I know you’re looking for a clear, simple and short answer, but unfortunately this is a long and, in parts, complex answer. This reflects the reality that no-one yet knows how consent under the GDPR will be applied in practice.
What I can do is explain what’s going on and what you need to know in order to make an informed choice. I have given some specific suggestions on what I think you should do (see bottom).
I’m expanding on what I’ve already mentioned in various places before (including in this topic), as I think some people are still feeling a bit lost.
Consent is only one basis of handling user data in the GDPR
It’s important to understand that consent is one of six lawful bases for processing personal data in the GDPR. These are set out in Article 6.1 of the GDPR. Another relevant lawful basis is what’s called “legitimate interests” (6.1(f)). It’s also not clear how ‘legitimate interests’ will be interpreted. The UK Information Commissioner’s Office has this to say about it:
- Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
To this, I would add that various uses of personal data in Discourse for security, spam prevention and stability seem quite similar to the specific legitimate interests mentioned in Recital 47 (which discusses the concept more discursively than in Article 6).
While this seems to me to be a reasonable ground to rest on for most of the processing in Discourse. There is a real possibility that some authority or court could decide that the ‘Legitimate Interests’ ground has a limited scope and is intended for emergencies and / or things like crime prevention.
Here’s an example of someone who takes a restrictive view of legitimate interests.
Some folks have also raised Article 6.1( c) “performance of a contract” as a ground for processing. Personally, I don’t think this is a great ground to rely on as:
-
What counts as a contract, and what counts as terms of the contract (i.e. whether incorporating T&C’s by reference at the time of signup counts) depends on the jurisdiction you’re working in.
-
The data controller (i.e. the forum provider) is not under a “legal obligation” to provide anything to the user, and probably would not want their relationship characterised in that way in any event. There is no quid pro quo here.
cc @RGJ
If you decide to rely on consent, it’s a high bar
It’s also important to understand that if you decide to rely on user consent as the basis for processing personal data, that:
-
Consent must be clear, positive and unambiguous: “clear affirmative act establishing a freely given, specific, informed and unambiguous indication” (R.32).
-
Consent must be given for each individual purpose of processing the data: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.” (R.33)
-
There must be a way for the user to say no (at any time): " Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." (R.42).
See generally Article 7 of the GDPR.
Furthermore, the UK’s Information Commissioner’s Office has advised, amongst other things:
- Keep your consent requests separate from other terms and conditions.
- Make it easy for people to withdraw consent and tell them how.
- Avoid making consent to processing a precondition of a service.
There are already claims under the GDPR focused on consent
The NOYB’s recent complaints under the GDPR against Google and Facebook are one example of how consent can be interpreted as a high bar in the GDPR.
For example, the complaint against Google mainly concerns ‘consent’ to terms and conditions and a privacy policy for the Android operating system when setting up a new phone.
The complaint discusses the effect of the power imbalance between the provider (i.e. Google) and the user on the user’s consent. They also make claims specific to each of the elements of consent mentioned above.
Relevant to your question, they claim:
On page 11 of its Guidelines on consent under Regulation 2016/679 (WP259) the Article 29 Working Part [sic] gives the example of “downgrading” a service when consent is not given, as a situation where there is a detriment to the data subject.
In the present case, the controller simply does not offer any service without data subject’s first agreeing to the terms and to the privacy policy. Being denied the use of any of these services could be seen as something worse than the simple downgrading of a service.
I will be watching the progress of these complaints to see how the Authorities they have been filed with respond.
So what should I do?
Personally, I think the best strategy for the legal basis of processing under the GDPR at the moment is to:
-
Rely on legitimate interests for the processing personal data relevant to running the forum, security of the forum and ancillary matters such as spam.
- This would cover the collection of ip-addresses for the legitimate purpose of security etc.
- The various ways user identifiers are used in Discourse internals to make the site work are constantly changing and hard to specify in a sufficiently specific way to be ‘consented’ to.
-
Rely on consent for the processing of email addresses for sending the digest email and / or other user notifications.
- The user can not give consent and continue to use the service.
- Consent can be clearly given and withdrawn at any time.
- A user’s email is perhaps the most sensitive piece of personal data collected, and sending emails is perhaps the most ‘intrusive’ part of Discourse.
This is just a personal, non-legal, opinion that could well change based on:
- The outcome of matters like NOYB’s filing
- Updated advice from authorities.
So what specifically should I do?
You should update your privacy policy to reflect the strategy you’re taking in clear, readable terms and make sure users, new and old, know about it. To notify your users you could use:
- an email.
- a forum notice.
- the Custom Wizard plugin.
- the new Discourse Policy plugin.
But, if you follow what I’ve explained above, you’ll understand that personally I don’t think it’s strictly necessary to get your users to ‘consent’ to your privacy policy at this time. With respect to the GDPR such ‘consent’ may not mean much.
Regarding consent to the use of email addresses, specifically the digest, there’s a topic on that here which covers most of the relevant aspects. On whether anything needs to be done to ensure new and existing users have given explicit consent to digest emails, I am working on a feature for the Legal Tools plugin that may help in that respect. In the meantime, you have two options:
-
Rely on the existing controls to satisfy the demands of consent, as laid out here: GDPR and the Digest email. These are probably sufficient.
-
Turn off digests.