GDPR and the Digest email

gdpr

(David Rice) #1

Here’s a question…

Does the email digest, sent out automatically, contravene the GDPR post 25 May if users haven’t explicitly asked for it?

Discourse sends all active users the digest but there seems to be no way of switching it off for all users then asking them to re-enable the option if they want to.

Thoughts???

Cheers,

Dave


#2

Did you read this How to make users to explicitly agree to ToS ?

#gdpr


(David Rice) #3

Hi @SidV,

yeah, I gave that a skim through and there are some useful points when signing up new users after 24 May. Still not sure where the date of agreement is stored - signup date I presume! :wink: But what happens if they give consent later, after registration???

I’m more concerned about the 2,500 users I already have! None of them have explicitly given permission to use their email to send them the Digest. How do I get that permission in a simple, straightforward way?

Cheers


(Daniela) #4

Your users can

  • say to Discourse “don’t send me digest emails” from their profile /preferences/emails. Just disable the entry “When I do not visit here, send me an email summary of popular topics and replies”
  • unsubscribe the digest email

You can

  • disable digest email globally, see the site setting disable digest emails
  • disable digest email for users not seen on the site for more than (n) days (see the site setting suppress digest email after days)

(David Rice) #5

Thanks @Dax,

all good points, I’ve had a look at all of those solutions, but it doesn’t solve the problem.

I can disable the digests altogether - not great as they’re useful.
Asking users to flick a switch on their profile page is fraught with danger - what happens if they don’t do anything - that’s no excuse in the eyes of the law???

I guess what I’m looking for is a way to ‘unsubscribe’ all users, whilst keeping the digest active. Then emailing them before May 25 asking them to re-subscribe and being able to store the date of subscription.

That seems a logical and simple way of being compliant.

In my case that’s the only issue I’m having with compliance. Everything else seems covered by existing mechanisms.

Cheers


(Jay Pfaffman) #6

This hasn’t been tested (so do a database-only backup first), but this should do it:

cd /var/discourse          # Discourse install directory on the host
./launcher enter app       # shell into the running app container
rails c                    # open a Rails console inside the container
# Turn the digest off for every real (non-system), non-admin user:
User.real.where("not admin").update_all(email_digests: false)

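The console one-liner above flips the flag but leaves no record of when, or why, each user was opted out, and Dave’s follow-up need is a stored date of re-subscription. The example below is added here and is not Discourse’s code nor the command from the post: the `User` struct, `ConsentEvent`, `DigestConsentLedger` and the sample users are hypothetical stand-ins for the real models, built so the script runs offline. It shows the same bulk opt-out (skipping admins and users already opted out), an opt-in that stores the consent timestamp and its source, and an audit check that finds digest flags switched on with no matching consent record.

```ruby
require 'time'

# Hypothetical stand-in for the Discourse user record (not the real model).
User = Struct.new(:id, :username, :admin, :email_digests)

# One ledger entry: who, opt_in/opt_out, when, and which flow produced it.
ConsentEvent = Struct.new(:user_id, :action, :at, :source)

# Append-only ledger: the flag on the user is the current state, the ledger
# is the evidence of how it got there.
class DigestConsentLedger
  def initialize
    @events = []
  end

  # Bulk reset equivalent of the console one-liner, with a recorded reason.
  # Admins are left untouched, and users already opted out get no entry.
  def bulk_opt_out(users, source:, at: Time.now.utc)
    users.reject(&:admin).each do |u|
      next unless u.email_digests
      u.email_digests = false
      @events << ConsentEvent.new(u.id, :opt_out, at, source)
    end
    self
  end

  # A user re-subscribes, e.g. via the link in the pre-25-May email.
  def opt_in(user, source:, at: Time.now.utc)
    user.email_digests = true
    @events << ConsentEvent.new(user.id, :opt_in, at, source)
    self
  end

  # Timestamp of the user's latest consent, or nil if the last recorded
  # action for them was an opt-out (or nothing was ever recorded).
  def consent_date_for(user)
    last = @events.select { |e| e.user_id == user.id }.last
    last && last.action == :opt_in ? last.at : nil
  end

  # Non-admin users whose flag says "send digests" but who have no consent
  # on record: flags changed outside the ledger (or before it existed).
  def audit_mismatches(users)
    users.reject(&:admin).select { |u| u.email_digests && consent_date_for(u).nil? }
  end

  # Who should actually receive the digest: flag on, and for non-admins a
  # recorded consent. Mismatches found by the audit are deliberately excluded.
  def digest_recipients(users)
    users.select { |u| u.email_digests && (u.admin || consent_date_for(u)) }
  end

  def events
    @events.dup
  end
end

# Constructed sample data and a walk through the whole flow.
def demo
  users = [
    User.new(1, "dave",  true,  true),   # admin, untouched by the reset
    User.new(2, "alice", false, true),
    User.new(3, "bob",   false, true),
    User.new(4, "carol", false, false),  # already opted out, no entry written
  ]
  ledger = DigestConsentLedger.new
  ledger.bulk_opt_out(users, source: "gdpr_reset", at: Time.utc(2018, 5, 1))
  ledger.opt_in(users[1], source: "resubscribe_email_link", at: Time.utc(2018, 5, 10))
  users[2].email_digests = true   # flag flipped somewhere with no ledger entry
  [ledger, users]
end

if __FILE__ == $0
  ledger, users = demo
  puts "recipients: #{ledger.digest_recipients(users).map(&:username).join(', ')}"
  puts "mismatches: #{ledger.audit_mismatches(users).map(&:username).join(', ')}"
  puts "alice consented at: #{ledger.consent_date_for(users[1])}"
end
```

Storing the source of each event (which email or page the click came from) is what turns a timestamp into usable evidence; the audit pass is worth running before every digest send, since a preferences-page toggle that bypasses the ledger is exactly the case Dave worries about.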
(David Rice) #7

ah, now that’s an interesting idea!

looks like it should work.


(Michael - DiscourseHosting.com) #8

That does not fix the problem of new users signing up and getting it enabled by default.

But. I don’t think there is a problem here. You could argue that digest emails are an integral part of the forum, and you are going to need the email address anyway, because it’s not possible to sign up without that.

So GDPR article 6.1 b) says that “processing (which) is necessary for the performance of a contract” is lawful. So that includes storing the email address - because you cannot sign up without it. And when you store an email address, people should expect to get emails.


(David Rice) #9

If only that were true - you may very well be right in the eyes of the law, but many people see their email address as ID, not as a mail address - I know, I know!

But can a digest email be seen as an integral part of the forum? Can it function without them (yes, technically), so I’m not sure that would stand up in court :frowning: I guess it depends on how a forum of any kind is viewed. Is it just what you see on your screen, or is it a wider communication tool?

It’s a minefield. I like the premise of GDPR, but it’s obviously written by non-techie people! The law needs definitions of what’s what, but there aren’t any in the GDPR legislation.


(Michael - DiscourseHosting.com) #10

I disagree. It has many wordings that were obviously chosen very carefully. The fact that things are not spelled out completely is true, but it has been done on purpose, to make the law future-proof.


(David Rice) #11

You may be right, but that vagueness is getting annoying when dealing with specific issues/problems and systems :wink:


(Michael - DiscourseHosting.com) #12

Vagueness allows for creative solutions :sunglasses:


(David Rice) #13

and jail time :scream:


(Michael Howell) #14

And case law :briefcase:


(David Rice) #15

does that apply in the EU?


(Chris Beach) #16

Just got this from the U.K. Parliament website.

If this kind of mass-opt-out/explicit-opt-in is what the U.K. government is implementing on its own sites, then we can safely assume this is what’s expected under GDPR.

Will Discourse offer this?

As for accepting the “contract” of receiving emails on sign up to the forum, no users have ever been presented with that contract on sign up so I don’t think this can be considered a safe defence.

The GDPR is hugely damaging for the forum model. It totally sucks.


(David Rice) #17

I’ve had lots of these types of emails to my personal address. It’s what triggered my initial question really.

I’m not sure a change to discourse is needed for this one time event. But a simple way of doing it would be lovely!

After the 25th, this will be the default behaviour of discourse?

Are we getting a GDPR update to include the required functionality? Including logging of consent dates etc, new default privacy details and terms and conditions?

Cheers!


(ljpp) #18

I am not too worried about the emails. I just read an interview of a lawyer, where she stated that an existing customer relationship is a valid reason for sending out the necessary emails. She explicitly made an argument that GDPR panic letters from online retailers and service providers are mostly unnecessary. Marketing emails have required an opt-in consent for a long time (may vary between countries), but Discourse generated emails are not marketing. There is an existing relationship between the user and the community service and email is one user interface to the service (notifications, summaries). And the user can already opt-out.


(Michael - DiscourseHosting.com) #19

Do you have a link to the interview?


(ljpp) #20

Sure do! I hope your Finnish is fluent.

The key paragraph is here:

In the consumer’s case, the right to collect the data arises when there is, for example, a customer relationship. Sending electronic marketing messages, on the other hand, requires the consumer’s prior consent. This has been the case in Finland up to now as well.

For once, Google Translate does a decent job:

In the case of a consumer, the right to collect information is generated when there is, for example, a customer relationship. The sending of electronic marketing messages requires the consumer’s prior approval. This has been the case in Finland so far.

The quote is by Ms. Eija Warma from the Castren & Snellman law office, who have an English website but no cookie consent banner!