GDPR discussion thread

I'm hoping that what I heard on the radio recently is right: a spokesperson for the ICO said their policy will be educative rather than punitive - the heavy fines will be for those companies that continue to flout the rules in spite of a few warnings.

I don't think they will be trawling the internet looking for forum owners and investigating them, however our main worry would be users making vindictive reports.

The ICO have stated that many times - education is the best way forward and punitive action will only be levelled at those who allow data to be exploited in ways that could have been prevented.

It takes some time to get your head wrapped around this regulation, but once the penny drops a lot of clarity comes into view. It just takes time, lots of time - far too much time lol, but you do get there in the end.

;)
 
One thing that concerns me is that I presume this is not compliant:

reg.webp


For us this has been important because people joining the forums are often not aware they would otherwise have to go into their preferences and opt in. So they post, and then forget about the forum because they don't get notifications of replies.

In my experience all forums I have joined make you automatically subscribed to notifications of replies to your posts.

If the above default (needing "opt out") is not compliant, then we need to have something very obvious to opt in to notifications on the registration form.
 
Another thing struck me though. As registering for a forum is not compulsory, isn't the mere act of registering a form of opting in?

For example what if the registration form says "if you want to join, you will receive a monthly newsletter and notifications, and your location will be displayed publicly, do you still want to register?"?
 
Good point, I was thinking about the same thing, to add a notice on registration form that you'll be subscribed to newsletter if you join. But that's not opt-in for users, I guess.
 
> Good point, I was thinking about the same thing, to add a notice on registration form that you'll be subscribed to newsletter if you join. But that's not opt-in for users, I guess.

No, but for existing users, if you are sending a newsletter they didn't opt in to, then presumably before GDPR takes effect you need to send a mail saying they need to opt in to continue getting the newsletter.

I'm getting quite a few of these now as people panic to become compliant.

My own mailchimp list has a lot of people I added myself, based on them being a customer. So I'm planning to send an email saying they need to now opt in, and just after the email is sent I will remove them all from the list so they can rejoin if they want.
 
> One thing that concerns me is that I presume this is not compliant:

Does unchecking the ‘Receive site mailings’ default impact the registration confirmation email? If not I’m happy to turn all this stuff off by default and let users opt into whatever they want (I never send bulk email of any description).

PS My main fear here is the ‘right to vanish thing’ and whether users can demand bulk post deletion which may actually render the technical areas of my site highly dangerous if key safety info or advice were to vanish randomly from threads without trace.
 
> Does unchecking the ‘Receive site mailings’ default impact the registration confirmation email? If not I’m happy to turn all this stuff off by default and let users opt into whatever they want (I never send bulk email of any description).

> PS My main fear here is the ‘right to vanish thing’ and whether users can demand bulk post deletion which may actually render the technical areas of my site highly dangerous if key safety info or advice were to vanish randomly from threads without trace.

I was probably wrong about site mailings being checked by default. I think the opt in requirements may only be in regard to marketing email lists.
 
> PS My main fear here is the ‘right to vanish thing’ and whether users can demand bulk post deletion which may actually render the technical areas of my site highly dangerous if key safety info or advice were to vanish randomly from threads without trace.
Right to erasure applies to personal data. If data is anonymised its processing isn't subject to objection. Users can request deletion of their identifiable data (email, username, IPs). They can't request deletion of posts. There are ways to continue processing data without consent, namely "legitimate interest".

--

With emails, you can send transactional mail as normal. Things like updates of privacy policy, terms, or emails sent directly due to actions by a customer (e.g. a purchase of something) can always be sent until a user closes their account, etc. It's just marketing mail that you need changes on.
 
> With emails, you can send transactional mail as normal. Things like updates of privacy policy, terms, or emails sent directly due to actions by a customer (e.g. a purchase of something) can always be sent until a user closes their account, etc. It's just marketing mail that you need changes on.
But I guess that will not be ok if you use transactional email service like SendGrid, SparkPost etc., right?
 
> But I guess that will not be ok if you use transactional email service like SendGrid, SparkPost etc., right?
If you're using those services for transactional mail I don't see a problem.

I'd personally wait to see what larger sites do as they update their privacy policies. Since they've actually consulted lawyers and consultancy firms (as they have the funds to do so) they're a good basis to see what really needs to be included in a policy. Over the last week I had at least a dozen emails of privacy policy updates from relatively large services. A skim through those should suggest what extra things a policy needs. A lot of these aren't sending mail themselves and might use something like SES or MailChimp etc. See if they named them by name, or if they just generically referred to external email processing services. It's a good basis to decide how you need to restructure your policy.

There's nothing wrong with using external services (for transactional or marketing). Just disclosure may be required and (for marketing) additional opt-out or opt-ins might be also.

Edit:

For all those interested, Stripe is always good at writing guides. I found this one to be pretty good: https://stripe.com/guides/general-data-protection-regulation
 
> I'd personally wait to see what larger sites do as they update their privacy policies. Since they've actually consulted lawyers and consultancy firms (as they have the funds to do so) they're a good basis to see what really needs to be included in a policy. Over the last week I had at least a dozen emails of privacy policy updates from relatively large services.
Indeed, for the last two weeks I too have been inundated and most of them are pretty much the same. Aside from the ones which are mentioning that you do not need to do anything if you're happy to continue use of their services etc.
It makes for good reading for us as we can determine what we should be doing.
I think we're pretty much ready for it, I think I have covered all angles as best I can. It's taken some time to get down on paper and then onto our T&C's etc though. So anyone who hasn't done it as of yet, be prepared to set aside some time to re-write your ToS with extra bits here and there.
 
