GDPR countdown and compliance

It also works via the console. An ip_anonymizer may be helpful as well, i.e., the same behavior with :anonymize_ip =>“” but without anonymizing the user (for some time period).

Mostly via-via to be frank, lawyers I know, lawyers friends know…

Dutch articles are also raving right now about privacy watchdogs getting an easy way for a good income.

But a quick google brings me to:

Apologies for not clarifying that.


can be up to 4% of your revenue.
That is, in case you were really making a mess and deliberately infringing on people’s privacy.

Nope. Don’t see any chaos here. Just a lot of companies that are (finally) taking our privacy seriously.


Thanks for the correction. And to be fair, that is theory still.

Guess you know better companies than I do. :slight_smile:

The local university in my area is, from what I am hearing through the grapevine, in a bit of a pickle as they’ve hundreds of old systems they can’t simply update. One of the more prestigious ones in the country.

I’ve had a few companies tell me they might outright shut down depending on how the first lawsuits go, and a friend of mine who runs a marketing consultancy has switched careers as she doesn’t expect to be able to do her job anymore.

And to be frank, we’ve heard “GDPR will change everything” so often now, that a lot of people just seem sick and tired of the whole discussion.

Not arguing it’s a bad thing per se, I wish there was an exclusion for smaller companies (some of which are in pretty deep crap, as many are using systems that they haven’t updated in 5+ years and can’t update now) but I definitely would call this a chaotic situation.

There’s so many GDPR workshops, consultancy companies and such around in my area…

Either way I think this is a very serious matter, and I am deeply concerned by how decisively not-ready pretty much everyone seems to be. I don’t think IPB or other forums are fully compliant yet either…


Small Dutch organizations do not have to worry about getting fines quickly if they have not yet properly protected personal data.

" Minister Dekker does not think that this authority will immediately issue fines to small organizations"

The key here is “think”. The website for the law says explicitly they do have to keep to said law, and the European Union has its own authority that seems to be involved here as well.

I would feel a lot better with an official inclusion or perhaps a warning system, or perhaps similar to our tax system a “You have to follow this law in x months if requested to by the authority, or with over xx income in the EU”.

Perhaps this is a different topic though :stuck_out_tongue: Regardless, I’d sleep a lot better knowing we’re all in compliance.

This is sloppy language of the author and not a quote of the minister.

Translated from Wat zijn de risico’s bij overtreding van de AVG? Deel 1: boetes - ICTRecht

Considerations when imposing a fine

From the GDPR it also follows that a supervisor must carefully consider whether the imposition of a fine is appropriate (effective, proportionate and dissuasive) for the violation. When it comes to a small infringement, you can also opt for a reprimand instead of a fine. Supervisors may draw up their penalty policy at their discretion. The supervisory authority must in any case take into consideration the following considerations in its consideration (whether or not to impose a fine and the amount of the fine):

  • The nature, severity and duration of the infringement. This involves looking at the number of affected parties and the extent of the damage suffered by them;
  • Whether the controller or processor acted deliberately or negligently;
  • The measures taken to limit the damage;
  • Previous infringements by the controller or processor;
  • To what extent has the co-operation been granted to the regulator to remedy the infringement and to limit the damage;
  • Which category of personal data is concerned;
  • How the supervisor has been informed of the infringement, in particular whether the controller or processor himself has made a report;
  • Compliance with a previously imposed corrective action;
  • Whether the controller or processor is affiliated with approved codes of conduct or certification mechanisms;
  • Other aggravating or mitigating factors.

Well, we’ll see how it works in practice and how the other countries are treating this in the coming weeks I guess.

But keep in mind the Minister also is not all powerful in this.

Thank you for the information regardless.


You can use the Legal Tools Plugin to do this.

As @HAWK points out, the ability to do this is not determinative of compliance.

The GDPR is mostly about how you run your forum, rather than the software per se. It’s not that how the software is built is irrelevant, it’s that it shouldn’t be your primary focus.

That said, I completely understand why folks are anxious about the GDPR. It’s not irrational to feel anxious about it, particularly if you’re a small outfit.

If anyone has any remaining specific concerns about the GDPR and Discourse that have not been covered already please raise them here and we can deal with them together.

