As we’re quickly approaching May 25th, here’s my (perhaps naive) understanding of certain key Discourse GDPR issues:
Right to Be Forgotten
If the user requests, the admin can use the user info panel to delete all of a user’s posts. Note you may need to up the “delete user max post age” and “delete all posts max” settings but then it’s possible. Once there are no more posts you can then delete the user.
Alternatively, a less disruptive solution is the “Anonymize User” button which leaves the posts but changes the username and everything else about the user so they are no longer identifiable, although recorded IP addresses still linger (?) so that may be an issue (see below).
Be sure to uncheck Settings > Legal > “log anonymizer details” (“Whether to keep a user’s details in the log after being anonymized. When complying to GDPR you’ll need to turn this off.”)!
The user has a “Delete My Account” button on their own info screen, but I believe only if they have a small number of posts.
So I think Discourse is okay on GDPR compliance here, as long as it’s documented in the privacy policy that they must contact the admin to do some of these operations.
Data Portability
Via the user’s own info panel they can click the “Download All” button to download all of their posts. I believe this is only the text, not any uploads, although I’m not sure about that. It’s not clear if this also includes private messages sent via Discourse, although I assume it would need to. Again, if documented in the PP then I’m hoping we’re GDPR-compliant here.
Explicit Consent to Emails
By default a user will receive email if someone messages, quotes, replies, mentions, or invites them. They will also receive, by default, a digest email of popular topics and replies.
On sign-up they consented to the terms of service but not to these emails. Perhaps something like this:
The forums service can send me emails when my forums user is messaged, quoted by, replied to, mentioned, or invited by another forums user.
The forums service can send me a weekly digest email of popular topics and replies.
I agree to the terms of service and privacy policy.
If they consent then Discourse would need to record the consent date, not just a boolean, so we can match it to a ToS/PP revision.
If not checked, then all emails like those should be off by default. Perhaps after activating their account Discourse could show an email opt-in screen. Again, consent records the opt-in timestamp, unchecking should record the opt-out timestamp.
In lieu of this, is there a way to turn all of this off (a) by default for new users, and (b) for all existing users? They could then turn it on manually via their info screen. This tip is related but doesn’t change the default:
This doesn’t tackle the issue of recording opt-in / opt-out dates but it’s better than automatic opt-in.
I realize I can disable digest emails for all users and even disable emails entirely, but I simply want to turn it off by default until they opt-in, not disable it entirely.
IP Addresses
Discourse stores each user’s last IP address and registration IP address. These are visible to admins in the user info screen. It is my understanding that GDPR considers IP addresses as personally identifiable information so, while there are legitimate uses for rate limiting, etc, if Discourse is keeping this data indefinitely then explicit consent may be needed. Or ideally Discourse can decay/hash this data automatically after some period of time.
Many more details in this thread:
Re-consent to Changed ToS / Privacy Policy
If we have to update our ToS and Privacy Policy new users would be okay but we’d need existing users to re-consent to these changes before continuing use on the forum. Again, we’d need to record the timestamp of the consent so we can pair it to a ToS/PP revision.
More details here:
To be honest, I’m not sure why a blanket pinned topic “Our ToS and PP have changed. By continuing to use this service you agree to these changes.” (with hyperlinks to the ToS and PP) wouldn’t suffice. Perhaps some more knowledgeable person can chime in here. Does every site now need to record an explicit opt-in?
What Others are Doing
It looks like some other discussion forums vendors are rolling out GDPR changes and statements. Something similar from Discourse would be most welcome as we get closer to GDPR Day.