GDPR Opt In?

[JR Network]

Hi Guys, 

I have nearly 19,000 members in my community and I am storing personal data. I'm trying to get GDPR compliant so I don't have any trouble in the long run.

In line with the GDPR we have to ask for consent to continue to mail users. As IP has done with an email is it possible we can do something like this? We have a way to check if a user has agreed to consent, but I can't find a way to be able to ask for consent within a bulk mail.

 

 

Hope you can help guys,

Jamie

[Matt]

The bulk mailer will only ever send emails to people who have already opted in, so you should have nothing to worry about there.

In 3.x, there was a setting in the ACP Bulk Mailer that offered to override the user's permission, but we removed this in 4 because it's not a great idea to email people when they expressly asked not to be emailed.

I would consider notification emails different as these again are opt-in.

The only wrinkle is that in earlier versions of IPS4, the opt-in was pre-ticked meaning you had to opt-out, which is not actually GDPR compliant.

However, the ICO's view is that if your email list has legitimate interest and captured before GDPR with a pre-ticked opt in then it's fine to keep it and you don't really need to ask for permission to keep speaking to them.

Now, if you wanted to send out a bulk email saying "Just a reminder that you can opt out of these emails" you can certainly do that via the bulk mailer.

[JR Network]

16 minutes ago, Matt said:

The bulk mailer will only ever send emails to people who have already opted in, so you should have nothing to worry about there.

In 3.x, there was a setting in the ACP Bulk Mailer that offered to override the user's permission, but we removed this in 4 because it's not a great idea to email people when they expressly asked not to be emailed.

I would consider notification emails different as these again are opt-in.

The only wrinkle is that in earlier versions of IPS4, the opt-in was pre-ticked meaning you had to opt-out, which is not actually GDPR compliant.

However, the ICO's view is that if your email list has legitimate interest and captured before GDPR with a pre-ticked opt in then it's fine to keep it and you don't really need to ask for permission to keep speaking to them.

Now, if you wanted to send out a bulk email saying "Just a reminder that you can opt out of these emails" you can certainly do that via the bulk mailer.

That's great information. I'm stilling getting my head around things but as long as the case is that if they already agreed to it on sign up before he GDPR comes in to effect that saves a lot of hassle.

Thanks for the great info Matt I'm sure this will help other members that possibly were thinking the same thing

[Matt]

Sure, no problem. There's a lot of panic and confusion over GDPR but there doesn't need to be.

[Sheffielder]

I'm so glad I read this thread!

I was getting worried and this has put my mind at rest 

Thank you!

[marklcfc]

I receive quite a few emails like this, do we not need to do similar?

[opentype]

10 minutes ago, marklcfc said:

I receive quite a few emails like this, do we not need to do similar?

IPS’s point of view on this is explained here: 

 

[Cyboman]

In concerns of email handling in total, I seriously doubt IPS point of view.

Let me explain:

Some of us admins have communities for an existence period longer than 10 years and massive member counts that opted-in to bulk email during that time (in my case: more than 100.000 members that opted-in!). If we look into monetizing strategy advice and consulting websites on the internet, we can easily notice that email marketing still is the no.1 success factor for generating massive income with your own marketing power. (Bulk) emails inform your members about "your choice of important informations", about new "commercial sales products" uprising, about "commercial partner sites offers" aso.

BUT: Wide-spreaded commercial bulk emails have a total different handling than the intangible wording "allow emails from admin" or "send me news and informations" (for small gaming communities)

NOT every community started as a commercial site, they've grown during time and explored their own new monetization models, that were added year after year (and email is a part of it). But not every change in the community usage/business model allows you to change your "email usage & information model (bulk email / newsletters)". Regulations like the GDPR originate from the insights and facts, that more and more misuse has been done with privacy data of inidividuals PLUS that these members haven't been informed carefully and lawfully (enough).

This will change NOW!

According to the new GDPR and other worldwide regulations, email handling is becoming a very risky job for every admin and must be handled carefully and according to laws.

