GDPR - How does it affect forums?


Chatgroup

  • 2 months later...
On 2/14/2018 at 3:30 PM, Chatgroup said:

Out of interest how does GDPR affect forums?  I can imagine we need to delete email address etc on request but does it also concern posts/topics?

I believe that as long as data does not link the person then it's fine to leave posts. The posts will simply be anonymous or guest.

On 2/14/2018 at 4:30 PM, Chatgroup said:

Out of interest how does GDPR affect forums?  I can imagine we need to delete email address etc on request but does it also concern posts/topics?

Deleting content is more of an issue of intellectual property—GDPR is about privacy.

But GDPR contains regulations about “portability”, so providers must give you a way to download your data and take it to other providers. This was not created with forums in mind and no one knows if forum owners might get into trouble for that. We have to wait and see. 

6 minutes ago, opentype said:

Deleting content is more of an issue of intellectual property—GDPR is about privacy.

But GDPR contains regulations about “portability”, so providers must give you a way to download your data and take it to other providers. This was not created with forums in mind and no one knows if forum owners might get into trouble for that. We have to wait and see. 

It would only affect forum content as related to the user's identifying information being posted in threads or available via the Members section. If an EU citizen invoked their right to be forgotten from your site, you would have to take steps to ensure all identifiable information (which can be as little as an IP address) is removed from your site and database.

The portability issue is a tricky one - what constitutes a user's "data"? Their account info? Their posts? Hard to say at this point like @opentype mentioned.

There are many catch-22 situations with GDPR though - for example, you may have to keep user data for tax purposes, despite any user requests to have their personal info removed. The law is going to evolve as it gets put into practice so I don't think right now there's anything to start wringing hands over.

Cookies are another issue, you cannot set cookies without a distinct opt in or at least a soft opt in (aka the first page hit sets no cookies with an alert but the 2nd page can set cookies, unlike now where you can set a cookie straight away with the notice)

Then personal data includes IP addresses, which could mean you need to remove the post IP after x time as well, potentially.

  • 2 weeks later...
On 4/18/2018 at 3:24 PM, sudo said:

Cookies are another issue, you cannot set cookies without a distinct opt in or at least a soft opt in (aka the first page hit sets no cookies with an alert but the 2nd page can set cookies, unlike now where you can set a cookie straight away with the notice)

I thought this, but the cookie confirmation bar only shows for guests, doesn't it? Is that right?

Also, does every member have to agree to the privacy policy, or can I change it without forcing every member to see the privacy policy where they must click agree?

On 4/18/2018 at 3:24 PM, sudo said:

Cookies are another issue, you cannot set cookies without a distinct opt in or at least a soft opt in (aka the first page hit sets no cookies with an alert but the 2nd page can set cookies, unlike now where you can set a cookie straight away with the notice)

Then personal data includes IP addresses, which could mean you need to remove the post IP after x time as well, potentially.

Depending on the cookies, you may be able to use legitimate interest as the legal basis for storing and processing cookies. In that case, GDPR does not require you to get users' consent (as you are not using the consent legal basis). Now, in my opinion, you still need to ask for consent due to the previous cookie laws, but those laws accept weaker forms of consent than GDPR (such as implicit consent, which is more or less what IPS cookie consent implements).

Currently, even the ICO uses implicit consent on their site, although they provide an option to turn off cookies (which does not seem to prevent tracking third-party cookies from Twitter from being set).

(Disclaimer: I'm not a lawyer, and I'm still waiting for official replies on whether the interpretation presented above is indeed correct.)

Archived

This topic is now archived and is closed to further replies.
