Post Before Register GDPR

[Unlucky]

Thanks for getting back to me Andy.

I know this is not your plugin directly now having looked into it, but without the visitor giving (and there being a record of ) Implicit Consent then this is against the GDPR law here in Europe.

Maybe you as IPS Staff can move this post if possible please to a better forum but I need to highlight the risk to everyone.

Problem is if they don't complete their registration and agree to the terms and conditions, the IPS system still automatically sends out 1 unsolicited reminder email from what I can see with the subject heading " Did you forget to submit your post?".

Invision can verify this is the fact by contacting the Information Commissioners Office here: https://ico.org.uk/global/contact-us/live-chat/ or the telephone number is: 0303 123 1113

If we can turn off this reminder email from being sent, we might / should be ok - Is this possible to do?

All the current system needs is one websites competitor to go through the process of asking a question and not completing the registration form and then complaining to the ICO that they have received unsolicited email.

A lot of companies have already been fined for sending out unsolicited emails which this reminder is without someone having provided implicit consent IE:

(Ignore numbers) Leave.EU Group Limited has been fined £15,000 for sending almost 300,000 unsolicited communications on a single day for which they did not have consent. 

Taken from:

https://ico.org.uk/action-weve-taken/enforcement/

Thanks for you time reading this, we just want to make sure nobody falls foul of the GDPR

 

 

[Andy Millne]

Split from a marketplace topic as this relates to Post Before Register not the plugin it was originally posted on.

[PoC2]

6 hours ago, Unlucky said:

If we can turn off this reminder email from being sent, we might / should be ok - Is this possible to do?

If a piece of text near the posting box mentioned that an email reminder might be sent in a week, and using the posting box means you agree to that, then that might also do?

[Black Tiger]

that an email reminder might be sent in a week, and using the posting box means you agree to that, then that might also do?

No. Only when it also is stated somewhere that the user's email address is only saved for that purpose and automatically removed afterwards or something like that.

Because according to the GPDR it's not only "unsollicited mail" which is more like spam, but the bigger issue is the data protection. You need consent to save personal data of a user and an e-mail address belongs to personal data (also IP address for example).

So if you want to comply with GPDR you can better have the user consent to saving his e-mail address and for the use of his e-mail address to send him this reminder. And he should know how long his data (his e-mail address) is being saved.

Shortly said, for hobby forums the GPDR is a real fuzz if you want to do it the correct way. Therefore I will never enable posting before registering. I don't want issues so before anything happens they have to agree to my full AVG policy. AVG is the Dutch short for GPDR.

 

[PoC2]

9 hours ago, Black Tiger said:

Only when it also is stated somewhere that the user's email address is only saved for that purpose and automatically removed afterwards or something like that.

OK, do that then. One extra line of text.

[Unlucky]

9 hours ago, Black Tiger said:

Therefore I will never enable posting before registering. I don't want issues so before anything happens they have to agree to my full AVG policy. AVG is the Dutch short for GPDR.

Hi, Where is the setting to disable post before registering?

Thanks

[Nathan Explosion]

[Matt]

I do not see this as a GDPR issue.

We're sending a transactional email directly related to an action the user performed.

It is not a marketing email, nor is it trying to persuade them to do anything other than remind them to complete an action they started.

Therefore, it should not fall under any of the GDPR restrictions as there is a direct legitimate interest for sending that email.

Just like sending password reminders, etc. 

 

10 hours ago, Black Tiger said:

 

 

No. Only when it also is stated somewhere that the user's email address is only saved for that purpose and automatically removed afterwards or something like that.

Because according to the GPDR it's not only "unsollicited mail" which is more like spam, but the bigger issue is the data protection. You need consent to save personal data of a user and an e-mail address belongs to personal data (also IP address for example).

So if you want to comply with GPDR you can better have the user consent to saving his e-mail address and for the use of his e-mail address to send him this reminder. And he should know how long his data (his e-mail address) is being saved.

Shortly said, for hobby forums the GPDR is a real fuzz if you want to do it the correct way. Therefore I will never enable posting before registering. I don't want issues so before anything happens they have to agree to my full AVG policy. AVG is the Dutch short for GPDR.

 

If the user chooses not to complete their registration, then the email address is removed from the database. It's stored for long enough to allow the user to complete the registration only.

[Unlucky]

Matt if you speak directly to the Information Commissioners Office here: https://ico.org.uk/global/contact-us/live-chat/ or the telephone number is: 0303 123 1113 

They will confirm explicit consent is required to collect personal data which includes an email address.