• It is strictly forbidden to sendout bulk email to users, who haven't checked the opt-in for receiving bulk email by themselves with active consent. The former bulk email field, that was checked by default by the IPS software in former times, is a clear violation for sending out further bulk emails. We are dealing with a mix-up of opt-ins with and also without consent.
   
• Every time when bulk email rules and usage declarations change, they MUST BE reaccepted by every member (consciously, by clicking a checkmark field). Without such evidence, you may not use emails anymore for (f.e. commercial) newsletters. So if your community started uncommercial and now acts commercially, you require reacceptance! This also means: "NO ADVERTISING" in system emails. With the new "content promotions feature" (our picks) there might be added "promoted advertising content" to every system notification email. This is a violation already, unless commercial informations to receive has been accepted with consent.
   
• Hiding email rules in the privacy declarations is strictly forbidden. All email usage plus further information has to be viewable directly before opting-in. We are forced to show and explain the exact email usages directly next to a checkmark field and above an accept button. And this customer information also has to contain infos about how to opt-out . By clicking the opt-in checkmark field ("user accepts monthly emails for commercial offers, continuous systemside informations according to his notification settings. You can opt-out anytime -> here") and pressing the button, and logging this event to the IPS logs, everything is fine. Without, we are in risk. "Allow email by admins" or "send me news and informations" had nothing like the claimed requirements.

All

• mixed-up (opt-ins with/without consent)
• not reaccepted (according to t bulk email usage changes)
• hidden declarations

bulk email lists will become unusuable on may 25th without a proper recheck, at least using them in this status is a real high danger. All businesses, that rely on the use of bulk email, will get very big problems.

We need:

• a feature to force the (re)acception of new "email rules"
  # If a user reaccepts these new email rules (yes, they have to be directly viewable - without extra clicks - and hence separate to the privacy declaration!) he will be kept in the bulk email opt-in
  # If users don't reaccept, then they will be kicked out of the bulk email list after a specified amount of time
   
• better filtering options to filter for members that are opted-in or out in the IPS Suite
  # with this feature we could also reset ALL opt-ins to start a new email list
  # or we could split the email-sendouts for very old, inactive customers from the freshly newcomers to lower certain risks

 

When IPS introduced IPS v4, only members were allowed to receive bulk emails anymore, that really wished to get them (opted-in, sending to opted-out members was cancelled). IPS claimed, that the general email handling should be more lawful and fairer concerning the consent requirements by their members.

BUT SENDING ANY NEWSLETTERS TO ALL BULK EMAIL OPTINS ISN'T LAWFUL ENOUGH DUE TO THE UNFILTERABLE AND NOT AUTO-BULK-REACCEPTABLE MIXUP IN OUR CURRENT BULK EMAIL LISTS AND WITHOUT CONSENT IN PARTS.

That's only my point of view and the future will tell us, after the first customers will be penalized if this opinion will be backuped by international lawyers.

For me, the current way emails are handled and missing functionality mean:

• a loss of members
• a loss of engagement
• a very high loss of marketing power

Thanks for being able to express my thoughts and understanding of fair email handling.

[Matt]

I've spoken to the ICO who said that they are happy that any email list obtained with a soft opt-in (that is a pre-checked opt in as was the case from 4.0 to 4.2.7) is absolutely fine to keep as long as there is legitimate interest (as in, they registered on your site, kept the opt in and the stuff you email is still site related).

So, my view is that you are fine and do not need to do anything.

If you have a really long history or converted at some point from an old forum, etc, then by all means, run a query to unsubscribe everyone and use the newsletter sidebar widget to get people to sign back up.

The ICO have made it very clear on several occasions they are not going after legitimate businesses who are working towards compliance.

It's your choice. We create the tools, it's up to you to use them how you see fit to comply.

[Cyboman]

Thanks, Matt, unsubscribing everyone is exactly my problem I try to avoid, because I will never reach out to these former members and customers ever again.

