GDPR discussion thread

Would that include Sendy (the interface to Amazon SES)? In that instance I have total control over (and sole access to) the email list.
As far as I am aware, as long as those details aren't being passed to a 3rd party (e.g. using Mailchimp) and are kept within your organisation, then that is fine.
They're still effectively passed to Amazon (SES) which is used for email sending, so that's a 3rd party with access to the personal info in their email logs.
 
They're still effectively passed to Amazon (SES) which is used for email sending, so that's a 3rd party with access to the personal info in their email logs.

If you're hosting with AWS you would already be within the AWS organisation so you wouldn't need to expand it as it would already be covered under your general T's and C's.

Obviously different if you are using an outside hosting company and only using SES just for emails.
 
That is something that I am not sure about as reading here: https://techblog.bozho.net/gdpr-practical-guide-developers/
Right, but from signing up to the ICO register (UK), it would seem as if the scope of "personal information" in terms of the GDPR is largely confined to things like name / physical address, not forum user names.

If I register to a site with user name "asdfklfsdnjkfdjkdfjnknjkasdb" then it's highly unlikely that the user name alone can be used to identify me as a person, by anyone other than the most ardent digital forensic scientist working for a government agency with access to ISP's IP-to-customer records.

In other words, if my understanding is correct, the requirements forum owners have to follow largely relate to whether we collect real name / address information for eCommerce purposes and if so, provide a method to delete said information (either via the back-end or via the regular UI).
The grey area in that case would be whether email addresses are classified as personal information, which I don't believe I saw specified in that article.
Personally, I am of the opinion that classifying email addresses as personal information is a bit silly, since you can make as many email addresses as you like, but that is just my opinion and has no relevance to anything, really :P

Other than IP addresses (and potentially email addresses), by default I don't believe forums collect any form of information that can be used by anyone to identify the person, by any stretch of the imagination.

I am not a lawyer so this post is 100% speculation on my part. I am interested in figuring this out, as DBTech is going to have need of a 3rd party email delivery service like Amazon SES for sending transactional and marketing emails (obviously marketing emails would use XF's 1-click unsubscribe and such).


Fillip
 
Agree, email address as personal data? Hm... IP? Ok.

I'm still thinking about this:
I'm not sure if it's really that innocent. "I agree with terms of use" will not be enough any more? Possibility to export user's data at any time? etc.

What about forums that are using ads like AdSense? The AdSense script automatically adds tracking cookies, and the forum owner is responsible for that?

EU version priced in USD with no visible way of changing to GBP or EUR. u wot m80s? :p


Fillip
:) What bothers me more is pricing and changing the free plan limits for a new account. On a US account I have a daily limit of 5.000 emails and monthly 100.000. Now for a free EU account, they offer you only 750 emails for the daily limit and 5.000 per month.

I think GDPR is more than welcome to some companies for making extra profits.
 
So using transactional email service won't go with GDPR?
It goes. The point of the GDPR is to improve transparency of how consumer data is being used and give consumers more control over their own data. You just need to disclose the transfer of data to 3rd parties.

I am not sure if you need to name the external organisations or if a generic line like "your name and email address may be passed to a vetted 3rd party used for sending emails" would suffice.

---

Right, but from signing up to the ICO register (UK), it would seem as if the scope of "personal information" in terms of the GDPR is largely confined to things like name / physical address, not forum user names.

If I register to a site with user name "asdfklfsdnjkfdjkdfjnknjkasdb" then it's highly unlikely that the user name alone can be used to identify me as a person, by anyone other than the most ardent digital forensic scientist working for a government agency with access to ISP's IP-to-customer records.

In other words, if my understanding is correct, the requirements forum owners have to follow largely relate to whether we collect real name / address information for eCommerce purposes and if so, provide a method to delete said information (either via the back-end or via the regular UI).
The grey area in that case would be whether email addresses are classified as personal information, which I don't believe I saw specified in that article.
Personally, I am of the opinion that classifying email addresses as personal information is a bit silly, since you can make as many email addresses as you like, but that is just my opinion and has no relevance to anything, really :p

Other than IP addresses (and potentially email addresses), by default I don't believe forums collect any form of information that can be used by anyone to identify the person, by any stretch of the imagination.

