Upcoming changes for GDPR compliance in XF1 and XF2

The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is coming up in XenForo 1.5.20 and XenForo 2.0.6.

What is the GDPR?
The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU.

But I'm not an EU resident...
That may be true, but with over half a billion residents in 28 member states, it's a fairly reasonable expectation that at some point you will have an EU resident register on your forum and they will indeed be protected by this regulation and breaches of the regulation can bring penalties and fines against you, whether you're an EU resident, or not. Even so, data protection and privacy will be important to every one of your members, regardless of their country of origin.

How can we help?
Depending on your interpretation of the guidelines and how you specifically use your member's data, there isn't much more to add to help you comply with these regulations. That said, this would be a pretty boring post without some new things to show you so we will explain some of the new features below and how they help you, as a data controller, to comply with the regulations.


Individual rights

Right to erasure

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Unfortunately, erasure does not relate to a 1980s pop duo but instead it relates to the inevitability that at some point, one of your members may want to leave your forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten".

Of course XenForo has always allowed you to delete members via the Admin CP, and this approach is still recommended, but this has traditionally left their content attributed to them. You have always been able to workaround this by changing the user's name prior to deleting the user. Although we're not at this stage looking to totally remove the user's content, we are making it easier to anonymise a deleted user's content.

When deleting a user, you will now be given the option to just delete them (as now) or change their name before deleting them. You can choose the pre-defined text (which is the content of the deleted_member phrase in your language, followed by their user_id) or change it manually to whatever name you prefer.


Right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format.

Starting with the next release, it will be possible for admins to generate an XML file containing a user's personal information, including those entered in custom user fields. The XML file produced can be imported into any other XF1 or XF2 forum running an appropriate version.


Right to be informed

• You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
• You must provide privacy information to individuals at the time you collect their personal data from them.
• You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

XenForo already has functionality to enable you to edit your terms and rules, provides you with tools for you to create a privacy policy (help pages, page nodes) and present that information when they are registering. In the next releases we are somewhat expanding these features.

The first step is to start providing a default privacy policy, via a help page, similar to how we also provide a default terms and rules page. If you already have a privacy policy URL, we will continue to link to this. If you do not, then we will start displaying the new default policy link in the appropriate places. After upgrading, if you do not want or need a privacy policy then you can disable it in options.


Lawful basis for processing

Consent

• Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Keep evidence of consent – who, when, how, and what you told people.

On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. In XF2 we already seek this consent if you have a privacy policy or terms and rules URL configured. In XF1, however, we only did this if a terms and rules URL was configured. In XF2, there was no checkbox to consent to these, but in XF1 there was.

There are obvious inconsistencies there, so in the next releases we have taken a more consistent approach during registration:

We already make it possible for a user to opt-in to or opt-out of receiving site emails using the "Receive site mailings" option under "Preferences", which can of course be set or un-set by default for new users under Options > User registration. That preference remains, though we have changed its name slightly. We've also added a new admin option (again, under "User registration") to enable you to show that preference on registration:

To enable you to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy in the "User change log". We will also log if a user chooses explicitly opt in to receiving emails.

In the current version, user change logs are only kept for a period of 60 days (by default) so we have made changes here to ensure that certain change logs are "protected". These protected entries are never pruned and they are displayed differently in the log (denoted by the left feature border):

In these releases, we are also making it possible to ask users to re-accept terms and rules or privacy policies. Because we provide the ability to use any URL as your terms or privacy policy, and because the default policies are editable by changing phrases or templates, the most explicit approach to triggering re-acceptance is having a specific page for each under Communication > Help in the Admin CP:

Once you click "Save" any users will be prompted to re-accept the respective policy. They will not be able to continue using the site until they do. If you use the default page then the policy will be displayed on the page:

Cookies

The rules on cookies are in regulation 6. The basic rule is that you must:

• tell people the cookies are there;
• explain what the cookies are doing and why; and
• get the person’s consent to store a cookie on their device.

We have, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we've decided to make some improvements for the next release to make the usage of cookies more clear, and to require the notice to be dismissed:

Interestingly, this notice doesn't appear as a block notice at the top of the page, and it doesn't appear in the bottom right corner as a floating notice. Instead, we've created an entirely new position called "Fixed". This notice position is actually fixed at the very bottom of the page and full width (similar to the inline mod bar). You can even use this position for any notice you create.

The default help page for cookies has been expanded with more detailed information about what cookies are set, and why.


And that brings us to the end of this GDPR-centric Have you seen thread!

Due to the fairly large number of changes in these releases, we will first be releasing beta versions on Tuesday 8th May which will be available to all customers with an active license, while aiming for a final and stable release on Tuesday 22nd May.

As ever, with Have you seen threads, please post any suggestions in the suggestion forum (one thread per suggestion).

 

[otto]

God question. You can deactivate it. But how can i change all embbeded Videos, Posts etc, back into a link?

