still a kind of take it or leave it approach, assuming people may want to look at the site without the tailoring and without the nagging notice at the bottom of the screen.

ie an option to Continue without cookies at my own risk...
 

Cylon

Member
To me this seems fine, every site owner has this prerogative, but I can see why you may want people to still browse the site without having their experience "tailored." However you reword the phrase it's still a kind of take it or leave it approach, assuming people may want to look at the site without the tailoring and without the nagging notice at the bottom of the screen.
Maybe that looks fine to you, but I can assure you that this way of thinking does not comply at all with the laws of some European countries. I'm talking especially about Germany, where I live, and I have to adapt my websites to the way the German law has interpreted the GDPR, not the way the GDPR is interpreted in Spain, for example.

And the way Germany understands the GDPR is that if the user does not consent to the use of cookies, then you cannot use cookies nor load third-party scripts that make use of cookies. Of course, the functional cookies, i.e. those strictly necessary for the site to work (login, and so on), are allowed, but all the extra cookies (analytics, crash reports, and so on) must be consented to. And we all know that we are not talking about the functional cookies. We are talking about all the cool scripts that we integrate in our sites: analytics, remarketing scripts, heat maps, and the like.

Which implies if you don't want to have cookies, we don't want you looking at our site.
Yes, that's the same as what I think, but again, that does not work for Germany and many other European countries. You may provide a cookie banner that, if the user does not consent to it, disallows navigation through the site. But as said, this banner has to actively prevent navigation on the site if the user does not consent to cookies (modal dialog with black overlay). And of course, as long as the user has not consented, you cannot load third-party scripts.

I think it was the main website of Fujitsu? Germany, that opted for this solution a couple of years ago. They didn't have enough time to adapt the website to the GDPR, and they embedded a modal dialog with a black overlay around it asking for the consent of the user with two options: accept or go back to Google.

In this case, this solution would be in accordance with the German rules, but who wants that for their site?

And of course, if the users do not accept the cookie banner, nor reject it, then you are not allowed to load third-party scripts. That means, if you have the typical non-intrusive banner located below, it can happen that the user ignores it and browses the forum. And the visit will not be registered in analytics, because the script is not allowed to load until after the user consents.

At least in Germany, the actual cookie banner from XenForo does not provide the features to be GDPR compliant. We need somebody with the knowledge and enough time to develop an addon and provide a better solution. I would pay for it. I thought about doing it myself, but I don't have enough time at this moment.


On the positive side, in the event of receiving a fine regarding the GDPR, the amount of the fine depends on the income generated by the website, and in my case, it would be the minimum amount. More or less 500€, I think.

Regards

PS: I'm not saying that I agree with this way of interpreting the GDPR law, and the GDPR law itself. But this is the way it works, at least in Germany.
 

Cylon

Member
They may continue browsing without clicking on Accept.
In that case some content won't be available for them.
That is not entirely correct and extremely vague. At least in xenforo, there is no content that depends on the acceptance of the cookie banner. You can log in or register because the cookies used for that are functional cookies.


As explained above, what is not allowed to load are the third-party scripts that make use of cookies. And they don't provide anything useful to the visitor, but features for the owner of the site!
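
The rule Cylon describes in the two posts above (no recorded consent, including an ignored banner, means only strictly necessary scripts load), sketched as an added example that is not part of any post or of XenForo. The cookie name `consent`, its `category=flag` format and the script URLs are assumptions made for illustration.

```javascript
// Added example. Cookie name, cookie format and script URLs are assumptions.
const CATEGORIES = ["functional", "analytics", "marketing"];

// Constructed inventory: every script the site may load, tagged by purpose.
const SCRIPTS = [
  { src: "/js/login.js", category: "functional" },
  { src: "https://analytics.example/track.js", category: "analytics" },
  { src: "https://ads.example/remarketing.js", category: "marketing" },
];

// Parse document.cookie (or a Cookie header) for "consent=analytics=1&marketing=0".
// A missing, undecodable or unknown value grants nothing beyond "functional".
function parseConsent(cookieString, name = "consent") {
  const granted = new Set(["functional"]); // strictly necessary, no consent needed
  let decided = false;
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      continue; // malformed encoding: treat as no decision
    }
    decided = true;
    for (const pair of value.split("&")) {
      const [category, flag] = pair.split("=");
      if (CATEGORIES.includes(category) && flag === "1") granted.add(category);
    }
  }
  return { decided, granted };
}

// Default deny: an ignored banner (decided === false) loads the same set as a refusal.
function allowedScripts(scripts, consent) {
  return scripts.filter((s) => consent.granted.has(s.category)).map((s) => s.src);
}

// Browser side: inject only what was allowed; call again after the user clicks Accept.
function injectScripts(srcs, doc) {
  for (const src of srcs) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return srcs.length;
}
```

In a page this would run as `injectScripts(allowedScripts(SCRIPTS, parseConsent(document.cookie)), document)`, with the `decided` flag controlling whether the banner is still shown.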
 

Kirby

Well-known member
PS: I'm not saying that I agree with this way of interpreting the GDPR law, and the GDPR law itself. But this is the way it works, at least in Germany.
Almost :)

Forcing a user to accept specific data processing (like cookies for Ads, Analytics, etc.) in order to continue browsing the website would not be compliant - you have to offer that service/website without those cookies if the user does not consent.
Though that offer does not have to be free, eg. it could be made accessible only with payment.
 

Mr Lucky

Well-known member
Maybe that looks fine to you,
No it doesn't
but I can assure you that this way of thinking does not comply at all with the laws of some European countries. I'm talking especially about Germany, where I live, and I have to adapt my websites to the way the German law has interpreted the GDPR, not the way the GDPR is interpreted in Spain, for example.
I thought I was agreeing with you!
 

webbouk

Well-known member
Make the site 'Members only' and as part of the membership application (registration) it is accepted that cookies are used.
That way the user has the option whether or not to proceed with registration to gain access to the site knowing that cookies are and will be in use.
Just because you have a website does not mean it has to be made accessible to all in the public domain.
 

Cylon

Member
Make the site 'Members only' and as part of the membership application (registration) it is accepted that cookies are used.
That way the user has the option whether or not to proceed with registration to gain access to the site knowing that cookies are and will be in use.
Just because you have a website does not mean it has to be made accessible to all in the public domain.
yes, that is correct, but don't forget the second part of the GDPR: your privacy policy has to be very detailed, and you have to explain which cookies you are using, and for what they are used. It is not enough to mention that you use cookies.

The saddest thing is, that only 1% of the internet users care about all this stuff, and 99% of the internet users simply accept the cookie banner without reading the privacy policy nor worrying about it.
 

Kirby

Well-known member
yes, that is correct
No, it is not correct.

Make the site 'Members only' and as part of the membership application (registration) it is accepted that cookies are used.
You can't force users to accept data processing that is not necessary.

 

markoroots

Active member
The saddest thing is, that only 1% of the internet users care about all this stuff, and 99% of the internet users simply accept the cookie banner without reading the privacy policy nor worrying about it.
Cylon, sorry, but I don't agree with that. I think it is totally the contrary: now no one clicks yes anymore on the cookie banners, because people are beginning to understand what it means.
Personally, and I have discovered that many people I know do exactly the same, when I visit a site I always click on disable all cookies, or allow only the strictly necessary ones to let them measure the traffic, because there are tons and tons of these that collect your data on the internet for their own purposes, and now people are tired of this. In fact, when I cannot disable all the cookies on a site I go away, even if there is really important content I want to read.
If you go on the European sites where this law makes it mandatory to show this information, you can read what there is on a site, and if you check in the Partner section of the cookie banner you will see tons of these cookies that will be installed on your machine, and no one wants this anymore.
Just for example, let's take a site, "Thetimes" (but just as an example, because as everyone knows it is a great and famous newspaper), or also any other information site (but also other kinds) in Europe, but not only: you will see what you download on your device if you accept the banner without reading. Look at all the sections of this cookie banner and also the "Site Vendor" section; it is not the only site that has this, there are many more that use all those cookies, and you must be free to accept or not. Then, if you oblige the users to accept it as the only solution, more of them simply go away and you lose a lot of traffic; for this reason they have truly added the option to refuse the cookies, also as per law.

In our case (XenForo) we use really few cookies, so it is good to tell the users "hey, we use only these few cookies to measure the traffic on our site to make this...", showing them that you are not using hundreds or thousands of these files that are not necessary to view a site; then they are free to accept or not, but maybe by telling them that you use only a few cookies to make a few things work, also shown, maybe it will also be more cool for them to accept.

So it would surely be good to add some options to let us set the banner to be compliant with our laws, with a button to let users read all the cookies that are used and which are strictly necessary, and the option to accept or refuse them, to refuse all, or some of them. Because for now, for those who live in Europe, our default cookie banner is furthermore outside the law, and this is a big risk for us.
 

webbouk

Well-known member
Where do you draw the line as a website owner?
To all intents and purposes reading some of these comments you're pulling your pants down and waiting for the inevitable.
Operating a website should give you as much pleasure as it does the users. When it stops doing so and instead becomes a chore treading on eggshells, it's time to pull the plug.
 

wedgar

Well-known member
Where do you draw the line as a website owner?
To all intents and purposes reading some of these comments you're pulling your pants down and waiting for the inevitable.
Operating a website should give you as much pleasure as it does the users. When it stops doing so and instead becomes a chore treading on eggshells, it's time to pull the plug.
What if you moved your server out of the EU or changed to a server located outside of the EU, are you still subject to EU law?
 

Rhody

Well-known member
What if you moved your server out of the EU or changed to a server located outside of the EU, are you still subject to EU law?
I would think so, if it can be proven that the operator/owner is based in a place where the courts and laws are. But I am not a lawyer.
 

markoroots

Active member
Sorry @webbouk but your post wasn't clear to me. What do you mean?

@wedgar the problem is not where you have the server, but where the owner comes from. I'm Italian and have my VAT registered in Italy, so I rightly need to respect the laws of my country. Then I also don't think that it must be so difficult to add 2 or 3 options to the cookie banner.
 