Whatever it is, we can fix it. But please be specific and read up on what has already been covered first.


We have a lot of people being anxious about that *** GDPR law here in Germany. There are lots of those admonish lawyers waiting for the law and rubbing their hands. The government did nothing beforehand to prevent those lawyers from admonishing for every small error. So it’s a big business, also for the government. They will earn a lot of money when big companies get sued.

I am happy about you guys taking that matter seriously!

Please note that (contrary to how this would be in e.g. the US), the fines will not be paid to the plaintiff, but to the state authority. This severely limits the incentive to file bogus lawsuits.

Yes, you can sue based on a data-breach, but that was already the case afaik.

Then they probably shouldn’t exist. I also can’t run a cocaine farm due to regulation. I won’t shed a single tear.


So, to clarify the current status for compliance regarding the issues I raised in the first post:

Consent to Updated Privacy Policy / Terms of Service :white_check_mark:

We can use @angus’s amazing custom wizard to construct a consent to new privacy policy and ToS (which can state that emails are used to “notify you about posts and other activity on the forum”):

IP Addresses :hourglass: :white_check_mark:

Sounds like a ton of work was done with regards to IP addresses and will be part of an upcoming 2.0 or 2.1 build so we’re almost there:

Data Portability :white_check_mark:

We can use @angus’s Legal Tools Plugin to allow users to download all collected data about themselves.

And perhaps some of this work can go into the normal Download button handler after the IP addresses issue is fully resolved.

Great job everyone! :clap: :clap: :clap:


How about handling all cookies that are present at Discourse including third-party cookies:

This has been discussed in some depth here:

tl;dr: Cookie use in standard Discourse is either non-user-specific or falls under the ‘legitimate Interests’ basis of data processing and storage, rather than consent. If you’re using third-party services, such as analytics or ad-based services, you may need to obtain consent. In the topic I linked to, there’s some examples of using purpose-built services to obtain consent for cookie use.

To your specific point about notices, you can provide a statement about your cookie use in your privacy policy, in a globally pinned topic and / or in a banner.


The Discourse forum is shutting down due to GDPR.

I don’t think it’s a good measure to shut down the forum because of GDPR, in fact, moving to reddit does not solve the problem at all.

GDPR is here to stay, and we need to learn to be compliant. And the Discourse community is doing their best to prepare the platform. Just my view.


Wouldn’t it be beneficial to everyone if the admin shared an anonymized version of the requests and perhaps we could help agree an appropriate response together? We could then understand the result and ultimately develop a standard response to such requests? This is going to be repeated on forum after forum and it’s best we don’t reinvent the wheel every time?

I would also like to understand if these requests are from an individual or an agency?


Wow, embedded in that thread are two incredibly useful and insightful articles.

One from LinkedIn, where a PwC consultant, presumably a lawyer, has kindly drafted a ‘worst case’ letter that you might receive so you can prepare how to respond in the ‘worst case’ (please don’t send this to your forum admins, be nice :wink: ):

(you will note the article has a lot of good feedback and a number of good samaritans have translated it into other languages including Dutch & Greek, links in the comments)

Also, here is someone’s proposed response:


It doesn’t solve the problem, but it does shift the problem to someone else. Unfortunately as that admin pointed out, it makes your privacy as a user worse and of course limits your agency as an admin (reddit can do anything they want with content you post on their site). In this case the admin was afraid of theoretical fines to the point where they thought the trade-off was worth it.

Seems a bit extreme because at this point there’s no indication that the GDPR can be used maliciously to fine someone acting in good-faith to the point of financial ruin… there’s just a lot of fear-mongering.


Totally agree. And who was this troll? It’s very different if the EU’s legal department is calling you up or if it’s a layman who has a sketchy interpretation of the law.

I believe the admin should simply be more thick skinned, do what is reasonable and see how things go. Arguably, he doesn’t need any legal counsel unless he’s summoned to court. Would the troll really go so far? And even if it got to that stage, some legal eagle with a reputation to enhance is going to offer pro bono support because it will be a headline grabbing test case that will attract more business … that is if there is any case to answer!