Concerning the ICO, your statements might be absolutely right. And I don't fear the ICO, I'm sure they will start softly and concentrate on the bigger market players or on really bad website/portal owners. But on the downside, I fear cease-and-desist warnings mandated by competitors, specialized law firms and other haters, that might cause immense costs and time-consuming legal and technical operations. That's the reason I try to do everything legally correct and work against any upcoming trouble in time. We only want to operate safely!

A switch from an uncommercial portal to a commercial portal isn't easy at all, and as stated before, there are a lot other national (email) regulations in addition to just the GDPR. And unfortunately "commercial emails" are handled as spam easily, if you haven't gained them correctly for commercial purposes. Even email service providers won't care, if the ICO said, they are happy with everyone working towards their regulations. Email service providers just ban you.

I feel bulk email is just a "forgotten feature" in IPS. With more strategically development efforts in bulk email, automatically filtering opt-ins and opt-outs, email marketing, we could perform a lot more magic and increase our active participants immensely without having to fear upcoming issues. But sendout emails or not (no matter the changes around), members just being opted-in or opted-out isn't enough functionality. We can't generate any processes, we can't implement any trigger rules nor exclude members or let them reaccept terms like for the "terms & conditions" or the "privacy policy". There is just nothing we can do with the "bulk email" field, nor use it for important changes. It's missing almost all flexibility.

Small tools and functionality improvements can revolutionize the world, also the community portals worlds! And I believe, that a continuous and fair email contact and information behaviour (on a much higher level as it is currently implemented) can rescue us from decreasing member counts, and also from legal conflicts caused by 3rd party entities.

But anyway, thanks for the response and the IPS clarification.

[Sovereign Grace Singles]

Yall realize that the GDPR has no jurisdiction for those in the U.S.?

[Cyboman]

I'm just an unlucky european... forced to obey the regulations. Not living in Panama, Seychelles or Cyprus... ?

[AlexWright]

1 hour ago, Christforums said:

Yall realize that the GDPR has no jurisdiction for those in the U.S.?

It does if you're directing content to Europeans, from my understanding of it.

[Sovereign Grace Singles]

4 hours ago, AlexWright said:

It does if you're directing content to Europeans, from my understanding of it.

Like the cookie consent? Ha, they can't do anything. If they want to ban non compliant sites that'll save me the headache. The U.S. is a sovereign country, the eu has no jurisdiction here.

Enjoy

[AlexWright]

17 minutes ago, Christforums said:

Like the cookie consent? Ha, they can't do anything. If they want to ban non compliant sites that'll save me the headache. The U.S. is a sovereign country, the eu has no jurisdiction here.

Enjoy

You would think so, but that's not entirely correct. 

https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#2819a9956ff2

Specifically:

There are still questions about how the EU will enforce these actions against U.S. and other multinational companies doing business over the Web.

So yes, its questionable on how they will attempt to enforce it in the US, but they probably still could attempt a lawsuit.

[Sovereign Grace Singles]

1 hour ago, AlexWright said:

You would think so, but that's not entirely correct. 

https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#2819a9956ff2

Specifically:

 

 

So yes, its questionable on how they will attempt to enforce it in the US, but they probably still could attempt a lawsuit.

What a joke. Frivolous lawsuits.  Now I understand why some are deciding to block the eu.

[Joel R]

18 hours ago, Christforums said:

What a joke. Frivolous lawsuits.  Now I understand why some are deciding to block the eu.

The territorial scope of GDPR *can* extend to all processors and controllers that serve users from the EU, no matter where you're located.  In reality, you probably don't need to worry.  

Recitals 23 and 24 (which are unofficial and non-binding drafts written by the drafting party and meant to explain the intention of the GDPR) make clear that the general accessibility of email addresses or contact details and the use of language generally available in the third country (eg. English in the USA) does not mean that the GDPR must apply.  In fact,  the GDPR's territorial reach is designed to apply to processors and controllers that use language, currencies, the ability to order goods and services of those languages and currencies, or the mentioning of customers and users who are located in Member States of the EU.  

