Not a bug User registration option minimum age does not work

Kirby

Well-known member
Affected version
2.0.6 Beta 2
Description
I've set the minimum age for registration to 16 years to comply with Article 8 (1) GDPR:
Where point (a) of Article 6 (1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.

I've also not enabled "Require date of birth" to comply with Article 5 (1) lit. c GDPR:
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')

Expected Result
When clicking register, a question is being asked if I am at least 16 years old.
If this is not the case, a message is being displayed that prior written consent by my parents is required before a registration can be made.
This message is being displayed without sending information about my age to the server or storing it in a cookie.
If I am stating that I am at least 16, the normal registration process begins.

Actual Result
Registration works normally as if no option is set, I am not being asked a question about my age.
 
The "Minimum age" option value on its own is what is passed into things like the terms and rules:

https://xenforo.com/community/help/terms/
This Service is only available to users who are at least 13 years old. If you are younger than this, please do not register for this Service. If you register for this Service, you represent that you are this age or older.

It doesn't do anything else on its own.

As the minimum age is noted in the terms and rules that they should be reading and explicitly consenting to then that complies with everything.

This is therefore not a bug.
 
As the minimum age is noted in the terms and rules that they should be reading and explicitly consenting to then that complies with everything.
Unfortunately this does not seem to be the case:
The form can be submitted without ticking the accept checkbox in which case PII, at least the email, does get transmitted to the server without consent.

So if you want to go down this road I think it would be necessary to not allow submitting the form if accept is not ticked.
 
You need to have the "Require date of birth" option enabled. XenForo 2.x actually has code to check the minimum age, but only shows the age field if it is required. Fairly unexpected behaviour, and the upgrade from XF1 => XF2 doesn't preserve this option.
 
Hmm, but if I enable "Require date of birth", the date of birth will be saved into the database.
So this is yet more, pretty much unnecessary, PII that has to be taken care of.

Ideally this would not be saved into the database - I do not need nor want to have it there.
 
Fairly unexpected behaviour and the upgrade from XF1 => XF2 doesn't preserve this option.
Actually, it does. The format of the option value hasn't changed, only the UI has. If you required a DOB and minimum age in XF1, after upgrading to XF2 you still have that, but the benefit is you can now choose to switch off requiring the date of birth, and the minimum age is baked into the terms and conditions.

So, no, you don't need to require that option at all, and consenting to the terms and conditions is more than sufficient to verify a user has the correct age (they can lie, of course, but then they can lie that their date of birth makes them 22 rather than 12).

Ideally this would not be saved into the database - I do not need nor want to have it there.
Then don't require a date of birth. Consenting to whatever your minimum age is via the terms and rules is more than sufficient.
 