Hi Xenforo staff.

What actions are XF taking to support forum owners with the upcoming GDPR deadline on 25th May.

If nothing, please say so, then I will look at resolving with support from others.

If something please list what, so I don’t duplicate work.

Thanks
Rob.
 
Yes, as the guy on the phone said, the right to be forgotten is not an absolute right to total erasure of all content you post online.

Do you have anything in writing from the ICO? It is nice to hear that somebody said something on the phone, but I would prefer to base my future actions on something written to be on the safe side ;)


@snoopy5, are you planning to shut down any forums you own and remove this information from your database until you get the answers you're looking for?

Because if you're not, I don't understand your immediate need for answers.

I do not know how you run your forums, but I prefer to know what is coming around the corner and might hit me badly, to plan actions NOW to defend myself. We have only 4 weeks left. I do think that this is not too early ;)

Even if it turns out that we do not need to change anything, it helps a lot if users start to play that game and you know for sure what you are allowed to do and what not. At least I prefer that instead of discussing this for weeks with my users because nobody knows anything for sure.

This is actually the job of the admin/forum owner: Thinking ahead, making plans what can happen in the future, act according to law etc.. Don't you think so?

In Germany there are regional authorities for data protection. And these are not sleeping. If a user calls them, you have a nice discussion with them if you are not prepared. Even if the user lied. You are busy proving that he is wrong and you are right. They have the power to shut your site down, give you a fine etc., whether I like it or not. They act even with small forums.
 
What I do not understand is that in this thread everything regarding GDPR is played down, but at the same time I see new paid addons for XF1 and XF2 to improve the software to be in line with GDPR. Kind of contradictory, don't you think?

What exactly does this "...mostly compliant" mean? I am not a native speaker, but for me this means not everything in the software is GDPR compliant...

GDPR_addon.webp

50 bucks for the addon plus 100 if you need advice is not cheap. I have nothing against that addon and I welcome that someone makes the effort to offer something for GDPR security.

It just feels strange to read here everything is o.k. with the forum software and then read at the same time in the Resource manager that actually not everything is o.k.
 
> It just feels strange to read here everything is o.k. with the forum software and then read at the same time in the Resource manager that actually not everything is o.k.

Everything on a stock XenForo install is fine, the only thing we are keeping an eye on is the portability rules.

However XenForo cannot be responsible if you use 3rd party services which may require you to alter your GDPR policies accordingly, which is what my addon is aimed at.
 
> Everything on a stock XenForo install is fine, the only thing we are keeping an eye on is the portability rules.

> However XenForo cannot be responsible if you use 3rd party services which may require you to alter your GDPR policies accordingly, which is what my addon is aimed at.

Hi Slavik,

I just got the alert that my thread was merged with this one. I do not think that it was a good idea to merge two separate threads into one now. We had in my original thread of March 2018 a few very specific points raised, especially - among others - the missing unsubscribe link in the sitemailing Emails of XF1.5x.

After this merge, it is very confusing to follow this thread now because everybody talks about different things and it is hard to keep focus. I do not want to "chat". I do want to get problems solved. Watering the thread down by merging it with another more general GDPR thread is not a service and does not help at all.

Obviously also my old title:

Xenforo 1.5x not in line with the European General Data Protection Regulation (GDPR), as of May 25th 2018

is very different from this general GDPR title and we all know what this means. Many pages with no outcome, no results, because there is nothing to stick to, no goal, nothing to nail down.

My point is explained here at the beginning:

https://xenforo.com/community/threads/gdpr-discussion-thread.142396/#post-1229964

I am glad that you now offer a paid addon for having an unsubscribe link also in XF1.5x for the sitemailing Emails. But I would have found it better, if this had been added to the core for free, to be fair ;)
 
By the way, all old links to the old thread are not working anymore. If you merge normally two threads the links do not get broken, it just leads to the "new merged mega thread", right? So why not here?
 
> I was probably wrong about site mailings being checked by default. I think the opt in requirements may only be in regard to marketing email lists.

Do not get confused by words. What you understand with the word marketing is something different to what lawyers understand under this word.

Sitemailings are marketing emails. What kind of content you send them is not as important as how many users get the very same email at the same time. As soon as it can be interpreted as "massmailing", you will have a hard time to argue.
 
From what I can see, even the major companies like Google and Facebook are looking at GDPR as a process. There's a lot of stuff not yet in place. For example, Instagram is going to have a data portability product that lets you download all your own content, but it isn't going to be ready for May 25th.

I'd be very surprised if May 25 comes, and the EU nations all start to fine everyone left and right on day 1. The adverse reaction would be swift, and it's not as if the rest of the world is powerless.

So hopefully the XenForo developers will pay attention to what other platforms offer in response to the GDPR, why those other platforms show those responses, and how the courts handle the application of the GDPR. If the XenForo developers watch the developments, keep an open mind, and do the right thing, I've no doubt that we will see some additional tools in the core to help us navigate the new regulations. If not, then their competitors will have an advantage.

But again, it looks like it doesn't all have to be there for May 25. The sky isn't falling.
 