GDPR discussion thread

XenForo 1 is no longer under active development, and hasn't been for some time. The only releases will be security ones. We aren't going to be backwards engineering fixes for every piece of new legislation the EU decides to churn out.

Is this the right attitude? The GDPR has been known since April 2016. For two years XenForo did nothing.

The CAN-SPAM Act of 2003 was not respected either:

https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

Quoting point #6:

"...You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request...."

This has been law since 2003. According to that law, XenForo should have had an unsubscribe link in every email, with no login required to unsubscribe, since its inception. What about that?

I am not amused to hear now that it is too late and it is all our problem.

You scratch your reputation if you deal with problems like this in that way.

We pay for the software and we depend on trusting those who develop it. If that trust is misused in scenarios like this, with statements such as "we do not care, that's your problem", while there is objectively definitely something missing, then this does not make a good impression.

You could say: we will look more into this, we will check with the authorities and lawyers, and in case something is wrong we will fix it ASAP. But instead you try to sugarcoat the problem and point the finger of blame at your customers.

Not a good sign...
 
You are trying to mix things up now. This is part of a discussion about whether there is any chance of having arguments not to follow these new rules. But the lawyers say it is technically possible to unsubscribe, even from more than one newsletter, without being forced to log in, and this is why we now have to offer this without login as well. Same as XF2 is now offering too.

I am sorry, I am not a lawyer. I am just giving hints here that we will soon have a huge problem with XF1.5. Please do your own research for English-language articles.

I trust the German lawyers. There is no reason not to believe this.

I know it is easier to sugarcoat that, but this does not resolve the problem.
A newsletter is just a name. You can call it Daisy Duck. As long as you send out emails regularly to more than a few users, it will be treated legally like a newsletter.
We all use this feature, so we are all guilty and cannot argue "but this is called something different" or "but this is just a minor feature of this software" ;)
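The point above, that a user can be unsubscribed from one of several mailings without logging in, comes down to putting a per-user, per-list signed token in the link so the server can trust the request without a session, while an unsigned link of the form ?u=42&l=weekly would let anyone opt out anyone else just by guessing ids. The following is an added example written for this page; it is not XenForo's code and says nothing about how XF2 implements its link. SECRET_KEY, the query-parameter names, the 30-day lifetime and the in-memory preference store are all assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret; in practice load it from configuration, never commit it.
SECRET_KEY = b"example-only-secret-replace-me"
TOKEN_TTL_SECONDS = 30 * 24 * 3600  # links in old mails stop working after 30 days


def _sign(user_id, list_name, expires):
    """HMAC-SHA256 over the fields the link carries, as URL-safe base64 without padding."""
    msg = f"{user_id}|{list_name}|{expires}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_unsubscribe_url(base_url, user_id, list_name, now=None):
    """Per-user, per-list link embedded in the mail; needs no session to act on."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL_SECONDS
    params = {"u": user_id, "l": list_name, "e": expires,
              "t": _sign(user_id, list_name, expires)}
    return f"{base_url}?{urlencode(params)}"


def verify_unsubscribe_url(url, now=None):
    """Return (user_id, list_name) if the link is authentic and unexpired, else None."""
    qs = parse_qs(urlparse(url).query)
    try:
        user_id = int(qs["u"][0])
        list_name = qs["l"][0]
        expires = int(qs["e"][0])
        token = qs["t"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if int(time.time() if now is None else now) > expires:
        return None
    # Constant-time compare: a plain == would leak the MAC byte by byte via timing.
    if not hmac.compare_digest(_sign(user_id, list_name, expires), token):
        return None
    return user_id, list_name


def mail_headers(unsubscribe_url):
    """RFC 2369 / RFC 8058 headers so mail clients can offer one-click unsubscribe."""
    return {
        "List-Unsubscribe": f"<{unsubscribe_url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def apply_unsubscribe(prefs, url, now=None):
    """Flip exactly the one list the signed link names; other lists stay untouched.

    prefs is an assumed store of the shape {user_id: {list_name: bool}}.
    """
    result = verify_unsubscribe_url(url, now)
    if result is None:
        return False
    user_id, list_name = result
    prefs.setdefault(user_id, {})[list_name] = False
    return True
```

Because the token binds user id, list name and expiry together, editing any of them in the URL invalidates it, which is what lets the endpoint act without a login: the only secret needed to unsubscribe is the link that was mailed to that user. A real endpoint should treat the link as an idempotent opt-out and accept the POST that RFC 8058 clients send as well as a GET.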
No. Just no.
  1. The laws explicitly only apply to commercial intentions. If you are a private person with no business interests at all, nothing changes for you. => "Newsletter" in this context is a whole different story.
  2. Transactional emails ("receipts" etc.) and newsletters ("marketing emails") are two different things, as someone has stated before. tl;dr: transactional emails are mainly sent as a response to an action you have made (e.g. post, comment, etc.), whereas marketing emails are sent to you without interaction (e.g. new product available). https://www.reallysimplesystems.com/blog/gdpr-faq/ https://www.communigator.co.uk/blog/common-questions-around-gdpr-answered/ https://www.sparkpost.com/resources...ifference-transactional-vs-commercial-emails/
That being said, since we are talking about transactional emails for the vast majority of XF installations, nothing changes for us.
If a XenForo admin wants to send professional newsletters to its users, some customization in XenForo would have to be made, since, again, there is no "Newsletter" feature for marketing emails in XenForo.
That's not quite true, there is a general Newsletter feature in ACP which can be used for marketing emails.
/admin.php?users/email
In fact, an unsubscribe link will be added by default (at least for XF2).
 
Hi,

Slavik added to his comment yesterday, after my last post, that he has sent an email to the ICO regarding this. Let's wait and see what they say.

If you are a private person with no business interests at all, nothing changes for you

No. As soon as you have ads on your forum, i.e. Google AdWords, or offer premium memberships to your members for money, you are commercial. Ask your local tax authorities ;)

Transactional emails ("receipts" etc.) and newsletters ("marketing emails") are two different things

Nobody said anything different.

That being said, since we are talking about transactional emails for the vast majority of XF installations, nothing changes for us.

That is an assumption, not a fact. I do not know a single XenForo webmaster who is not using the mass-mailing feature in the ACP. There are even several add-ons available from AndyB to automate this, and these are in high demand ;)


For a fact an unsubscribe link will be added by default.

???

Are you talking about XF1.5x or XF2.x?

In XF 1.5x there is no unsubscribe link in the emails if you use the mass-mailing feature in the ACP.

This whole discussion is only about XF1.5x, not about XF2.x ;)
 
  • Putting ads on your website expresses your business / commercial interest (obviously).
  • Using mass mailing, for example as a maintenance informer, is considered a transactional email (see links above).
  • Thus, it is not an assumption, it is a fact (because that's what webmasters usually do).
  • If you are using the newsletter function for marketing purposes in XF1.5, it's your problem, because XF1.5 will only get security updates and this is certainly not a security issue. It's a feature request which has been implemented in time in the current version of XF.
There is legit no room for discussion on this topic, everything has been stated clearly, multiple times actually. ;)
 
This morning I spoke to the ICO.

I can confirm, in no uncertain terms, that one-click opt-out is not required.

I explained to them in detail the different types of email XenForo offers, and explained that the opt-out method for all types of email requires the user to log into their account to change any email preferences.

They confirmed this was completely fine and in line with the rules, as we are not making it unduly difficult for a user to unsubscribe.

The rules are in place to stop the sort of unsubscribe links where you click it, get asked if you're sure, then asked why you're leaving, then asked if they can do you an offer to get you to stay, and then finally you might get to the end page to unsubscribe.
 
Similarly, the right to be forgotten stirred up a lot of similar arguments that people would delete all the content off a site etc., citing the GDPR. However, when I spoke to the ICO (the UK body in charge of data protection) they said that what I had been suggesting all along, renaming and deleting the account (and specific posts, if they contained personally identifiable information and were brought to the webmaster's specific attention), was considered acceptable.
Thank you for looking into this. Could you ask the ICO about the following issue:

The GDPR defines the right to be forgotten and we can indeed rename the account. However, this does not affect name mentions and quotes, i.e. @Slavik.
So renaming the account still leaves the person's name visible on the site, and this comes up in Google searches. I have a member who has made a large number of posts and was quoted and mentioned extensively. Unfortunately she became the victim of stalking on the net and therefore requested that her name be removed from the site, and a name change was applied. This unfortunately did not resolve the problem, due to name mentions / user tagging and quotes. Quotes and mentions of her name on my site come up in Google extensively.

Could you please ask the ICO about this type of situation? It seems to me that this is an issue with the GDPR, but the ICO can best clarify this.
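The residual-reference problem described in the post above (renaming the account changes the user record, but @mentions and quote attributions are baked into the stored post text) is something a rename has to follow up with a scan-and-rewrite pass over the post table. The following is an added example written for this page, not XenForo code or an official procedure. It assumes XenForo 1.x-style BBCode in which quotes are stored as [quote="Name, post: N, member: M"] and mentions as plain @Name text; the sample posts are constructed, and the matching is keyed on the member id as well as the name so that a different member who happens to share the display name is left alone.

```python
import re

# Constructed sample posts (not real forum data), keyed by post id.
# Assumed storage formats: [quote="Name, post: N, member: M"] attributions and
# plain-text @Name mentions. Adjust the patterns to your actual schema.
SAMPLE_POSTS = {
    101: "Thanks @JaneDoe for the tip!",
    102: '[quote="JaneDoe, post: 55, member: 678"]original text[/quote]\nAgreed.',
    103: "Nothing to see here, @JaneDoeFan is a different member.",
    104: 'See [quote="JaneDoe, post: 56, member: 678"]x[/quote] and @JaneDoe again.',
    105: '[quote="JaneDoe, post: 57, member: 999"]same display name, other member[/quote]',
}


def _patterns(old_name, member_id):
    name = re.escape(old_name)
    # Quote attribution: the name must be accompanied by this member id, so a
    # different user who shares the display name is not rewritten by mistake.
    quote_re = re.compile(
        r'\[quote="' + name + r'(,\s*post:\s*\d+,\s*member:\s*' + str(int(member_id)) + r')"\]',
        re.IGNORECASE,
    )
    # @mention: not preceded by a word character or another '@', and the name must
    # end there, so @JaneDoeFan is not treated as a mention of JaneDoe.
    mention_re = re.compile(r"(?<![\w@])@" + name + r"(?![\w-])")
    return quote_re, mention_re


def find_residual_references(posts, old_name, member_id):
    """Post ids that still carry the old name in a quote attribution or @mention."""
    quote_re, mention_re = _patterns(old_name, member_id)
    return sorted(pid for pid, body in posts.items()
                  if quote_re.search(body) or mention_re.search(body))


def rewrite_post(body, old_name, new_name, member_id):
    """Return (new_body, replacements_made) with the old name swapped for new_name."""
    quote_re, mention_re = _patterns(old_name, member_id)
    # A callable replacement avoids backslash/group expansion if new_name contains them.
    body, n_quotes = quote_re.subn(lambda m: f'[quote="{new_name}{m.group(1)}"]', body)
    body, n_mentions = mention_re.subn("@" + new_name, body)
    return body, n_quotes + n_mentions


def rewrite_all(posts, old_name, new_name, member_id):
    """Map of post id -> (new_body, count) for every post that actually changed."""
    changed = {}
    for pid, body in posts.items():
        new_body, n = rewrite_post(body, old_name, new_name, member_id)
        if n:
            changed[pid] = (new_body, n)
    return changed


if __name__ == "__main__":
    for pid in find_residual_references(SAMPLE_POSTS, "JaneDoe", 678):
        print(pid, rewrite_post(SAMPLE_POSTS[pid], "JaneDoe", "Member678", 678))
```

Run find_residual_references first to get the list of affected posts for the record, then apply rewrite_all inside one transaction against the post table. Rewriting the stored text only fixes what the site serves from now on; copies already in a search engine's index persist until the pages are re-crawled or a removal is requested, which is the part of the situation above that no site-side change resolves on its own.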
 
Could you please ask the ICO about this type of situation? It seems to me that this is an issue with the GDPR, but the ICO can best clarify this.

Once they post something in the public domain, being quoted or sub-quoted is the risk you take; if you want something removed later on, you might not be able to have it removed in its entirety.
 
I agree in principle.

But it seems to me that this situation does fall under the GDPR and can result in fines. Or do you mean to say that this situation has already been discussed with the ICO?
 
Could I please suggest that there be an official GDPR resource area/thread in which, as a community, we can set out what we, as admins, are obliged to do to comply with the GDPR?
And then, when we are agreed on it (hopefully that will happen), it can be set as an official XenForo resource?
And if the XenForo software needs to perform certain functions on the data to comply, then the XF team will look at implementing them?
Or has this already been done and I've missed it? I ask because this is only the third thread in the search results with GDPR in the title.
Thanks
 
There's basically nothing on the XenForo side that needs to be implemented; all the current systems provide everything required.
Excellent. Does that include deleting IP logs for members when they are deleted, etc.?
I think we still need to coordinate our approach to requests and questions from members.
Some will be arguing that posts are 'personal information' and an organised FAQ will save us all a lot of time.
 
Some will be arguing that posts are 'personal information' and an organised FAQ will save us all a lot of time.

Yes, when an account is deleted, the relevant IPs that could be classed as personal data linking back to the account are also removed.

A right to be forgotten is also not an absolute right to erasure. Posts made publicly are not covered unless it contains personal information (address, name, etc).

I have just put together a set of documents for one of my larger customers. While I won't be releasing them, as they are billable to my customer, the only major thing you need to be aware of and account for is whether you pass that personal data to third parties (such as by using a dedicated newsletter service).

Otherwise it's pretty much business as usual for forums.
 
Would that include Sendy (the interface to Amazon SES)? In that instance I have total control over (and sole access to) the email list.

As far as I am aware, as long as those details aren't being passed to a third party (e.g. using Mailchimp) and are kept within your organisation, then that is fine.
 