I need all existing WordPress users Synchronised/Imported into Discourse so that they are active Discourse users WITHOUT the users needing to first login to WordPress to trigger the SSO Discourse account creation process.
Is this a feature that’s currently available or do we need to develop a custom feature for this?
It’s not available. In addition to being unethical it could well constitute a breach of data protection laws. This kind of activity is expected to be opt-in, rather than opt-out.
Your users need to know up-front where and how their personal information (including email addresses) is being processed. If they register on your website you can’t automatically assume that they also want an account or any emails from your community.
There are lots of ways to encourage participation, I would recommend you consider something along those lines.
In addition to @Stephen’s important point about data use, I’d just add that anything like this is an import of data into Discourse, and not something that the WP Discourse plugin handles.
And yet it is. If I’m creating an account in a blog, webstore, whatever, I don’t expect that the owner/admin moves my data to another system, no matter if it is a Discourse, Mastodon, Twitter, proprietary app or just something that an owner wants for their needs.
And in the EU it is illegal too.
Why does every goddamn admin know better than me what is the best option for me?
I do imports of data to Discourse, typically when people move from some legacy forum to Discourse. No one has ever questioned whether that was ethical.
I suppose it depends on what users thought they had signed up for. If Discourse is replacing a part of the WP site, it could be fine.
That is a different situation. The meta doesn’t change, only software. It is like changing from Shopify to WooCommerce — it is still the same e-commerce.
I know you know the difference, but Meta, Apple, Google, Twitter… are not the only players who think they can and should do what they like with users. It applies to smaller players too. Something like GDPR is not an issue because it is a limiting act from the EU. It is such a big issue to so many because it is limiting the acts of owners of platforms. Same-same when the topic is how to sync all users from one to a second, but the Big Question™ should be: should we do such an operation in the first place?
Precisely. As data controller we don’t get to add new ways to process user data in ways which fall outside the original purpose without their prior consent. I’ve had the misfortune of working in environments where this wasn’t understood and ultimately led to the staff responsible bearing the brunt of their error.
Plenty of organizations will assume it’s a risk worth taking. It really isn’t.
Also true, and this isn’t some new thing which arrived with GDPR, we published papers ten years ago explaining the responsibilities of the data controller, data processor, and the legal scope of processing. Europe, the UK and the US all have protections in place for this scenario. The Safe Harbour Privacy Principles blurred the lines for a few years, but they were thankfully overturned in 2015.
That’s the dangerous bit - it’s not just the likes of Meta who are misusing our data. Site operators are typically technical personnel who understand databases but not their risk exposure when sharing information between systems. Ignorance thankfully isn’t a credible legal defense.
There are plenty of times when there is nothing unethical or illegal about migrating users from one system to another. One example was brought up and then you say that’s different. Different than what? All we know is a person asked about migrating users from WP to Discourse.
It’s not different at all. It’s precisely what is being described.
Surely where you put the data internally (so long as you are careful and follow procedures to protect data and data access) is moot.
If emails from either system follow the same opt-outs, surely it’s moot?
If the WordPress and Discourse instances are owned by the same legal entity then surely there isn’t a problem here?
Is there some GDPR clause that prevents you from moving the user record within the confines of the company’s systems? I’d find that very surprising: would you have to seek user permission to migrate to new platforms? What if I moved the database from Postgres to Oracle? It doesn’t seem sensible to me but then I’ve not read the detailed wording of the law so perhaps I’m missing something?