Basically, don't try to target EU customers.  Don't use EU country languages, don't use EU customer testimonials, don't use EU currencies. 

Recital 24 goes on to explain that the regulation can also apply to any websites as it related to the monitoring of behaviors of users within the EU.  

Basically, don't try to cyber stalk your EU customers or try to follow their online movements  to market to them.  (Facebook Pixel integration anyone?).  Google will need to comply.  Facebook will need to comply.  You probably don't need to comply if you're a USA forum, unless you're stalking @opentypesinging career in Germany.   

Email addresses on their own are insufficient for USA forums to fall within the territorial scope of the GDPR.  The recitals make clear that there's a sliding scale of factors to consider, and email addresses are insufficient to require GDPR complince.  You need to show that you're targeting EU customers OR monitoring them.  (Probably a good time to stop your hobby forum IStalkEuropeans.eu)

With that said, even USA forums that don't intentionally target EU customers data users should implement some of the common sense practices in the upcoming versions of IPS:

- You're going to want to upgrade to 4.3.3+ on May 25th, which offers Invision Community with GDPR-ready features.  

- You're going to want to review your privacy policy

- You're going to want to review your cookie policy

- You're going to want to send out a bulk mail to all all users explaining the informed consent options, right to delete their profile, right to export their data, and how you're protecting user data

- You definitely need to stop selling your community's email addresses on the dark web for bitcoins.  

If you're a USA forum, you don't need to panic  UNLESS you specifically target EU customers OR cyber stalk Euro members over the Interwebs to sell them cheap crap that's ironically made in Asia. If you're an EU  forum targeting EU clients and stalking EU visitors, you have 99 Acts of GDPR and 173 Recitals to read and interpret in exactly one week.  Good luck! I'm gonna go listen to Opentype's newest duet.  

[gabs007]

Ok, now I'm going to ask a stupid question, maybe 

Has the industrial or commercial or corporate data be treated the same way than personal data ?
For example, Company data is published in every company's website. Companies normally release public  information like phones, addresses & Staff Board with names.

If a user writes in reply, for example, the name and phone number of a company,  Does the GDPR forces me to remove that data ? I can see that if someone publishes a personal phone number, that would be out of the question, but how about a  company phone number ? or an employee number which is already listed in the company website ? 

[bfarber]

I would say that publicly available company information is not the same as "personally identifiable information" which is meant to protect regular citizens.

[RevengeFNF]

On 5/18/2018 at 12:58 AM, Christforums said:

What a joke. Frivolous lawsuits.  Now I understand why some are deciding to block the eu.

Do you really think the states aren't going to do a similar law? Its a matter of time and it won't take too long.

[DesignzShop]

5 hours ago, RevengeFNF said:

Do you really think the states aren't going to do a similar law? Its a matter of time and it won't take too long.

US citizens already have the ability to access the the USA courts. No need. As it stands now in the USA and has been proven, individual or class action lawsuits are always an option when data is compromised. We've seen major corporations pay up to data abused customers more than once and that will continue. I was personally involved and settled with Home Depot over a data-breach no more than little over a year ago.

On 5/17/2018 at 6:58 PM, Christforums said:

What a joke. Frivolous lawsuits.  Now I understand why some are deciding to block the eu.

Yep!!! However, they wont get past the front door.. And yes, my own personal forum runs off US law. If a EU person wants to join, they follow US law or leave. I'm making no special concessions for this what-so-ever. DesignzShop's website sells to 4 countries but I do sell here at IPB for EU customers.

[Dll]

Although GDPR is a bit of a pain, it's actually a massive step forward in terms of transparency and an opportunity to build trust with your users, regardless of where they're from. If that's not of interest to you, ultimately I think it may cost you - it's not about lawsuits or whatever law you think you're entitled to use on your website.

Do you think that in time, and given the choice, a potential customer (whether they're from the EU, the USA or anywhere else), may well choose to spend their money through a website who is being transparent about what they do with personal data, or one who isn't?

I know who'd be getting my $ £ or €....