adamsmasher
Active member
Not surprising. Fortunately, if you're already covering all the bases for GDPR you should be in fine position for this.
GDPR discussion thread
- Thread starter 7ore
- Start date
Davyc
Well-known member
First part - no! A simple link saying we use cookies with a link to show users how to block/delete them is no longer enough; I believe this is the part that is causing the most concern. Apparently you are supposed to ask for explicit permission for cookies to be dropped - before they say yes or no - no cookies are supposed to be dropped; how the hell can we know the complete workings of the software we're using as to whether this is the case or not - unless the developers tell us. You are also supposed to name all of the cookies being dropped by using your site in a privacy policy.
For banned users there is a legitimate reason for retaining their data, to stop them from re-registering or gaining access to your site (the re- registering part is easily circumvented though if they are bright enough lol).
As far as scanning every single post for PII that's not going to be easy, or even possible, so I'm not sure where the onus would lie there; both parties could be equally responsible, but then if people are stupid enough to post PII on an open forum then, for me, the onus should be on them to find them and point them out; the law may have a different viewpoint, so that would need to be checked out.
Lukas W.
Well-known member
Simple check: Install a cookie editor add-on (or use the developer tools of your browser if you're familiar with them) and delete all cookies of your page. Open your page and check your cookies again. If cookies are set, then they have been without you consenting to them. For XenForo, this would be the session and the csrf cookies, that are automatically generated the first time you visit the page.
In my honest opinion this task should have been delegated to browser developers instead though. It's way easier to implement this in a general manner for a browser than individually for each piece of software and it would also give the user a general "just allow them all ffs" type of option.
RobinHood
Well-known member
Here’s what WordPress is doing. Sounds like they’ll end up doing quite a lot and also adding tools to help admins manage and be transparent about what add ons are also doing with user data.
https://wordpress.org/news/2018/04/gdpr-compliance-tools-in-wordpress/
An interesting read here on their roadmap about their plan to implement some of this
https://make.wordpress.org/core/2018/03/28/roadmap-tools-for-gdpr-compliance/
Seems like a good roadmap system, it has links off to each ticket issue where admins and devs can comment and leave feedback
https://wordpress.org/news/2018/04/gdpr-compliance-tools-in-wordpress/
An interesting read here on their roadmap about their plan to implement some of this
https://make.wordpress.org/core/2018/03/28/roadmap-tools-for-gdpr-compliance/
Seems like a good roadmap system, it has links off to each ticket issue where admins and devs can comment and leave feedback
BassMan
Well-known member
This looks promising: https://xenforo.com/community/resources/kl-admin-tools.6352/
From XF? Nothing very official as I recall. But believe they will make some statements, maybe even some new core features for this thing. You never know.
From XF? Nothing very official as I recall. But believe they will make some statements, maybe even some new core features for this thing. You never know.
RobinHood
Well-known member
I wonder if this legislation will kick older forum sites into gear and force them to upgrade and accelerate any planned upgrades to a 2018 release of their forum software of choice.
This could end up being a massive boost for online communities if gets admins to upgrade to the latest GDPR compliant software, and at the same time they could upgrade their entire server stack so they're on PHP 7 etc., accelerating the development of modern features.
If users start making demands about having control over their data and the tools aren't there on older platforms, admins are going to have to find an upgrade path to software that will satisfy these demands. Good GDPR compliance tools could be a big selling point.
I've had 3 emails today from various companies about GDPR. I think a lot more lay users than we may realise will be getting informed about this over the next few months as the companies they work for start to educate them about it for their own internal company use.
This could end up being a massive boost for online communities if gets admins to upgrade to the latest GDPR compliant software, and at the same time they could upgrade their entire server stack so they're on PHP 7 etc., accelerating the development of modern features.
If users start making demands about having control over their data and the tools aren't there on older platforms, admins are going to have to find an upgrade path to software that will satisfy these demands. Good GDPR compliance tools could be a big selling point.
I've had 3 emails today from various companies about GDPR. I think a lot more lay users than we may realise will be getting informed about this over the next few months as the companies they work for start to educate them about it for their own internal company use.
Last edited:
Mr Lucky
Well-known member
So what about all those thousand of forums on vbulletin 3 & 4 I wonder?
Lukas W.
Well-known member
I'd welcome that. Even though I come to believe that the administrators who procrastinated updating their software for the last few years for security reasons will see any motivation to do so now until GDPR actually stomps in their front door.
StarArmy
Well-known member
Unfortunately default Xenforo's biggest holes is a lack of search for conversations so this only works for posts. I have over 15,000 conversations to go through, IIRC.
Last edited:
adamsmasher
Active member
Fortunately you can delete all the conversations for a user in admin. Although like my previous comment I'm not sure how you would export that and provide it to a user if they wanted it.
Mr Lucky
Well-known member
Does that delete the entire conversations? ie the user and all recipients leave those conversations, or are they still in the recipients' inbox and so so some personal infpo may still be around.
Lukas W.
Well-known member
As far as I am aware this option physically deletes all conversations that have been started by that particular user, but not all that he has participated in.
Mr Lucky
Well-known member
OK, so technically not quite fit for purpose re:GDPR? Mind you, I'm of the opinion that you don't need to delete user content provided you anonymised them, ie removed profile and changed username and password.
Lukas W.
Well-known member
Agreed.
As we tend to name conversations "Private Messages", we're implying that users are free to share their private details there though, so we should consider that they have shared private information through these in the past. Additionally, it's not totally obvious for all users that "leaving" a conversation does not fully delete the conversation and they also have no indications which of their old conversations still exist.
Mr Lucky
Well-known member
I address that in my Privacy Policy:
Personal Conversations (PCs)
Please note that while personal conversations are not visible publically or to other members of the forum (except to those people in the conversation) it is possible for forum and/or server administrators to access conversations which they would only do under exceptional circumstances (see below).
For this reason we do not actually call them “Private” – although they are just as private as on any other forum software or social network.
Please note that this isn’t just us, the ability for admin to view personal messages is common to any similar forum software. Our policy is not to read personal conversations or allow any third party access unless exceptional circumstances require it, however you are advised to be aware that nothing you say in personal conversations on this, or other forums, is truly private. If you want to discuss completely private matters with other members, then you are advised to do so via email, telephone or other forms of communication.
Exceptional Circumstances
Include but are not limited to:
- Requests from law enforcement agencies with the appropriate warrants.
- Any action needed to be taken by admin to ensure the legality and security of the forum, for example if there are good grounds to suspect fraudulent activity.
Robust
Well-known member
The GDPR does not override any legal obligations, obviously.
If you are required to retain information for legal reasons, such at VAT MOSS compliance or other accounting legislation, it overrides certain rights provided by the GDPR (e.g. the right to be forgotten) -- the business can retain the essential information required to comply with this legislation. There are exemptions in the GDPR for this. There is nothing contradictory here.
Additionally, regarding another response you made, you cannot rely on PayPal to collect and retain that information for you. You are to retain that information yourself. By the way, as the first link you linked mentions, I'd recommend collecting 3 pieces of data. Often 2 can be contradictory, and you don't want to have to reject a transaction. If you collect 3, there's a higher chance that 2 of them will be the same.
Last edited:
