Nicely done, Michael. Sounds like we have a decent contingency of European forums in here for whom this use of the customized field is mandated. I might be an outlier for American forums in terms of wanting this feature. I actually prefer having my members click that they’ve reviewed the guidelines at sign up than having a banner pinned at the top of the forum.
My hunch is that your wording may not be sufficient:
People are only confirming that they have read those documents. There is not hint that they are consenting to something by ticking that check-box, let alone that this “something” regards personal data…
I agree to data processing necessary to operate the forum, as laid out in the ToS and Privacy Policy.
So I wrote that down, but isn’t that just laying out the “legitimate interests” allowance?
Of course, the Privacy Policy isn’t really all that accurate if the admins are downloading backups and performing queries on that, is it?
To complicate things further: let’s say user A accepted to have their data processed as laid out in your ToS when they signed up. A few months or years later, you change your ToS in such a way that user A would not accept them, i.e. would not sign up. Doesn’t this mean that in order to fulfil the requirement of being able to demonstrate that the user consented, it’s not sufficient to have a record of the ticked check-box but you need a copy of the ToS as they were at the time of sign-up, no?
To me, this suggests that all the necessary information should be next to the custom user field at sign up, it should be self-contained.
I’m not sure what you mean here.
Similarly if you change the TOS?
Sites like ours which migrated from another platform may also need to make imported users go through the process of accepting the TOS.
I’m thinking that it might be a good idea to actually store your consent records (also) outside discourse, via a webhook. Who knows, depending on how the law will be interpreted and enforced, handling your consent records might become a third party service (hopefully with a good free contingent for forums)…
Which is handled by the Discourse post history mechanism, if I am correct.
In such a case it would be sufficient if your ToS would have a clause that states that you will communicate all changes 30 days in advance, and put up a pinned post on your forum that states that continuing to use the forum implies an acceptance of the new ToS.
Not needed, the onus is on the member
https://meta.discourse.org/tos#12
CDCK reserves the right, at its sole discretion, to modify or replace any part of this Agreement. It is your responsibility to check this Agreement periodically for changes. Your continued use of or access to the Website following the posting of any changes to this Agreement constitutes acceptance of those changes.
This is not legal advice.
It is a little bit more complicated and depends very much on the services, content and fees you are going to deliver. The bigger the value you handle, and the bigger your risk in the case of user misbehaviour, the more you should invest in user verification and the more proof you should have that the user agreed to what he agreed to.
In case of a free forum such things rarely matter, but imagine a situation where there is a significant fee introduced with a ToS change. In EU, you cannot do that without getting an explicit consent from the customer (checkbox/button).
I have started this discussion to investigate what I should do with my setup, and it looks like I will have to implement TOS and privacy policy agreements in the SSO tool (Auth0).
You’re correct, thanks. I’m not sure what the perfect wording is to not annoy users when they register, but still make them aware that actually clicking the URLs and reading them is important.
Actually, it would need 2 fields - one for accepting the ToS, and the second to have read and understood the FAQ/guidelines. I’ve heavily modified the FAQ as the platform is more like QA and users tend to not know what to collect when asking a question. Similar thing with GitHub and issue templates, e.g. provide the OS, configs, logs and where to look for “troubleshoot on your own”.
I’ve asked our community what they think; it might need until next week for feedback. On the weekend not many look into monitoring questions in their spare time, and there’s expected low traffic.
If you scroll down on https://monitoring-portal.org, you’ll recognise the footer. I’ve added this as German law requires you to have a URL to your legal notice (“Impressum” in German) on every single page. This lists personal details such as name and address where the owner can be contacted. I haven’t had that in Austria, but Germany is more special on that.
It is far from perfect and not very “fancy”, but it works for me to be on the safe legal side. Germany is known for legal notice trolls because of that law requirement.
I did that too - have links in the footer - using the Flex Footer Theme Component.
I am not required to show a URL so I just linked words instead.
I don’t include ‘about us’ because we aren’t required to in the US, but once we launch that could change depending on what people find useful.
This definitely will not hold up in court in Europe, and our legal guy says he thinks it’s not accepted in the USA either - after he stopped laughing.
You have to actively inform your users of such a change.
Usually when fees go up I have been required to click to accept fee increases like with Netflix for example. I got email notices before that. Click to accept changes in tos at sign in would be smart. Along with notices to members prior to that.
I’m thinking of another case with SSO. User A is logged in to Discourse; some day user A revokes consent from, say, passport (if we have a passport site, i.e. passport.example.org). How would we handle it?
I can think of a way to handle this: add JavaScript to check with the passport site whether the current user has consented, and if not, ask the user to consent, either by redirecting to the passport site or by showing a modal in Discourse.
Discourse currently has ability to “Deactivate account” via Admin panel. I am wondering if we could use it to implement “Voluntary consent” required by GDPR for existing users.
Something like mass deactivation with custom activation email text explaining why existing users need to give consent by clicking the link in the activation email.
And to be legal this has to be done before May 25.
No, “activation” is only “prove you own this email” and unactivated accounts (with no posts, because of admins doing this kind of thing) are deleted after 7 days.
Yes, I know that, but I was just thinking about an easy method to do what the original poster asked about, i.e. make existing users give explicit voluntary consent to process their data via a clear affirmative action. Under GDPR you need to collect such consent from existing users and be able to demonstrate that they gave it actively and when they gave it. I just thought that existing functionality could be used to collect that.
While it is easy to ask new users for consent at sign-up time by adding a user field in the admin panel and making it required, Discourse has no functionality to collect the required GDPR consent from existing users (except maybe asking everyone individually). As the May 25 deadline approaches, every working method (even if not perfect) would be good.
This plugin may be helpful:
It’d be useful to know if anyone has used it for GDPR purposes, and if they could share their wording and config?
One important thing that is missing when requesting GDPR consent as a “user field” is that changing user fields does not generate any entry in the user’s “Action logs”. Under GDPR it is important to be able to demonstrate when consent was given. For this, Discourse should log such an event in the user’s “Action log”.
It would be highly appreciated if the Discourse team could tell us whether Action logs can be improved to include a user field change event.
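The three record-keeping concerns raised in this thread (keeping consent records outside Discourse via a webhook, keeping a copy of the ToS as it stood at sign-up, and being able to show when consent was given) can be handled by one small receiver. The following is an added example written for this thread; it is not Discourse code and not any poster's own tool. It assumes a webhook that signs the raw body with HMAC-SHA256 and sends it as `sha256=<hex>` in a header, and a payload carrying the member under `user` with the custom fields under `user_fields`; both are assumptions, as is the `gdpr_consent` field name and the sample payload, which is constructed.

```python
"""Consent-record ledger fed by a forum webhook (added example, assumptions noted inline)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed shared secret: generated once and placed in both the forum's webhook
# configuration and this receiver's environment.
WEBHOOK_SECRET = b"constructed-shared-secret-do-not-reuse"


def tos_version(tos_text: str) -> str:
    """Fingerprint the exact ToS text so a record names the version that was consented to."""
    return hashlib.sha256(tos_text.encode("utf-8")).hexdigest()


def sign_body(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Produce the 'sha256=<hex>' value the sender is assumed to put in its signature header."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time check of the body against the signature header; unsigned bodies are rejected."""
    if not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header[len("sha256="):])


@dataclass(frozen=True)
class ConsentRecord:
    user_id: int
    consented_at: str   # ISO-8601 UTC timestamp of when the record was taken
    field_name: str     # the custom user field the member ticked
    tos_hash: str       # fingerprint of the ToS in force at that moment
    tos_text: str       # verbatim copy, so the record is self-contained


class ConsentLedger:
    """Append-only store of consent events, kept outside the forum database."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_from_webhook(self, raw_body: bytes, signature_header: str, current_tos_text: str,
                            consent_field: str = "gdpr_consent",
                            received_at: Optional[datetime] = None) -> Optional[ConsentRecord]:
        """Verify, parse and store one delivery; returns None when the box was not ticked."""
        if not verify_signature(raw_body, signature_header):
            raise ValueError("webhook signature mismatch: delivery discarded")
        user = json.loads(raw_body.decode("utf-8"))["user"]   # assumed payload shape
        if str(user.get("user_fields", {}).get(consent_field, "")).lower() != "true":
            return None
        stamp = (received_at or datetime.now(timezone.utc)).isoformat()
        rec = ConsentRecord(int(user["id"]), stamp, consent_field,
                            tos_version(current_tos_text), current_tos_text)
        self._records.append(rec)
        return rec

    def latest_for(self, user_id: int) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.user_id == user_id:
                return rec
        return None

    def needs_reconsent(self, user_id: int, current_tos_text: str) -> bool:
        """True when the member never consented, or consented to a different ToS text."""
        rec = self.latest_for(user_id)
        return rec is None or rec.tos_hash != tos_version(current_tos_text)


# Constructed sample delivery: a member ticked the consent field at sign-up.
SAMPLE_BODY = json.dumps({
    "user": {"id": 42, "username": "alice", "user_fields": {"gdpr_consent": "true"}}
}).encode("utf-8")
TOS_V1 = "ToS v1: we process the data needed to run the forum."
TOS_V2 = "ToS v2: we process the data needed to run the forum and newsletters."


def demo() -> ConsentLedger:
    """Record the constructed delivery against ToS v1 with a fixed timestamp."""
    ledger = ConsentLedger()
    ledger.record_from_webhook(SAMPLE_BODY, sign_body(SAMPLE_BODY), TOS_V1,
                               received_at=datetime(2018, 5, 1, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print(ledger.latest_for(42))
    print("re-consent needed after ToS change:", ledger.needs_reconsent(42, TOS_V2))
```

Storing the verbatim ToS text alongside its hash is what makes a record self-contained: after a ToS change, `needs_reconsent` flags every member whose latest record names the old text, which is the list you would prompt on next sign-in rather than relying on a pinned post. Rejecting deliveries whose signature does not match keeps a forged POST from creating a consent record that was never given.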
You could use my Custom Wizard plugin to obtain consent under the GDPR, and I would be happy to work through any issues for that use case, however unless you’re using Discourse data for something other than just running a Discourse forum, it seems (at this preliminary stage) the more suitable basis for processing and control of data in Discourse is ‘Legitimate Interests’ rather than consent.
If you’re looking for some plain language explanations from a trusted source on this question, I would recommend the UK’s Information Commissioner’s Office.
In particular the ICO notes that consent needs to be granular, possible to withdraw and cannot be a precondition of service, each of which raises issues for the way you’re proposing to obtain consent in Discourse.
Moreover, they state:
But you often won’t need consent. If consent is difficult, look for a different lawful basis.
They note: (highlights are mine)
Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
It seems to me that it would be reasonable to expect that when signing up for a discussion forum that the details you provide would be stored and processed for the purposes of running the forum.
See further:
Please note that none of this is legal advice and cannot be relied on as such. I am not your lawyer.