I am not a lawyer so this post is 100% speculation on my part. I am interested in figuring this out, as DBTech is going to have need of a 3rd party email delivery service like Amazon SES for sending transactional and marketing emails (obviously marketing emails would use XF's 1-click unsubscribe and such).


Fillip
Email addresses weren't under DPA1998, but I believe they are by GDPR. As are IP addresses.

Sure, asdfklfsdnjkfdjkdfjnknjkasdb may not be identifiable, but something like "johndavies1991@gmail.com" is.

I don't think the GDPR is really scary, it's a good initiative to hold businesses accountable for the data they've been entrusted with. It should've been implemented a long time ago, but I'm glad the EU is finally doing it now. The point of the GDPR isn't pointless bureaucracy, but to hold businesses accountable. For smaller businesses, a clear effort to protect the personal data of its consumers should suffice, assuming there is no negligence, but IANAL.
 
I don't think the GDPR is really scary, it's a good initiative to hold businesses accountable for the data they've been entrusted with

Quite, people all over are losing their minds, because they engaged in shady practices and now they know they might be called to account for it.

Your average day to day forum owner is never going to notice the GDPR in any meaningful way.
 
Our commercial team are telling us that the GDPR will be a good thing from a financial perspective. At the moment, people can place ads on our forum via Google AdEx, targeting people with specific interests from the information gathered about them elsewhere on the ‘net. With GDPR, advertisers will have much less information about viewers that they can use to target their ads, so will need to come to us directly to put their ads in front of the right people.
The XenForo cookie notice required some years ago was a nice, easy solution. What we need now are some templates for the various notices we need to have available for people to read. Cookie notice, privacy policy and advertising policy with GDPR taken into account. And whatever else is needed. Don’t even know what that is, yet.
 
Is XenForo planning on releasing anything for us to help with GDPR templates too? Such as new terms of service or conditions of use etc?
 
public posts are not "personal data"
I also thought and was allowed to learn from a or media law. Every post, every topic and every profile message falls into the area of personal data, since it was created traceably with an account and an IP address. I didn't want to believe it, but I had to accept it.

At the moment we are trying to create a list of all needed features for XenForo 2, together with a lawyer, for getting all points caught for German XenForo customers.
 
At the moment we are trying to create a list of all needed features for XenForo 2, together with a lawyer, for getting all points caught for German XenForo customers.
That would be useful. Like said, I think XF should take care of that part in the core. XF is located in the UK, so it needs to be GDPR consistent also for users on this forum.
 
I also thought and was allowed to learn from a or media law. Every post, every topic and every profile message falls into the area of personal data, since it was created traceably with an account and an IP address. I didn't want to believe it, but I had to accept it.
Whilst you can trace posts/topics/profile messages to an account (obviously) and that account to IP addresses used, that doesn't mean that these are personal data. IP addresses are, for most people, dynamically assigned by their ISPs and these IP addresses change (very few ISPs give static IPs to households). In addition, you can't identify the precise individual from the IP address as there are usually several people at that household. Even if you did have the IP address, you'd have to be the assigning ISP to be able to identify exactly which household has been given that IP address on any particular day.

In addition, posting something that isn't specifically personal (such as a general comment) still isn't personal data in itself as it can't identify that individual (as pretty much anyone could post the same thing). It's only when you post personal details in a post that makes that person potentially identifiable by others.

Removing a user name (changing it to something like retireduser1), any personal details from their account (email address etc) and removing any IP addresses would generally be enough should anyone ask for their accounts to be deleted (if your policy is in fact not to delete accounts). They cannot require you to delete all of the posts that they have made.
 
XF is located in the UK, so it needs to be GDPR consistent also for users on this forum.
They don't need to, because of the Brexit process.

posts/topics/profile messages
It is not enough to remove the name or the ip address.

They cannot require you to delete all of the posts that they have made.
Yes, they can. Please talk to a lawyer of your choice. I wasn't very happy hearing this.
 