How to make users explicitly agree to ToS

gdpr
(Christoph) #34

That just means that the maximum fine is either 10m or 2 percent, whichever is higher.

1 Like
(Andy Logan) #35

Guess we’ll see, I’m going off my consultants’ and lawyers’ recommendations, who expect them to push hard on fines, especially with the Facebook debacle of the week.

1 Like
(Chris Beach) #36

Apologies, I was wrong, or out of date, with the €2M minimum fine. The actual minimum fine is €10M:

(Mittineague) #37

Errm, isn’t that more correctly the “minimum maximum amount”? :wink:

5 Likes
(Richard - DiscourseHosting.com) #38

There is no minimum fine. You’re putting the emphasis wrong. Let me try to explain it again, by splitting the sentence.

The first is up to X

Where X = €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher

4 Likes
(Blu McCormick) #39

If anyone was inspired by this topic like I was to add a user field at sign up for people to check that they’ve reviewed the TOS or FAQs or whatever it is they require, here is the very simple way to achieve that:

5 Likes
(Michael Friedrich) #40

That’s exactly what you need, I have implemented that now at https://monitoring-portal.org :heart:
Woltlab for example has that built-in, German company. Don’t know if it makes sense to move this into a generic setting for users, or to just leave that to the user fields (it is somewhat hard to find if you are not pointed to).

3 Likes
(Blu McCormick) #41

Nicely done, Michael. Sounds like we have a decent contingency of European forums in here for whom this use of the customized field is mandated. I might be an outlier for American forums in terms of wanting this feature. I actually prefer having my members click that they’ve reviewed the guidelines at sign up than having a banner pinned at the top of the forum.

1 Like
(Christoph) #42

My hunch is that your wording may not be sufficient:

I’ve read the FAQ and ToS.

People are only confirming that they have read those documents. There is no hint that they are consenting to something by ticking that check-box, let alone that this “something” regards personal data…

3 Likes
(Kane York) #43

I agree to data processing necessary to operate the forum, as laid out in the ToS and Privacy Policy.

So I wrote that down, but isn’t that just laying out the “legitimate interests” allowance?

Of course, the Privacy Policy isn’t really all that accurate if the admins are downloading backups and performing queries on that, is it?

(Christoph) #44

To complicate things further: let’s say user A accepted to have their data processed as laid out in your ToS when they signed up. A few months or years later, you change your ToS in such a way that user A would not accept them, i.e. would not sign up. Doesn’t this mean that in order to fulfil the requirement of being able to demonstrate that the user consented, it’s not sufficient to have a record of the ticked check-box but you need a copy of the ToS as they were at the time of sign-up, no?

To me, this suggests that all the necessary information should be next to the custom user field at sign up, it should be self-contained.

I’m not sure what you mean here.

1 Like
(Andrew Waugh) #45

Similarly if you change the TOS?

Sites like ours which migrated from another platform may also need to make imported users go through the process of accepting the TOS.

(Christoph) #46

I’m thinking that it might be a good idea to actually store your consent records (also) outside discourse, via a webhook. Who knows, depending on how the law will be interpreted and enforced, handling your consent records might become a third party service (hopefully with a good free contingent for forums)…

1 Like
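The record-keeping idea raised in the posts above (keep the ToS text exactly as it was at sign-up, and keep consent records outside the forum), as an added example that is not code from any poster or from Discourse. `ConsentLedger` and its methods are hypothetical names, the ToS texts are constructed, and how a record reaches the ledger (for instance a webhook) is assumed and not shown.

```python
import hashlib
import json

GENESIS = "0" * 64

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _seal(body):
    # Hash of the canonical JSON form of an entry (everything except its own hash).
    return sha256_hex(json.dumps(body, sort_keys=True))

class ConsentLedger:
    """Append-only consent log kept outside the forum (hypothetical design)."""

    def __init__(self):
        self.documents = {}  # ToS digest -> exact text the user was shown
        self.entries = []    # hash-chained consent records

    def record(self, user_id, checkbox_label, tos_text, accepted_at):
        tos_digest = sha256_hex(tos_text)
        self.documents.setdefault(tos_digest, tos_text)
        body = {"user_id": user_id, "checkbox_label": checkbox_label,
                "tos_sha256": tos_digest, "accepted_at": accepted_at,
                "prev": self.entries[-1]["entry_sha256"] if self.entries else GENESIS}
        self.entries.append(dict(body, entry_sha256=_seal(body)))
        return self.entries[-1]

    def verify(self):
        # True only if every entry and stored ToS snapshot still matches its hash and chain link.
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_sha256"}
            text = self.documents.get(entry["tos_sha256"], "")
            if (entry["prev"] != prev or _seal(body) != entry["entry_sha256"]
                    or sha256_hex(text) != entry["tos_sha256"]):
                return False
            prev = entry["entry_sha256"]
        return True

    def needs_reconsent(self, user_id, current_tos_text):
        # Imported users (no record) and users who accepted an older text both qualify.
        mine = [e for e in self.entries if e["user_id"] == user_id]
        return not mine or mine[-1]["tos_sha256"] != sha256_hex(current_tos_text)

# Constructed sample data, not taken from any real site.
TOS_V1 = "We process your e-mail address and posts to operate the forum."
TOS_V2 = TOS_V1 + " We also share usage statistics with a partner."
LABEL = "I agree to data processing necessary to operate the forum, as laid out in the ToS and Privacy Policy."
```

Each record binds the checkbox wording and the digest of the exact ToS text, so a later ToS edit changes the digest and `needs_reconsent` flags every user who accepted the older text.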
(Richard - DiscourseHosting.com) #47

Which is handled by the Discourse post history mechanism, if I am correct.

In such a case it would be sufficient if your ToS would have a clause that states that you will communicate all changes 30 days in advance, and put up a pinned post on your forum that states that continuing to use the forum implies an acceptance of the new ToS.

3 Likes
(Mittineague) #48

Not needed, the onus is on the member
https://meta.discourse.org/tos#12

CDCK reserves the right, at its sole discretion, to modify or replace any part of this Agreement. It is your responsibility to check this Agreement periodically for changes. Your continued use of or access to the Website following the posting of any changes to this Agreement constitutes acceptance of those changes.

(Krzysztof Daniel) #49

This is not legal advice.

It is a little bit more complicated and depends very much on the services, content and fees you are going to deliver. The bigger the value you handle, and the bigger your risk in the case of user misbehaviour, the more you should invest in user verification and the more proof you should have that the user agreed to what he agreed.

In case of a free forum such things rarely matter, but imagine a situation where there is a significant fee introduced with a ToS change. In EU, you cannot do that without getting an explicit consent from the customer (checkbox/button).

I have started this discussion to investigate what I should do with my setup, and it looks like I will have to implement ToS and privacy policy agreements in the SSO tool (Auth0).

1 Like
(Michael Friedrich) #50

You’re correct, thanks. I’m not sure what’s the perfect wording to not annoy users when they register. But still to make them aware that actually clicking the URLs and reading them is important.

Actually, it would need 2 fields - one for accepting the ToS, and the second to have read and understood the FAQ/guidelines. I’ve heavily modified the FAQ as the platform is more like QA and users tend to not know what to collect when asking a question. Similar thing with GitHub and issue templates, e.g. provide the OS, configs, logs and where to look for “troubleshoot on your own”.

I’ve asked our community what they do think, might need til next week for feedback. Weekend is where not many look into monitoring questions in their spare time and there’s expected low traffic.

If you scroll down on https://monitoring-portal.org, you’ll recognise the footer. I’ve added this as German law requires you to have a URL to your legal notice (“impressum” in German) on every single page. This lists personal details such as name and address where the owner can be contacted. I haven’t had that in Austria, but Germany is more special on that.

It is far from perfect and not very “fancy”, but it works for me to be on the safe legal side. Germany is known for legal notice trolls because of that law requirement.

1 Like
(Blu McCormick) #51

I did that too - have links in the footer - using the Flex Footer Theme Component.

I am not required to show a url so just linked words instead.

I don’t include ‘about us’ because we aren’t required to in the US, but once we launch that could change depending on what people find useful.

2 Likes
(Richard - DiscourseHosting.com) #52

This definitely will not hold up in court in Europe, and our legal guy says he thinks it’s not accepted in the USA either - after he stopped laughing.

You have to actively inform your users of such a change.

6 Likes
(Blu McCormick) #53

Usually when fees go up I have been required to click to accept fee increases like with Netflix for example. I got email notices before that. Click to accept changes in tos at sign in would be smart. Along with notices to members prior to that.

1 Like