I should have added that the email address is stored longer because the system sends out a follow up email with subject heading - "Did you forget to submit your post?". "

So someone can receive that email without even filling in any registration details other than adding their email to their post which they do before hitting the registration page

[Matt]

51 minutes ago, Unlucky said:

Matt if you speak directly to the Information Commissioners Office here: https://ico.org.uk/global/contact-us/live-chat/ or the telephone number is: 0303 123 1113 

They will confirm explicit consent is required to collect personal data which includes an email address.

I should have added that the email address is stored longer because the system sends out a follow up email with subject heading - "Did you forget to submit your post?". "

So someone can receive that email without even filling in any registration details other than adding their email to their post which they do before hitting the registration page

But we're collecting that email address to facilitate a registration which is made clear on the next page.

However, we are going to add a "remove my submission" button on that page to make it clearer and allow the user to remove all their data.

[Unlucky]

Hu

We have spoken to the Information Commissioners Office this morning and are posting the details of the conversation here to help everyone.

We have a larger version if this one is difficult to read - let us know.

 

[Unlucky]

Hi,

We have just been sent the transcript - this should make things easier to read:

 

Hi, Please find attached a transcript of your online conversation with us. Regards, Information Commissioners Office

[11:39 AM] Ian has joined the room
[11:39 AM] ico_harryp has joined the room
[11:39 AM] ico_harryp has joined the room
[11:39 AM] ico_harryp:	Good morning. How can I help you today?
[11:39 AM] Ian:	Hello
[11:40 AM] ico_harryp has joined the room
[11:40 AM] Ian:	We use a software product calling Invision community software. The latest release has a feature called Post Before Registe
[11:41 AM] Ian:	Basically a guest visitor can visit the site, see a topic of interest and post a reply. However the form requires they enter an email address.
[11:41 AM] Ian:	There is no explicit consent box on the form
[11:42 AM] Ian:	Once they fill the form out they are taken to the register page for the website
[11:42 AM] Ian:	They can either choose to register or decline
[11:43 AM] Ian:	If th ey decline after a period of time they receive 1 email from the software which is auto generated with the subject heading " Did you forget to submit your post?".
[11:43 AM] ico_harryp has joined the room
[11:45 AM] Ian:	The content of the email reminds them "Your post hasn't been submitted yet" and they have a choice to finish submitting which involves taking them back to the site to complete their registration
[11:45 AM] Ian:	The email also states "If you do not take any action, we will delete your email address and not contact you again. There is no need to unsubscribe."
[11:46 AM] Ian:	Is this process GDPR compliant or not?
[11:48 AM] ico_harryp:	Ultimately, I am unable to specifically confirm whether something is compliant over livechat as this will depend greatly on the context and be for you as the data controller to justify. You do not need an individuals consent simply to obtain their email address. However, you would need to consider whether you had any reason for holding it. Would this simply be to allow them to use the software product?
[11:50 AM] Ian:	The software only hold the email address for a period of hours (not weeks etc) in order to send out that 1 reminder email. If that person ignores and deletes the email then the software automatically removes their email from the system again after a set number of hours
[11:52 AM] ico_harryp:	You would need to consider your justification for this. However, if the processing of their email address would not be necessary for you to be able to offer the service that you give to individuals then it may be difficult to justify why this needed to be obtained. But, ultimately, you would need to consider if you could satisfy a lawful basis for this. There is information about the various lawful bases for processing here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
[11:53 AM] ico_harryp has joined the room
[11:54 AM] ico_harryp has joined the room
[11:56 AM] Ian:	OK so yes if they wanted to ask a question on the website they must complete their registration in order to ask their question. If they fill out the registration form immediately then part of it is agreeing to the privacy and website terms and conditions. If for whatever reason they do not complete their registration at that point in time, they are sent a single reminder email that in order for their question to be added to the website, they need to complete registration. If they decide they don't want the question added to the website, and they ignore the reminder email, then the system deletes it, so there is no record stored.
[11:58 AM] ico_harryp:	Are individuals made aware of what this email will be used for?
[12:02 PM] Ian:	It does not mention on the form anywhere that they will receive the single reminder email. However when they fill out the form and click the submit button they are immediately taken to the registration page with the following text explaining they need to register before their question is visible
[12:02 PM] ico_harryp has joined the room
[12:02 PM] Ian:	Just need a few more details… Thanks for your submission! Before your content can be seen by other members, we need to create an account for you.
[12:03 PM] ico_harryp:	The General Data Protection Regulation also places an obligation on organisations to inform individuals as to how their personal data w ill be used. This obligation is explained here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ This would need to factor in to your considerations as to whether this software would be appropriate to use.
[12:03 PM] Ian:	if they fill out the registration, their question appears on the website. As mentioned above, if they decide not to join at that point, then they get the reminder email
[12:04 PM] Ian:	OK so we need to explain if they do not complete their registration at that point in time, they will get the reminder email?
[12:05 PM] ico_harryp has joined the room
[12:07 PM] ico_harryp:	You would need to have a lawful basis for collecting this information in the first instance - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ You would then need to make sure people are appropriately informed as above.
[12:10 PM] Ian:	So we do need to inform them on the form that if they do not complete their registration at that point in time, their email will be stored in order to send them a one time reminder to their email address? Or something along those lines to ensure we are GDPR compliant?
[12:10 PM] ico_harryp:	Correct, as well as iden tifying a lawful basis for this.
[12:11 PM] Ian:	Ok thank you for your help
[12:12 PM] ico_harryp:	You're welcome. Is there anything else I can help you with?
[12:12 PM] ico_harryp has joined the room
[12:12 PM] ico_harryp has joined the room
[12:12 PM] Ian:	No that is all thanks
[12:13 PM] ico_harryp:	Thank you for using our live chat service. Have a good day.
[12:13 PM] ico_harryp has left the room
[12:13 PM] Ian has left the room

