Opt-In Cookies, Tracking, Receive saved Data - GDPR, DSGVO - European Law.

hibiskus

Active member
1.
I want to alert the community, because I got a mail where one guy wanted to receive all his saved data, because now it is his right.
And he tried that for the simple reason of seeing if he can sue me, because he literally said in the 2nd mail that he gives me another 48 for the response or he will sue me.

I had phpBB before, and for the last 14 years it has been led by Germans, and it was updated a few days before the law came into effect, to be law compliant in advance.
One of the changes was that every user can download all his saved data, all the posts he ever made, with a simple click from the profile panel.


So now I switched to XenForo 2 and I have to do it manually? And every time I fly on holiday I have to fear now that I can't answer a data request soon enough and get sued?

Please, you have to implement that too. Facebook also has a button for that; in phpBB it is out of the box because they are very strict when it is about laws, and there are many trolls who will wait for it.

This is the Article 15 of GDPR - Right of access by the data subject - https://gdpr-info.eu/art-15-gdpr/


2.
Opt-in for cookies, where you have to accept cookies and analytics, should also be out of the box; technically you are selling EU law non-compliant software.
Especially when you have Google Analytics integrated, still everybody is free to use it, but out of the box I can't use it in an EU law compliant way.
And it is very, very simple, I guess, to implement that; you are using it on your page too? Am I missing the settings for that, or is this custom?
Also, one where you can accept and not accepting doesn't have an effect is also not compliant with the law, but better than nothing.
But one example of how it should be done, and which is more than 100% GDPR compliant, can be found at - https://forums.macrumors.com
When you press "Show Purpose" you get a full selection where you can tick off everything: normal cookies, tracking cookies, analytics ...


This is the Recital No 32 of GDPR - https://gdpr-info.eu/recitals/no-32/

Those 2 things are essential because out of the box XenForo 2 is not GDPR compliant, not anymore at least, especially in strict Germany & Austria.
Since XenForo wants money for debranding, which I understand, but it makes it easy for a troll lawyer or hacker to find a suable or exploitable target.
 

RobParker

Well-known member
Public posts on a forum are not personal data as defined by GDPR.

They don't have a (EU/UK) legal right to download "all their data". They have a right to get any information you have on them like their name, email address, date of birth, etc and XF now has an in-built system to provide that to them.
 

hibiskus

Active member
Public posts on a forum are not personal data as defined by GDPR.
That might be true, but I am sure it is seen as good practice; Facebook does it too, and phpBB also implemented it not without a reason.

They don't have a (EU/UK) legal right to download "all their data". They have a right to get any information you have on them like their name, email address, date of birth, etc and XF now has an in-built system to provide that to them.
Yeah, but is this done automatically, by the user himself, with one click? Or do I have to respond manually to a mail and download his files first from the admin panel and send them over by mail?
 

AndrewSimm

Well-known member
My recommendation is to provide him with what XF allows you to provide. Next, I suggest deleting his account and then notifying him that his account has been deleted and that you request that he no longer access your site. I suggest IP banning him as well.

I don't play games with users that threaten lawsuits.
 

djbaxter

Well-known member
My recommendation is to provide him with what XF allows you to provide. Next, I suggest deleting his account and then notifying him that his account has been deleted and that you request that he no longer access your site. I suggest IP banning him as well.

I don't play games with users that threaten lawsuits.
I wouldn't recommend this, although I agree with the sentiment. Banning and IP banning may well be in violation of the GDPR too. Under the GDPR, he has a right to request that any identifying information be divulged for any site. It's a PITA but you can't refuse to provide it if the site falls under the GDPR and taking punitive action against someone for exercising his legal rights under the GDPR might get you into more trouble, just as refusing to delete his account information would be a GDPR violation.

What you can do:
  1. point him to your GDPR, privacy, and cookies notices for information on what's collected
  2. use phpMyAdmin to export his information; then gzip it and make it available for download from your site for a very limited time before you delete it from the site
  3. use the XF built-in discouragement system, which is less transparent, to annoy him until he leaves voluntarily or requests account deletion :)
 

AndrewSimm

Well-known member
I wouldn't recommend this, although I agree with the sentiment. Banning and IP banning may well be in violation of the GDPR too. Under the GDPR, he has a right to request that any identifying information be divulged for any site. It's a PITA but you can't refuse to provide it if the site falls under the GDPR and taking punitive action against someone for exercising his legal rights under the GDPR might get you into more trouble, just as refusing to delete his account information would be a GDPR violation.

What you can do:
  1. point him to your GDPR, privacy, and cookies notices for information on what's collected
  2. use phpMyAdmin to export his information; then gzip it and make it available for download from your site for a very limited time before you delete it from the site
  3. use the XF built-in discouragement system, which is less transparent, to annoy him until he leaves voluntarily or requests account deletion :)
My first sentence is "My recommendation is to provide him with what XF allows you to provide."

I have never seen any such law that prevents a website from banning users.
 

djbaxter

Well-known member
I have never seen any such law that prevents a website from banning users.
I didn't say there was any law against banning. I said if you banned someone as a punitive measure for requesting information under the GDPR, you might very well find yourself the target of GDPR action for punishing someone for a legitimate and lawful request.

Sites that fall under the GDPR have to tread carefully. The law has a lot of power, up to and including the power to shut down a noncompliant site or levy heavy financial penalties. Is it really worth testing that power?
 

AndrewSimm

Well-known member
I didn't say there was any law against banning. I said if you banned someone as a punitive measure for requesting information under the GDPR, you might very well find yourself the target of GDPR action for punishing someone for a legitimate and lawful request.

Sites that fall under the GDPR have to tread carefully. The law has a lot of power, up to and including the power to shut down a noncompliant site or levy heavy financial penalties. Is it really worth testing that power?
You would be banning them for threatening litigation not for asking for their data.
 

Slavik

XenForo moderator
Staff member
find yourself the target of GDPR action for punishing someone for a legitimate and lawful request.
Specifically what part of GDPR? A site is well within their remit to delete data they control and refuse access to anyone they please for any reason.
 

AndrewSimm

Well-known member
Do you really want to get involved in a discussion about that with the GDPR office?
You have to draw the line between assisting users with their "right" (GDPR) and users throwing out threats to sue. I would be more than happy to provide users with the export that XF provides, and my site is based in the US and has no obligations to do this. What I would not do is put up with threats. I suggest providing the users with the XF export and then providing them an email where they can send legal correspondence. Explain to them that because of the threat of litigation you can no longer directly communicate with them and that they are banned from your website.
 

hibiskus

Active member
My recommendation is to provide him with what XF allows you to provide. Next, I suggest deleting his account and then notifying him that his account has been deleted and that you request that he no longer access your site. I suggest IP banning him as well.

I don't play games with users that threaten lawsuits.
48? Hours I assume. Not sure where this is, as to the best of my knowledge an organisation has up to 30 days to reply, so a user setting arbitrary deadlines for responses is pointless also.
This was just a bored guy, who just saw some contrast after the update and thought he can try to test his opportunity and my response time.
But I am afraid he won't be the last one, since there is no really maintained add-on, nor is it included out of the box in XF, so with non-removable branding (for poor people like me at least), XenForo users are a good target for troll lawyers: easy to find and with nothing prepared against it.

1. So is there no way to hand over their own private data automatically, similar to the phpBB user panel? What if I am on holiday or in a coma? I was lucky in my case to respond fast enough.
2. Is there a way to have opt-in (accept cookies), like any add-on or out of the box? How is it solved here, as an example, is that custom? And how did https://forums.macrumors.com solve that, is that a custom version, or am I blind and can't find it in resources?? Because MacRumors is the most sympathetic one; I haven't seen that kind of policy acceptance for the first time. They are one of the only ones which are fully GDPR compliant, out of question, even better. As an example, Coca-Cola is a multimillion concern; I am sure they have much better lawyers than we or XenForo ever could afford, and they use the same scheme. - https://coke.com
Bildschirmfoto 2019-05-04 um 20.16.09.png


Even Google, one of the biggest and oldest tech giants, uses a similar concept.

Bildschirmfoto 2019-05-04 um 20.22.00.png

MacRumors, which I like the most, and they even use XenForo, is on top in the opening post. So this is also a proof of concept; how did they solve it, I am asking myself really hard.
 

hibiskus

Active member
Can someone explain to me how MacRumors solved that?
Is that an add-on, or is that custom made?
If it is custom made, why the **** are they not selling it or putting it out for free?
I mean I am really afraid of trolls, since it is kind of a German sport to sue random people on the internet!

I am also shocked at how this topic got ignored by the team.
 

hibiskus

Active member
@hibiskus, maybe you ask MacRumors itself or the style developer (@ThemeHouse) how they do that.

Or maybe do it by yourself.. ;)
I wrote to the Director of MacRumors 20 minutes before your post.
I have a good connection to ThemeHouse; I will write to them now too, since they do the cleanest work in the whole XF scene, they are my only hope.

But I think you do not fully understand my intention: XenForo is, in my opinion, officially selling illegal software.
When I want to sell clothes here in Austria or Germany I have to print washing info in German to be EU law compliant, and you have to add a label; it is law.

I am 100% sure, out of question, that if I go to court right now and say they are selling non EU law compliant software, they will agree with me, and maybe force sanctions.

It is EU law, you must be able to opt out! This is a fact, and XenForo not being compliant is also a fact.

Can you explain to me why they implemented the dummy version out of the box?
Yes, you guessed right, they tried to be GDPR compliant, but they failed; it is in fact not compliant.

MacRumors are the only ones who really read and fully understood the law in the right interpretation... do you think they added that for fun?
ThemeHouse devs cost around 130€ an hour; this add-on for MacRumors must have cost thousands.
Do you think they did that for fun?

Learn to read, or if you can't understand law text, get some valid professional person @mcatze @XenForo

I just want to help thousands of other people, and I want a clean solution where maintaining it is low cost. With every update I might have to give ThemeHouse another thousands while others get sued. You think in too small dimensions. @mcatze The next time you need heart surgery I will give you the same advice, "Just do it on yourself.. ;)🥴" Meanwhile, I will have forced robots who will do that on my heart and a thousand others for a coffee bill at the next corner stop.
 

hibiskus

Active member
ACP => Options => Basic Board Information
I already wanted to mention that I found that option, also in case somebody else needs it.

But the problem is this is still just a dummy, and still not GDPR compliant in the broadest sense.

Again: Recital No 32 of GDPR - https://gdpr-info.eu/recitals/no-32/
...
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
...

By default XenForo 2, and even the official site here, use as "opt-in" phrase "By continuing to use this site, you are consenting to our use of cookies."

This is fully, 100% not GDPR compliant; I spoke with 2 lawyers, but they said at the moment it is not looked at very strictly, more at the big companies, but both said it is just a question of time until trolls will sue the **** out of it.

This is really negligent! And there is a reason why it was a really big thing in the phpBB community and also why thousands of dollars were paid by MacRumors. Because they are not negligent and can interpret law text 100% correctly like a fully-grown man!
 

Masetrix

Well-known member
ACP => Options => Basic Board Information
That's invalid/ineffective


Ineffective consent

There is no legally binding requirement for how a cookie notice has to look. In any case, an effective consent requires that the website visitor actually has the choice to decide whether or not to allow cookies. He must therefore also be able to refuse the setting of cookies that are not strictly necessary. Many notices, however, cover almost the entire content of a website in the form of a large layer and only offer the option of accepting cookies via a single OK button. Without consent, the website thus cannot be used. In such cases the consent is not deemed to have been given voluntarily and is therefore ineffective (invalid).
 

Kevin

Well-known member
Thats invalid/ineffective
There is no legally binding specification as to how a cookie hint should look like
Even if it was "ineffective" it doesn't mean it is not meeting the requirements legally.
Again: Recital No 32 of GDPR - https://gdpr-info.eu/recitals/no-32/
...
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
That stock XF cookie notice? That is a pretty big & clear statement which indicates the context in which a user is or is not accepting the terms.
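Read together, the Recital 32 text quoted in the last two posts and the "must be able to refuse non-essential cookies" point from the German excerpt boil down to a few rules a consent banner can be tested against: nothing pre-ticked, no consent until an affirmative act, refusing as easy as accepting, consent granular per purpose, and withdrawal possible. The block below is an added example in JavaScript, not XenForo's code and not MacRumors' add-on; the cookie name, the three purpose categories and the storage adapter interface are assumptions.

```javascript
// Added example, not XenForo's or any poster's code: a small consent manager that
// encodes the Recital 32 points argued in this thread. Assumed names: the cookie
// "cookie_consent", the three purpose categories, and a storage adapter you supply
// (an object wrapping document.cookie in a browser, or an in-memory Map in tests).
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const CONSENT_KEY = 'cookie_consent';   // assumed cookie name
const POLICY_VERSION = 1;               // bump when purposes change; older records then count as "no decision"

function createConsentManager(storage, now = () => Date.now()) {
  function load() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null;                       // silence / inactivity: no decision recorded
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;                               // a corrupt value is treated as no decision
    }
  }
  function save(choices) {
    const rec = { version: POLICY_VERSION, decidedAt: now(), choices };
    storage.set(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }
  // Only an explicit boolean true counts as opting in; anything else is a refusal.
  function normalise(choices) {
    const out = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') out[c] = choices[c] === true;
    }
    return out;
  }
  return {
    // What the banner should render: nothing pre-ticked except the locked "necessary" row.
    bannerState() {
      return CATEGORIES.map(c => ({ category: c, checked: c === 'necessary', locked: c === 'necessary' }));
    },
    hasDecision() { return load() !== null; },
    // Strictly necessary cookies need no consent; everything else needs a recorded true.
    isAllowed(category) {
      if (category === 'necessary') return true;
      const rec = load();
      return rec !== null && rec.choices[category] === true;
    },
    acceptSelected(choices) { return save(normalise(choices)); },
    acceptAll() {
      const all = {};
      for (const c of CATEGORIES) all[c] = true;
      return save(normalise(all));
    },
    rejectAll() { return save(normalise({})); },   // refusing is one click, same as accepting
    withdraw() { storage.remove(CONSENT_KEY); },   // withdrawal is as easy as giving consent
  };
}

// Gate any non-essential script (analytics tag, ad pixel) on the recorded decision.
// Returns whether the loader actually ran.
function runIfAllowed(consent, category, loader) {
  if (!consent.isAllowed(category)) return false;
  loader();
  return true;
}

// In-memory adapter with the same get/set/remove shape a document.cookie wrapper would expose.
function memoryStorage() {
  const m = new Map();
  return {
    get: k => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: k => { m.delete(k); },
  };
}

module.exports = { createConsentManager, runIfAllowed, memoryStorage, CATEGORIES };
```

In a browser, pass an adapter whose get/set/remove read and write document.cookie (path /, SameSite=Lax), and call runIfAllowed before injecting the analytics tag rather than after the page has already loaded it. The consent record itself is generally treated as strictly necessary, since it exists only to honour the visitor's choice; note that the stock "by continuing to use this site" wording maps onto hasDecision() returning false, under which this code loads nothing non-essential.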
 