You can use a addon from WMTech - that loads only a preview picture, but send no data to google bevor the user click activ on the preview to start the video. I think that should be ok?

 

[daimpa]

You can use a addon from WMTech - that loads only a preview picture, but send no data to google bevor the user click activ on the preview to start the video. I think that should be ok?

For youtube videos should be ok, but only for youtube.
I think that, since it's something required by current law, this feature should be included in the core of xenforo.
For WordPress, there're many plugins on codecanyon that blocks all cookies before explicit consent.

 

[Chris D]

It isn’t required by law at all.

As long as you have a privacy policy which states it and your users consent to that policy, no further action is required.

 

[webbouk]

...and Google own Youtube anyway

 

[daimpa]

It isn’t required by law at all.

As long as you have a privacy policy which states it and your users consent to that policy, no further action is required.

Registered users can be forced to consent to that policy, but what for guests? Implied consent is not valid. If the first page they visit has a youtube video, it will automatically load the cookie, and this is against the law. Correct me if I'm wrong, this is what I've learned in these days.

 

[webbouk]

The law as I understand it relates to identifiable information so how can a guest who has not presented any identifiable information cause an issue by viewing a Youtube video embedded in a page?

 

[daimpa]

The law as I understand it relates to identifiable information so how can a guest who has not presented any identifiable information cause an issue by viewing a Youtube video embedded in a page?

Not sure which cookies youtube sets, maybe IP? IP address is seen as a personal data from GDPR, look at here: https://eugdprcompliant.com/personal-data/
And look at this youtube embeed: https://edps.europa.eu/press-public...-probe-facebook-over-data-privacy-giovanni_en

 

[Kirby]

@webbouk
Every guest does present one identifiable information, the IP address.

 

[webbouk]

But the user's IP address does not and can not identify them alone and if they are a guest then their IP address is as much use to anyone as a chocolate tea pot

 

[Sim]

I don't know why people get so hung up on IP addresses. Yes, it is personal data - but only when matched to other personally identifiable information, otherwise it's just an IP address.

Today is 17th May 2018 (at least it is here in the future in Australia ) ... that date is personal data if it happens to be your birthday. But only if we know it is your birthday and we also know who you are.

Just knowing an IP address is insufficient to be a problem unless you also have a profile built around that person which allows you to uniquely identify who is using that IP address.

As soon as a user uses an IP address to log into an account - and you track that - then it becomes personally identifiable. Until then it's not.

Of course, if you are doing some kind of matching of cookie data and IP addresses and building up a profile based on that - THEN you need to be cautious.

 

[daimpa]

But the user's IP address does not and can not identify them alone and if they are a guest then their IP address is as much use to anyone as a chocolate tea pot

Almost all webistes identify IP address as a personal data.
"A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data as it enters the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate going on as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces information would be combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant."
https://eugdprcompliant.com/personal-data/

 

[webbouk]

You've virtually answered your own question daimpa, the ISP has to meet certain legal obligations before it can hand the data to a website operator, and in doing so it would still be nigh on impossible to identify a guest on that information alone.

Everytime a mobile user activates their internet access they are assigned an IP address which can and does change everytime they do so. A guest cannot be identified by this IP address unless you have the power of the FBI or MI5 .
Likewise some Broadband ISP use proxies which will show an IP address for a group of their customers as they are routed through a proxy. So you could have hundreds of users/guests using the same IP address

I often wonder reading some of these queries on GDPR how people sleep at night, they must worry themselves into a right state waiting for the knock on the door that will never come.

As a website owner you have to comply with GDPR to the best of your ability, not re-write it, not make your website unusable and inaccessible unless the user donates three pints of blood first, and not spend eternity trying to cover every single aspect of an unworkable unenforceable law

 

[Kirby]

Just knowing an IP address is insufficient to be a problem unless you also have a profile built around that person which allows you to uniquely identify who is using that IP address.

If it was that easy I'd be a happy guy, unfortunately it is not.

It doesn't matter if I can directly correlate the tuple IP address-source port-timestamp to a real person, it's enough that the ISP can correlate that tuple to a customer.

There is an ongoing trial (since 2008) against the german government to stop logging dynamic IP addresses as this practive violates the law according to the plaintiffs.
German federal court quite recently sentenced that danymic IP addresses are personal data:
https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=pm&Datum=2017&Sort=3&nr=78289&pos=1&anz=75&edit-text=

Article 4 (1) GDPR

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

IMHO & IANAL there really isn't that much room for interpretation

A guest cannot be identified by this IP address unless you have the power of the FBI or MI5.

Not really. The guest would, for example, just have to massively infringe your intellectual property and you could get a court order to get it's name from the ISP.
https://translate.google.com/translate?hl=de&sl=de&tl=en&u=https://dejure.org/gesetze/UrHG/101.html&sandbox=1

 

[daimpa]

You've virtually answered your own question daimpa, the ISP has to meet certain legal obligations before it can hand the data to a website operator, and in doing so it would still be nigh on impossible to identify a guest on that information alone.

