GDPR and Social logins- collecting consent


#1

I haven’t come across any mention of social login and GDPR, so I was hoping to find someone who has implemented GDPR compliance while using social login. What did you change in your registration and sign-in process flows to gather the required consent? What considerations were made for existing members (who registered with your website pre-GDPR)?

Our sign-in form has an email/password option or buttons to sign in with your favorite social platform. How are you displaying the consent options in this case?

Thanks!


(Christoph) #2

In what way is social login relevant for GDPR compliance? All social login does is to save the user the email confirmation email and some typing.


#3

We’ve integrated SSO with our own internal user management system, which is separate from Discourse. We transfer user info from FB to our local system during registration. I was hoping that another site or two was similar in that fashion.

Also, we had existing users using social login who hadn’t explicitly consented to that data transfer pre-GDPR-compliance-deadline.


(Christoph) #4

Although technically a social login is a kind of SSO, I think their legal implications are very different.

As I said, I can’t see how social logins that people use to register on your forum are GDPR relevant for you.

Yes they have. That is how social logins work. Besides, you don’t need consent for most things (if any) that you do when running a discourse forum. See here (and following post):

SSO, on the other hand, is GDPR relevant if you are the SSO provider, which you apparently are:

Assuming that the processing of personal data in your user management system is legal on the grounds X, Y, and Z, the question is whether X, Y or Z also cover the forum (perhaps because you have a support contract with those users and Discourse is simply the software you use for providing that support, perhaps replacing a different system), but it seems more likely that your previous legal grounds X, Y and Z are not covering the processing of personal data in Discourse. For that reason it’s probably a good idea to make people accept your forum privacy policy the first time they log in via SSO (I believe that is when the data is transferred).

Please note that I’m not a lawyer and the above does not constitute legal advice.


#5

Thanks for the excellent reply.

Our issue was more for existing users (that registered using social login before anything GDPR related) signing in for the first time post the GDPR-compliance changes we made.

We’re also doing some data processing outside of Discourse, within WordPress and some custom apps, with the same users. That’s probably something I should have mentioned. And thanks for that post. It’s one I read previously.

Yup, this right here.

Thanks again!