Yes, I have been to 2 different lawyers, each one in 2017 and 2021. They were giving me pretty much the same answer, that these things are needed and should be implemented.
And no, there is no lawsuit that is considering it yet, but until there is no lawsuit that says that this is NOT the case, it is not a discussion.
It is something that absolutely needs to be addressed, so too do dark patterns which are not legal and my country's regulator is specifically going after them. And yes there is a precedent now here (that's not a forum, but note that the "best deal" is visible but that foreign company was fined for breach of local consumer law due in part to the use of a dark pattern - see labelled screenshot). Some people on Discord were arguing with me that we can't fine foreign companies - we absolutely can and the watershed case on this was ACCC v Valve. You can read the court orders and ruling here as well as the judgment. If you haven't read it before it's a very entertaining read for a court document, Valve didn't obtain legal advice before telling their customers they weren't entitled to their rights when they were (from paragraph 39 on in the Orders). "Valve made the argument that 'we're based overseas so the law doesn't apply' but the law does apply" is a theme throughout the ruling as well. Paragraph 48: "I do not consider that the issues concerning the application of the Australian Consumer Law to overseas corporations in Valve’s position were so clear that, despite the absence of any determinative judgment on the point, overseas corporations must have known that they were subject to local law. ..." Oh what do you know, the rule of law applies no matter where you're based and enforcement can be taken. That doesn't just go for consumer law, but also for business and competition law (it's the one very well resourced regulator so good luck making an opposing argument - the judge will simply say "the law applies").
In terms of GDPR & Cookies with forums - you need to do these things:
- You need to separate essential cookies from non-essential, and really you shouldn't need non-essential cookies unless it's for third-party use such as advertisers. The only thing that a forum needs to store in a cookie is login information, and that's it. Per-device settings are something that can be stored in cookies, but would require affirmative consent under GDPR.
- You need a clear privacy policy (and cookie use explained there).
- If you're only using essential cookies you don't need a banner - the privacy policy is enough but you need a way to put a link to it in sign-up/log-in forms and ideally a check-box next to it saying "I accept".
- You need a way to clear all cookies with one click. If "Log Out" does this then fine, if not you need to make a link and put it in the page. It must also remove 3rd-party cookies.
- Finally if you need to use a "cookie banner" you cannot use a dark pattern designed to trick users into selecting options that may not be in their best interests. That means you absolutely cannot highlight "Accept All" over "Refuse All" for example.
Very few websites do this right as it is. Having your forum software not provide you with the right framework is an issue that most forum apps will have to address (Flarum included).
You don't have to like the law, but you do need to abide by it or exclude people from the country where you're breaking their laws.
I'm a bit tired of the forums lately. I'm going to give myself some time before starting over with something. Flarum seems interesting to me, but as I say I need some time to recharge my batteries. I had become very obsessed with Xenforo, but there are times when we have to take a step back and see everything with perspective. Hug everyone.
Come join the Flarum community if you like. That's not an attempt to be in competition with xF or anything, I see their software as very different and catering to a different market compared with xF.
Lawyers take this even further on the alarmist-scale to keep themselves in a job
If that's your reaction to written legal advice you received I'd be quite concerned. "Doctors keep people sick to keep themselves in business". "Mechanics keep your car in bad condition to keep themselves in business". Or how about "Rack911 Labs sent us an alarmist security audit to keep themselves in business". etc. (For those who don't get the reference Rack911 is very well known and highly respected within the cyber-security/server-hardening space). There's bad apples in any profession; that doesn't mean you can ignore clear legal advice because you think it's "alarmist". I like my doctor and I like my mechanic (who I just had a 30 minute chat with following a service going over a few things). If I had a lawyer I would like to like them. Precedents have been set now. Here's some free published legal advice on Dark Patterns, scroll down to the end and read the last three paragraphs for the tl;dr. Any regulation here has the ability to reshape the entire internet (although unlike GDPR it will make it less annoying because dark patterns) the regulator is very well resourced with a lot of power, and the laws are as water-tight as anything. The Trivago ruling is the precedent (well on Dark Patterns, the Valve case is the precedent that shows foreign companies that do business here including 100% online must follow our laws), and if a company had no assets in Australia and were uncooperative, and you wanted to pursue enforcement you could seek relief through things like issuing a court order to a payment processor to withhold funds to the value of the damages (that's very common in these things) or from advertising networks like Google (who themselves just lost a local defamation lawsuit this week). Oh and to demonstrate how dumb Google LLC is, they literally didn't defend the defamation lawsuit once it got to trial, they withdrew every single defence that they were claiming they were going to take to trial so that trial was only about the damages they had to pay and nothing else.
I'm not a lawyer, however my mind does have a legalistic way of thinking, and I think it's very bad advice to say you shouldn't listen to your legal advice IMO. If you're not happy with it, get another opinion from a better firm.