GDPR - What does it mean for the forum owner?

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,250
Couple of parts that you may need to amend to fully comply with the GDPR:

We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information unless we provide users with advance notice.

I would change that to:

"We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information without your explicit permission."

Google, as a third-party vendor, uses cookies to serve ads on our site. Google's use of the DART cookie enables it to serve ads to our users based on previous visits to our site and other sites on the Internet. Users may opt-out of the use of the DART cookie by visiting the Google Ad and Content Network privacy policy.

The bit in bold is a No No in the GDPR - everything must be 'opt-in', there is no room for opt-out anymore; anything that you previously had as an automatic opt-in now has to be changed to 'user opt-in' not opting out after the fact. Otherwise this is a comprehensive illustration of your Privacy Policy.

;)
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,250
I've just come off the telephone (before I was cut off mid-sentence) to the ICO. The advisor I was talking to answered my questions, mainly about cookies, and pointed to a pdf download about cookies (attached); the answer about dropping cookies 'BEFORE' they are dropped and gaining consent was discussed and it was something for the forum developers to look at.

Basically you need to inform visitors that cookies are used in clear transparent language that is 'jargon free' and only what is required; in other words keep it short, informed and accurate. Cookies are viewed in a layered way so that information is provided as and when required.

It was also mentioned to look at this document with regards to cookies: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

I was also pointed to this page https://ico.org.uk/for-organisation...ion-gdpr/lawful-basis-for-processing/consent/ regarding gaining consent.

As for users who have been registered for a long time, there is no need to regain their consent as long as there is a legitimate interest in using their PII; this has to be seen to be the 'highest rate of interest' regarding consent.

There is no need to record every action a user makes whilst using your site, 'unless it is needed'.

With regards to inactive members - the information you hold needs to be accurate and required. There needs to be some form of 'retention policy' built into your privacy policy and terms. So if users have been inactive for whatever period you deem is necessary in the possibility that they will return, there is no need to delete their data. If they are unreachable, that is their email address has changed, then you no longer need their data and can delete it.

You can retain any data if there is a 'legitimate interest' in doing so - this would be applicable to banned members, as you have a 'legitimate interest' in keeping their data to prevent them from using your site.

This is where I got cut off, so I'm trying again to finish the list of questions I raised. I hope this helps.

;)
 

Attachments

  • cookies_guidance.pdf
    507.2 KB · Views: 1

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,710

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,250
Yeah that was one of the issues that I touched upon - everything, literally everything has to be opt-in with a mechanism to opt-out if they choose to do so later; the one thing we were talking about before I got cut off was 'legitimate use' of cookies, but it never got any further. I'm not sure if it was my end that cut me off or their end. I tried to get back, but they must be inundated with calls; I was on hold for 40 minutes before being put through lol.

;)
 

Matt M

Director Development at Invision Community
Joined
Apr 28, 2005
Messages
421
The research I did showed that the standard cookie disclaimer is fine - as long as the user is informed. There's no way to operate a modern website without some kind of storage, so really the user has a choice to either accept cookies (and use the site) or not use the site at all.

Also, if you read the ICO guidance carefully, there is a bit where it says it's fine to store cookies without consent if the user initiated an action (things like shopping carts, etc.)

To that end, I don't feel that you need a specific checkbox opt-in to store cookies when using the site.

(Even the ICO website sets tracking cookies and shows the standard disclaimer)

Again, reading the GDPR document itself, the cookie changes are only very minor. They are only mentioned in a few sentences so in terms of changes from the current data protection act, there's not a lot of difference.
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,250
When we were talking about cookies, it was said that you did not need to gain implicit consent if those cookies were required for the normal operation of your site, but the end user needed to be informed that those cookies were present - pretty much the same as Matt M stated above.

It's always best to go to the source rather than rely on what others say based on their interpretation - the ICO provides some really good info on their site, but it can often be difficult to find. Use the search bar to see if you can find what you want. I'm going to call again on Thursday and see if I can finish off my list of questions, but if I find the answers on the ICO site before then, I'll post links here.

https://ico.org.uk/

Go to: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Check the links on the left to see if you find what you need.

;)
 

Nev_Dull

Anachronism
Joined
Apr 27, 2010
Messages
2,295
Also, if you read the ICO guidance carefully, there is a bit where it says it's fine to store cookies without consent if the user initiated an action (things like shopping carts, etc.)

To that end, I don't feel that you need a specific checkbox opt-in to store cookies when using the site.
That was my read on it as well and that's the way i've gone with it.

The same applies to email addresses during the registration process. Getting explicit consent to capture their email address isn't a viable option. But having that address is required to provide the login service of forum membership. It becomes a contractual use, which is fine. You do, however, have to get explicit consent to use that email address for any other purpose, such as newsletters, or if you plan to share it with another party.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,710
I have read it in my own language and you need to make a distinction between two sorts of cookies, so Matt is correct. The first is the functional cookie, like for passwords, cookie preference, shopping cart; those can be done implicitly, since when you continue you know that you get them. Cookies for ads, Google Analytics etc. need to be opt-in; this also means the button may not be set to on. The site https://www.cookieinfo.net/cookies-en-avg-gevolgen-en-kansen-voor-je-website/ (Dutch) has the consent for cookies below. It's as follows: Necessary (Noodzakelijk), Preferences (Voorkeuren), Statistics (Statistieken), Marketing (Marketing), No details (Geen Details). The first one, Necessary (Noodzakelijk), may be pre-selected, so opt-out is good because it's for stuff like password, shopping cart etc. The others need to be opt-in and it also needs to be easy to revoke the permission. One thing that IPS did is great: track who did what and whether they accepted or denied. Also a cookie wall that you'll need to accept to continue is not permitted because the GDPR states that it needs to be given freely, and with no choice it's not given freely. BTW it's better to ask permission and store that than to assume and be wrong.
 
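The category scheme described in the post above (Necessary pre-selected, the other categories off until the visitor switches them on, consent easy to revoke, and a record of who decided what) can be implemented as a small consent manager. The block below is an added example written for this thread; it is not code from Invision Community, XenForo or any forum package. The four category names come from the post; the cookie name `cookie_consent`, the `ConsentManager` class, its method names and the JSON storage format are all assumptions. It runs under Node without a browser; in a real page `serialize()` would be written to `document.cookie` and `fromCookieHeader()` fed the request's Cookie header on the server.

```javascript
// Added example, not the forum's or any vendor's code. Category names follow the
// post above; cookie name, class and storage layout are assumptions.

const CATEGORIES = Object.freeze(["necessary", "preferences", "statistics", "marketing"]);
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
const POLICY_VERSION = 1;                // bump when the cookie policy text changes

// Default state: only strictly necessary cookies are on. Nothing optional is
// pre-ticked, so the banner starts with every optional toggle off (opt-in).
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === "necessary";
  return { version: POLICY_VERSION, timestamp: null, choices };
}

class ConsentManager {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = defaultConsent();
    this.log = []; // append-only record of who chose what and when
  }

  // Apply the visitor's banner choices. Unknown categories are rejected and
  // "necessary" can never be switched off; anything not explicitly true stays off.
  record(userId, choices) {
    const next = defaultConsent();
    for (const [cat, on] of Object.entries(choices)) {
      if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
      if (cat === "necessary") continue;
      next.choices[cat] = on === true;
    }
    next.timestamp = this.now();
    this.state = next;
    this.log.push({ userId, action: "record", timestamp: next.timestamp, choices: { ...next.choices } });
    return this.state;
  }

  // Withdrawing consent is as easy as giving it: one call resets every
  // optional category to off and is logged like any other decision.
  revoke(userId) {
    return this.record(userId, {});
  }

  // True only for "necessary" or a category the visitor explicitly switched on.
  allows(category) {
    return CATEGORIES.includes(category) && this.state.choices[category] === true;
  }

  // Gate for a non-essential script (analytics tag, ad loader): runs `fn`
  // only when its category is permitted, otherwise reports that it was blocked.
  gate(category, fn) {
    if (!this.allows(category)) return { ran: false, category };
    return { ran: true, category, result: fn() };
  }

  // Cookie value that persists the decision; the consent cookie itself is "necessary".
  serialize() {
    return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(this.state))}; Path=/; SameSite=Lax`;
  }

  // Restore from a Cookie header. A missing, malformed or outdated-version value
  // falls back to the default (every optional category off), never to "on".
  static fromCookieHeader(header, now) {
    const mgr = new ConsentManager(now);
    const pair = (header || "").split(/;\s*/).find((kv) => kv.startsWith(CONSENT_COOKIE + "="));
    if (!pair) return mgr;
    try {
      const parsed = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
      if (parsed.version !== POLICY_VERSION) return mgr;
      const restored = defaultConsent();
      for (const c of CATEGORIES) {
        if (c !== "necessary") restored.choices[c] = !!parsed.choices && parsed.choices[c] === true;
      }
      restored.timestamp = typeof parsed.timestamp === "number" ? parsed.timestamp : null;
      mgr.state = restored;
    } catch (e) {
      // malformed value: keep the defaults
    }
    return mgr;
  }
}

// Constructed demo: a visitor ticks Statistics but leaves Marketing off.
const demo = new ConsentManager(() => 1700000000000);
demo.record("user-42", { statistics: true, marketing: false });
console.log(demo.gate("statistics", () => "analytics tag loaded"));
console.log(demo.gate("marketing", () => "ad tag loaded"));
console.log(demo.serialize());
```

The two properties worth checking in any banner are visible in the code: a fresh `ConsentManager` (or one restored from an unreadable cookie) denies every optional category, and `record()` ignores anything that is not literally `true`, so a pre-ticked toggle or a missing field can never turn a category on by accident.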

Matt M

Director Development at Invision Community
Joined
Apr 28, 2005
Messages
421
That's a very detailed cookie opt-in. I guess we'll see in the next few months how it all plays out. My feeling is that a simple banner is enough as long as the user is informed as to what is being set.

Right now, the ICO website on the very first page load sets several cookies, including Google tracking cookies.

Most cookie pages also tell you how to remove them from your device if you do not agree.
 

Shimei

Fan
Joined
Oct 11, 2015
Messages
511
So I am a little confused. I do not want to delete every post a person made on the board because it ruins the flow of conversations. By law, am I required to take down all content as though they own it, or can I "anonymize" the content? For example, change their user name, password, email address, and any other profile information, leaving the actual content up?

I don't understand why an agreement which makes all content of the board the website's is not legal?

In other words, if I demanded my account deleted and all personal information now, would the AdminZone have to delete all my content since day one of my account?
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,250
In other words, if I demanded my account deleted and all personal information now, would the AdminZone have to delete all my content since day one of my account?

Short answer NO!! As long as there is no PII in the posts there is no 'legitimate' reason to remove them. The question as to whether the user publicly posts PII is something to be determined yet - that's when I got cut off from talking to the ICO. I was about to ask who is responsible - the site owner or the user, or both equally. I will seek an answer to this later this week. But right now, if there is no 'legitimate' reason to remove all posts then you do not have to.

;)
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,710
So I am a little confused. I do not want to delete every post a person made on the board because it ruins the flow of conversations. By law am I required to take down all content as though they own it or can I "anonymize" the content. Example, change their user name, password, email address, and any other profile information, leaving the actual content up?

I don't understand why an agreement which makes all content of the board the website's not legal?

In other words, if I demanded my account deleted and all personal information now, would the AdminZone have to delete all my content since day one of my account?

It all starts with a good privacy and end user agreement: if you state that they provide a license that cannot be revoked on their content, then you have fewer issues. The profile is another matter that falls under GDPR and needs to be removed when someone asks.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,710
That's a very detailed cookie opt-in. I guess we'll see in the next few months how it all plays out. My feeling is that a simple banner is enough as long as the user is informed as to what is being set.

Right now, the ICO website on the very first page load sets several cookies, including Google tracking cookies.

Most cookie pages also tell you how to remove them from your device if you do not agree.

The problem is ICO and AP (Dutch counterpart of ICO) interpret the law differently. The cookie opt-in and opt-out that you saw is detailed, but it will hold in any country because it's very strict. Also, if you make it so that add-ons can tie into that banner that I showed, then it would be easy on the website owner to maintain everything. A simple banner is not enough; the GDPR is clear that non-functional cookies need to ask implicitly to be set, while for functional cookies you can get away with implicit consent. But why would you do that? If you have a good system then make use of it for everything. Also I as a user need to be able to adjust the cookies; it may not be buried in the site, it needs to be accessible.
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,250
If cookies are a normal part of delivering your services and you could not do so without them then you have a 'legitimate' need to use them; otherwise your site could not function. These cookies do not require consent (I am told by the ICO), though you do have to inform them that you are using cookies and give a clear, concise reason; e.g.

"This site uses cookies in order to provide you with the services we offer and cannot function without them"

That's just an example, but it's clear, concise and tells the user that cookies are used. You can go on to explain in a 'little' more detail in your cookie/privacy policy. The ICO advisor explained that everything must be clear concise and free of jargon.

The problem is ICO and AP (Dutch counter part of ICO) they interpret the law differently.

This is where people get bogged down, it's how you interpret the law that will ultimately decide how you apply it; having said that the GDPR directives are pretty clear when you read them carefully and apply a layered approach in linking different sections together. For example; consent, if you have a legitimate interest in providing something without having to seek consent then it's OK - you do however have to prove that you have a legitimate interest (the example cookie notice above does just that - your site cannot function without cookies).

For example, this is a snippet from the GDPR:

The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.

Legitimate Interest snippet from the GDPR:

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

So you have to be careful not to 'interpret' too literally for each piece of the GDPR because other parts may allow you to forego other parts if there is 'legitimate interest' - these two words were used frequently when I was talking to the ICO.

;)
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,241
Thought just came to mind... this is going to be a nightmare for archival sites like archive.org and the like.
 

Dobson

Aspirant
Joined
Jan 4, 2012
Messages
25
So if a previous user with 20,000 posts contacts me and asks to have all their posts removed, and I reply stating I will change their username and can delete any posts containing personal information on them, whose responsibility is it to trawl the 20,000 posts?
 

Dobson

Aspirant
Joined
Jan 4, 2012
Messages
25
Also I have had a user hounding me for a couple of years now. He was banned previously for being generally rude, abusive etc etc, you know the usual.

He demanded I removed his posts, which I declined to do as it's basically not in my policy to do so. He claims I'm using his images without permission, which I am not. He posted these himself in line with my site's terms and conditions, which give me permission to use them (I don't, but the terms are just covering me). He even posted on his first post saying he was offering his copyrighted images to the forum.
Now I am fully expecting him to be the first person to message me on May 21st. Based on the fact he posts under a pseudonym, if all traces of his name are removed can I still just tell him to do one?
 