[opentype]

It really doesn’t say much. It’s as vague as the law. 

If anything, I would add a small note to point to the privacy policy and then explain the procedure for Post before Register there. 

[Unlucky]

This is the key part really:

[12:10 PM] Ian:	So we do need to inform them on the form that if they do not complete their registration at that point in time, their email will be stored in order to send them a one time reminder to their email address? Or something along those lines to ensure we are GDPR compliant?
[12:10 PM] ico_harryp:	Correct, as well as iden tifying a lawful basis for this.

[Matt]

I am adding a "Cancel" button so the user can remove their submission and email address if they so choose.

But I still maintain that we are sending an email directly linked to an action the user took. It is not a marketing message, etc.

It's just a convenience reminder. We do not do anything with the email address outside of remove it after 6 days.

[opentype]

2 minutes ago, Unlucky said:

This is the key part really:

[12:10 PM] Ian:	So we do need to inform them on the form that if they do not complete their registration at that point in time, their email will be stored in order to send them a one time reminder to their email address? Or something along those lines to ensure we are GDPR compliant?
[12:10 PM] ico_harryp:	Correct, as well as iden tifying a lawful basis for this.

Well, you fed it to him … 😉 

[Matt]

Here's the changes for 4.4.1.

I'm satisfied that this deals with any concerns. It explains how the feature works and allows you to cancel the submission and remove your email immediately.

Consent is not required here as it's a transactional email sent after you have chosen to interact with the site.

Also, lets keep in mind we send just one email reminder.

It's not like we add them to a marketing list, or constant notification emails about events happening.

In my mind it's the same as the lost password feature which does not need consent because it's a transactional email sent after you have chosen an action.

 

 

[Unlucky]

28 minutes ago, Matt said:

changes for 4.4.1.

Brilliant.

Is 4.4.1 a long way off?

[Matt]

This week if all goes well.

[Black Tiger]

Quote

It is not a marketing email, nor is it trying to persuade them to do anything other than remind them to complete an action they started.

Therefore, it should not fall under any of the GDPR restrictions as there is a direct legitimate interest for sending that email.

You're speaking about spam again, anti spam rules talk about commercial e-mails. That's not really an issue in GPDR.

So this does not matter if it's spam or not. GPDR has it's own strict policy about not only the use of personal data, but also about saving personal data. This second part has nothing to do with sending out passwords and stuff.

It's the e-mail address itself. The user has to be informed about why his email address is used and also how long his personal data is kept. For a forum you can say for example "as long as you make use of the forums or until you want your account removed, to be able to present you with a decent login and good working forum" or something like that.

The GPDR also contains data protection and auditing rules. And that's the part you're totally missing here. The important part is that the user has to agree to both his e-mail adres being used to send him mails AND that is email address is stored for this use for a certain period of time.

Quote

If the user chooses not to complete their registration, then the email address is removed from the database. It's stored for long enough to allow the user to complete the registration onl

y.

Great, as long as the user is informed about this, then it's would be no problem. But it has nothing to do with a reaction to or commercial or not.

GPDR is not only for marketing!!