How to make users to explicitly agree to ToS

Ok I was just showing an example of adding a checkbox to the signup form. Some standard wording will probably become common that everyone can use.


So, Is the check box next to the sign up compliant? I feel like it should be as long as the tos are clearly accessible from sign up. Especially in the case of a private users only install.
But I’m trying to just cover bases and be compliant. Is it a wording issue with the sign up check box, or an issue that it must be separate?
There’s no capacity for stand alone non sso linked sites to make a captive must agree tos/privacy policy at this time as far as I know

I read the enitire article and I understand the law conceptually but I don’t understand how it relates to (my) deployment of Discourse and how to comply.

Both. You need this:

I agree to the terms of service (link)
I agree to the fact that my data X and Y is going to be used for Z


I can handle that. Now to embed a link in the box. Sounds easy, hope it is.

A rare scenario, but worth mentioning: beware that this can be circumvented with mass generated invite tokens. Ordinary invites do honour required custom user fields.

I wonder if this could become a site setting to make life easier for European site owners?


Well, if you’re using mass generated invite tokens, you’ll already need to posess the email address of the user-to-be, so you’ll already have their consent. The same goes for SSO scenario’s: consent should have been given prior to the user logging in to your Discourse forum.


The problem is not whether you have their consent or not but whether you can prove it. Having someone’s email surely doesn’t prove anything. (Besides, the magic with the mass generated invite tokens is precisely that you don’t need people’s email addresses.)

Waiting for GDPR interpretation where you need call a GDPR officer to your house who signs off on your “for real” consent complete with a digital footage.


This onerous EU legislation is a real headache to understand.

I’d really appreciate if Discourse could have a “GDPR compliance” checkbox that would enable the necessary features (read: usability pain).

The cookie law was bad enough - but at least there’s no real teeth to it. With GDPR, on the other hand, the minimum fine for non-compliance is €2M, so I am quite keen on getting this right - at least while the U.K. is still a member of the EU bloc.

Viva Brexit :uk:

At the heart of it we completely agree with the sentiment behind GDPR, but there are just so many interpretations of it out there ranging from tinfoil hat insane madness to pretty lax.

If you look at complaints vs fines odds of actually being fined are enormously low and I doubt this will change though I am no lawyer.

At least they get some better teeth to go after Facebook tracking practices.


It’s not an interpretation. It’s what it says in GDPR Art. 7.1 (Conditions for consent):

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Just sayin’ :rofl:

Honestly, some people go pretty nuts here, and anonymise IP addresses … everywhere … cause reasons … and then can no longer mitigate denial of service attacks.

My personal (NOT DISCOURSE) interpretation of GDPR basically boils down to don’t be a slimeball and collect and resell data (or track users across multiple properties) don’t have lax internal security practices and so on.


IMHO, this will keep you away from most of the accidental problems. However, lack of compliance may attract wrong kind of people - and then you have to show them that somebody claiming to be owning their email address clicked said checkbox on that day. That shields you in the best possible way.

VPNs and other stuff does not really matter here - if the user claims it was not him, you did your job, remove him from the database and you are done. You could not do anything more, or doing anything more was not reasonable.

But you need to get basics right.

I don’t dare to make predictions, but that’s what I’d hope too.

However, there are two sides to this: one is official law enforcement. Another, however, is internal compliance procedures, especially in public administrations (perhaps most relevant here: universities, but also, say, city administrations, for example): in my experience, these organizations will be annoyingly cautious in making sure they don’t do anything wrong because nobody wants to be the one responsible in case something goes wrong. In this internal compliance process especially, where it would help tremendously to be able to point decision-makers to some site setting called “enforce active consent to data processing” or something like that.

In a way, there is a chance for discourse establishing “common practice” and thereby influence how the law is interpreted.

I don’t think it’s a simple as that. On dicourse you can’t simply remove a user from the database…

1 Like

The minimum I’d expect from discourse is admins being able to at least anonymise an account (break the connection between user and his data).

What I meant to say is that in such a case the consent process is unrelated to Discourse.

That is incorrect. There are no minimum fines.

I expect the contrary. Because the cookie law was never really enforced, people never took it seriously. You can see that when this law was made, the lessons learned with the cookie law have clearly been applied. My personal prediction is that in Q3 2018 the authorities will set a few examples by imposing a huge fine and a lot of publicity upon some pretty well-known companies.

1 Like

There are in fact minimums, it’s a set amount or a percentage, whichever is higher. Meaning the set amount is the minimum. See Article 83 EU General Data Protection Regulation (EU-GDPR). Privacy/Privazy according to plan.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

No, those are maximums. The text says ‘up to’. Twice.