Everytime a mobile user activates their internet access they are assigned an IP address which can and does change everytime they do so. A guest cannot be identified by this IP address unless you have the power of the FBI or MI5 .
Likewise some Broadband ISP use proxies which will show an IP address for a group of their customers as they are routed through a proxy. So you could have hundreds of users/guests using the same IP address

I often wonder reading some of these queries on GDPR how people sleep at night, they must worry themselves into a right state waiting for the knock on the door that will never come.

As a website owner you have to comply with GDPR to the best of your ability, not re-write it, not make your website unusable and inaccessible unless the user donates three pints of blood first, and not spend eternity trying to cover every single aspect of an unworkable unenforceable law

I know that it's awful to comply with GDPR, and against UX, but that's not my fault
Unfortunately, implied consent is not enough now. Related to youtube embeed, or even the simple social like/tweet buttons, users have to explicit opt-in. Until they opt-in, the features have to be disabled. You can read it in many trustworthy websites, and this example is pretty much clear. Chances you'll be sued for that? 0 maybe. But this doesn't means this is OK.

PS: I'm not a lawyer, neither I pretend to input my ideas into your head, I'm just sharing what I've learned.

 

[Slavik]

I often wonder reading some of these queries on GDPR how people sleep at night, they must worry themselves into a right state waiting for the knock on the door that will never come.

Quite, just like when the cookie law came into effect, everyone lost their minds like it was the end of the internet, what came of it? Next to nothing to be honest.

GDPR is just like cookie law on steroids, people losing their minds even more, and what will come of it? Probably exactly the same.

I'll bet in the first year there wont be a single fine issued at all, even if some large multinational company flouts the rules.

 

[MySiteGuy]

Add this in the template for the youtube iframe

allow="autoplay; encrypted-media"

It's Youtube's privacy enhanced mode and won't log their info. If they click on the video, it can log info if they haven't opted out at Youtube. Disclose this on your site disclosure popup -- that they can watch the videos but as soon as they click through... they are on Youtube's site and its up to Youtube at that point to get consent.

 

[MySiteGuy]

Oops, left out the URL portion! Change it to: https://www.youtube-nocookie.com

 

[imno007]

Guys, you can dump IP info any time you want and no one can prove that you have or had any particular ones stored, even if they could actually be correlated to specific persons. I think many of you are spending a whole lot of time worrying about nothing. You're a tiny grain of sand in an ocean of data, and to think that governments are going to be monitoring you and busting you for things like embedded Youtube videos....

 

[Sabermaster]

Quite, just like when the cookie law came into effect, everyone lost their minds like it was the end of the internet, what came of it? Next to nothing to be honest.

GDPR is just like cookie law on steroids, people losing their minds even more, and what will come of it? Probably exactly the same.

I'll bet in the first year there wont be a single fine issued at all, even if some large multinational company flouts the rules.

Just to give you an idea about why germans worry: in Germany there is a legal practice of issuing warning letters by lawyers and they can charge you an arm and a leg for it.

Now the problem is: even if they have nothing to do with you (they are a lawyer and you are running a forum on fishing hooks) they can still do this.
Currently there is a legal initiative going around to restrict this to cases where they can prove a legitimate interest, but until that law has been passed they can merrily send their warning letters.
The real issue is, there are certain lawyers who make this their prime source of income. Scanning websites for anything illegal, sending out a warning letter and charging you an arm and a leg for this. And if you don't pay they sue you in court, win the case if you really did break the law and you also have to pay the costs of the court, your own legal costs and their legal costs.

And be assured, there have been quite a lot of these letters when the cookie law came. There will be enough of those this time around as well.

The authority itself is a toothless tiger. They do not even have the personal they need in order to actually go hunt for violators. The will only go after the real big fish, not after a small forum.

 

[webbouk]

So you are saying a German lawyer off his own back can send you a letter identifying a violation and in effect fine you, or the reality blackmail you, into paying them so they don't take it any further which would cost you should it go to court?
I'm glad we're leaving the EU then as that is ludicrous.

In the UK we have similar involving no-win no-fee solicitors making spurious or inflated claims for their 'clients' against companies for injuries, etc they may have (or may not have) sustained.
They work on the premise that it is cheaper for the company to agree a settlement figure outside of court than it is for the company to go to court to successfully defend themselves.

The best thing to do if that is the situation and you are that worried is to give the website to any individual in some remote distant land and let them be the owner, the person doesn't even have to be real, pick a name from the many Nigerian scam emails. You could then just be the 'manager' of the website, a paid employee in other words, with no legal responsibility for it, and when/if the letter lands on the doormat forward it on to them