GDPR compliance when using public user profiles

Hello,

European data protection law, namely the GDPR, lists as one of its core concepts the principle of privacy by default.

I think the option “hide user profiles from public” should be ticked by default for new Discourse installations.


If user profiles are shown by default, users should be at least informed in the ToS to be confirmed at sign-up (up to every Discourse admin).

Then if user profiles are public by the configuration of the forum, users should have an option in their profile to opt-in (privacy by default) to be part of the listing of public profiles.

I am convinced the last option is really important for European Discourse installations. Note that the server location does not play a role here. It’s about the intent to have European users.

Confidentiality is part of security. Hence, European authorities could see public profiles without user consent as a security breach or a breach of personal data. That’s why I think this issue is more a bug than a request for an enhancement.

I disagree, particularly since user pages are excluded from web crawler indexing by default already.

If you want your site to be private, make it login required.

3 Likes

I do not believe the exclusion from web crawler indexing changes the legal assessment significantly. Let’s say user A has never posted anything, but has an account. It is not essential for the purpose of reading the forum to have a public profile. Nor can I imagine that legitimate interest can be a legal basis here. In conclusion, public forums are better enabled on an opt-in basis using consent.

Even if profiles are only visible to those with a login, it is still not necessary, and also for sharing personal data among logged-in users of an internet forum, a legal basis is required.

@Judith, @ChrisBeach, @AlecDobbie, @RGJ - you commented on GDPR compliance questions before. Have you all enabled the option “hide user profiles from public”?

As long as the forum users have no means to opt in to being listed in the public user directory by an affirmative act (let’s assume consent as a legal basis), I think public user profiles shall be disabled for GDPR compliance with “privacy by default” and most likely for lack of legal basis.

Then those installing in Europe can tick the necessary boxes on site setup. If this is not to your liking, perhaps you can choose another free open source software that is more to your liking?

Note that even on Twitter when an account is marked private it can still be looked up and browsed for existence and basic profile info (whatever is provided by the user). Should Twitter shut down due to GDPR?

I don’t see a reason to change the default. There is no personal information visible on public profiles unless the user chooses to put something in the bio or any other profile field.

2 Likes

What about:

  • last activity
  • username

Leaving aside that users filling out the bio may not be conscious of the current access restrictions on reading the bio.

The username is all over the place. You can’t remove it from Discourse.

Don’t want to be identifiable by your username? Choose a random one.
Don’t want your last activity to be seen? Don’t log in. You don’t need to if it’s a public forum. Heck, if it’s a public forum you don’t even need an account for reading.

Don’t get me wrong. I’m all for privacy by default, but a registered user can’t hide on a public forum. It’s simply not possible. If someone wants to see the hidden information about a user, they simply create an account for themselves.

The only real solution is to make the forum “login required” and enable “invite only” and/or “must approve users”.

3 Likes

Although I do agree with you - note that from a legal point of view, a random username is still tied to a specific person and therefore it is personal information subject to the GDPR.

If it is a public community, it is not essential for the purpose to read the forum to have a user account at all. So just read the forum as an anonymous user.

If it is not a public community, then the community owner apparently finds it important that this is a closed user group. You will only share your profile information with other users within that community. I would argue that being part of a community means that you are visible as such. If you create an account at a forum, you can expect that a user profile is created. You can choose how much information you will be sharing there. My personal stance is that explicit consent is not required since you already made the explicit decision to sign up.

There is still something like common sense and there is no need to get carried away…

5 Likes

I just stumbled again upon GDPR Art. 25 (2), which reads:

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

Source: Art. 25 GDPR – Data protection by design and by default | General Data Protection Regulation (GDPR)

I think that one must distinguish between:

  1. give forum users the possibility to click on an authors name and access this profile, and
  2. give forum users the possibility to have a complete list of all forum users

I imagine 1. is necessary for the purpose of engaging in a conversation with people that I only know from the Internet. It is helpful to know a bit about whom I am talking to. Insofar, I agree with @RGJ that one can expect those in a community who speak up to reveal their identity.

Yet, I still do not understand the legal basis for point 2. and still believe that publishing the list of all users (for logged-in users in some cases) without explicit opt-in does violate privacy by default as laid down in the article cited above.

  • Creating a user profile does not require being part of a list open to scrutiny by all others or even the entire Internet.
  • As I said, the existence of a unique profile alone, the username, and time stamps qualify as personal data.
  • I think you mix up pro-active affirmative consent and the stronger form, explicit consent. Anyway, the GDPR does not allow bundling consent, because then consent is not freely given any longer. If the controller cannot prove to the DPA (and in case of complaints, judges) that a user’s consent was freely given, then it is not valid and the processing is not legal.

Is there a difference between publishing profiles of all users separately, and publishing a list of all users?
(I don’t think so).
Users can easily be enumerated in various ways and even if that wasn’t true, there is no difference GDPR-wise.

No. When a user signs up for a forum, the legal basis for processing isn’t consent at all, it’s performance of a contract.

2 Likes

I think so, because the list constitutes a central, sorted database that gives a complete overview of all user accounts. Without the list, I would need some part of the username to search for the profile or a post from that username.

I try to make a comparison: People in my street are ok with having their name on their door. However, they may not be ok with being listed as street residents in the city map.

Do you have a GDPR-compliant Discourse privacy policy at hand from which you can cite the relevant passage determining the purpose? Note that even if processing for a contract is the legal basis, privacy by default must be upheld.

I’m closing this. Armchair lawyering is completely pointless.

7 Likes