How to make users to explicitly agree to ToS


(Krzysztof Daniel) #1

It’s one of the GDPR requirements in Europe - the ToS acceptance must be an explicit act (like marking a checkbox), not an effect of a separate action (like pressing the sign up). Is it possible with the SSO?

GDPR and the Digest email
Reconfirm user email (and delete account if not)
GDPR countdown and compliance
(Simon Cossar) #2

Would you be compliant with the GDRP requirements if users agreed to your forum’s ToS on the SSO Provider site? If so, it would be fairly easy to build it into your SSO provider code.

(Lee Strickland) #3

I’m also a fan of this behavior. Some sites do this by “pinned banner” type notices that must be accepted to clear.
I do not have an sso provider to that wouldn’t be an option for me but I agree should work with several sso provider

(Neil Lalonde) #4

You can add a mandatory checkbox to the sign-up form.

GDPR countdown and compliance
(Lee Strickland) #5

That’s a decent solution! I’ll use something like “I have read and agree to the terms of service”
If the whole install is login only, I will have to use an alternate hosted tos and privacy policy for the links on signup page yes?

(Richard - #6

You’re too late then, you’ll already have stored information at that point.

Just having an ‘I accept the TOS’ is not enough for the GDPR though.

This is a good read. Some highlights:

Explicit consent requires a very clear and specific oral or written statement of consent. For example, having the wording “ I consent to receiving emails about your products and special offers ” with an unticked opt in box.

The guidance says “ consent requests must be separate from other terms and conditions. Consent must not be a precondition of signing up to a service unless necessary for that service ”. Consents may be bundled where the processing is genuinely necessary to provide the services

(Neil Lalonde) #7

So they have to write some words into a text field like “I consent to blah blah” and then tick a checkbox? Also… oral statement… like at a notary public… for a website? wow.

(Lee Strickland) #8

I don’t know about that interpretation of that being exactly right. A couple sites I use with a million plus users have been recently overhauled for gdpr compliance and once uses a banner and the other it a tick box on a captive tos page before you sign up. I’m not a lawyer tho

(Richard - #9

No - it just says that the text next to the checkbox should be clear and specific. So ‘I understand and agree that this website is going to use my name and e-mail address in order to send me e-mails’ instead of ‘I accept the privacy policy’.

No, this is not just about websites, the oral statement would work for telephone sales for instance.

Well, here is the literal relevant part of the law, I don’t think you need to be a lawyer to understand what it means.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia , the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Personal note: I find it funny how most non-European people keep talking about the details of the GDPR and how big a burden / weird / illogical it is. I don’t think that’s important, it going to be a law and we will all have to deal with it. We Europeans had to deal with the DCMA and we never complained :wink:

(Neil Lalonde) #10

Ok I was just showing an example of adding a checkbox to the signup form. Some standard wording will probably become common that everyone can use.

(Lee Strickland) #11

So, Is the check box next to the sign up compliant? I feel like it should be as long as the tos are clearly accessible from sign up. Especially in the case of a private users only install.
But I’m trying to just cover bases and be compliant. Is it a wording issue with the sign up check box, or an issue that it must be separate?
There’s no capacity for stand alone non sso linked sites to make a captive must agree tos/privacy policy at this time as far as I know

(Lee Strickland) #12

I read the enitire article and I understand the law conceptually but I don’t understand how it relates to (my) deployment of Discourse and how to comply.

(Richard - #13

Both. You need this:

[ ] I agree to the terms of service (link)
[ ] I agree to the fact that my data X and Y is going to be used for Z

(Lee Strickland) #14

I can handle that. Now to embed a link in the box. Sounds easy, hope it is.

(Christoph) #15

A rare scenario, but worth mentioning: beware that this can be circumvented with mass generated invite tokens. Ordinary invites do honour required custom user fields.

I wonder if this could become a site setting to make life easier for European site owners?

(Richard - #16

Well, if you’re using mass generated invite tokens, you’ll already need to posess the email address of the user-to-be, so you’ll already have their consent. The same goes for SSO scenario’s: consent should have been given prior to the user logging in to your Discourse forum.

(Christoph) #17

The problem is not whether you have their consent or not but whether you can prove it. Having someone’s email surely doesn’t prove anything. (Besides, the magic with the mass generated invite tokens is precisely that you don’t need people’s email addresses.)

(Sam Saffron) #18

Waiting for GDPR interpretation where you need call a GDPR officer to your house who signs off on your “for real” consent complete with a digital footage.


This onerous EU legislation is a real headache to understand.

I’d really appreciate if Discourse could have a “GDPR compliance” checkbox that would enable the necessary features (read: usability pain).

The cookie law was bad enough - but at least there’s no real teeth to it. With GDPR, on the other hand, the minimum fine for non-compliance is €2M, so I am quite keen on getting this right - at least while the U.K. is still a member of the EU bloc.

Viva Brexit :uk:

(Sam Saffron) #20

At the heart of it we completely agree with the sentiment behind GDPR, but there are just so many interpretations of it out there ranging from tinfoil hat insane madness to pretty lax.

If you look at complaints vs fines odds of actually being fined are enormously low and I doubt this will change though I am no lawyer.

At least they get some better teeth to go after Facebook tracking practices.