Strengthening Community Trust with Privacy and PII Data Features

[Daniel F]

Our June release of Invision Community introduces several new improvements for your community to increase privacy controls and consent of personally identifiable information.

In today's digital age, privacy and the protection of personally identifiable information (PII) have become increasingly important. By incorporating improved privacy and PII data features into Invision Community, we are creating a more secure and inclusive environment within your community. In this blog post, we will take a quick look at what PII is, and the new features Invision Community has to improve privacy within your community.

What is PII?

PII, or personally identifiable information, refers to any data that can be used to identify, contact, or locate an individual member. When users sign up and visit your community, they may provide various types of PII, either voluntarily or as required by the platform's registration process. For example, an email address is required to complete the registration, and in some cases and IP address may be logged to authenticate a session, or to provide some context to the person posting content. 

Invision Community introduced new data control tools in a previous release, so let's take a look at the improvements coming in our June release that improves cookie management, IP address management, PII data requests, and the right to be forgotten.

PII Data Request and Right to be Forgotten

Your members now have the ability to request their Personally Identifiable Information (PII) data directly from their account settings page. Upon submitting a request, administrators will receive a notification alerting them to the new inquiry, where they can choose to either approve or deny it.

If approved, the member will be notified and provided information on how to download their requested data.

 

Additionally, members now have the option to request account deletion. After submitting this request, they will receive a confirmation email to verify their intent. Once confirmed, the request is forwarded to administrators, who can then decide whether to approve or reject the account deletion.

IP Address Management

Invision Community has had tools to prune IP addresses within a timeframe for a while, but we have conducted a thorough evaluation of the data framework in Invision Community to ensure that all recorded IP addresses are systematically purged according to the designated timeframe.

Cookie Management

Empowering members to control which cookies are stored is an important aspect of fostering trust and security within an online community. By granting users the autonomy to manage cookie preferences, you demonstrate a commitment to respecting their privacy and protecting their personal data. This level of transparency not only helps build a strong sense of trust between the community and its members but also helps with compliance, ultimately contributing to a more engaging and responsible user experience.

The Invision Community cookie consent page has been revamped and now displays a list of essential cookies. Visitors have the option to opt out of non-essential cookies for a more customized browsing experience.

Additionally, we've introduced a new feature that allows for the inclusion of an optional third-party Cookie Description on the cookie consent page, further enhancing transparency and user control.

We trust that these enhancements to privacy and data collection practices will simplify compliance with various regulations and, most importantly, ensure that your community members feel secure and well-protected while engaging with your platform.

The features and changes presented here are available in the following packages:

• Beginner
• Creator
• Creator Pro
• Team
• Business
• Enterprise

These features are also available in the Invision Community Classic (self-hosted) product.

If you do not see your product or package listed, please contact us to talk about upgrading your Invision Community.

View full blog entry

[Dreadknux]

A great step forward for community managers looking to be more compliant, thanks for this. A quick question; if a user requests account deletion through these new features, can an administrator approve to delete all user PII but anonymise their content so that can be kept on the community? Or does a deletion approved in this way remove absolutely all content as well as PII?

[Charles]

59 minutes ago, Dreadknux said:

A great step forward for community managers looking to be more compliant, thanks for this. A quick question; if a user requests account deletion through these new features, can an administrator approve to delete all user PII but anonymise their content so that can be kept on the community? Or does a deletion approved in this way remove absolutely all content as well as PII?

Yes, you can choose to anonymize content. In fact, that is what I recommend to clients 🙂 

[SjorsK]

Awesome! Some more GDPR compliance features! This is great!

[Square Wheels]

Looks interesting.  If an account is deleted, does that delete their posts also?

If the deleted user had previously been quoted, are those posts also edited to indicate it's a deleted account?

[Matt]

You can choose to delete, or anonymise the posts (the IP addresses are removed, and the content presented as if it was from a Guest). When a member requests to be forgotten, it will anonymise their content.

Cleaning embedded quoted content is something we're working on for a future version.

[MMXII]

Those are very nice and much needed features! 👍 Really looking forward to it.

1. Will there be options to enable/disable either of these fontend buttons? Say, I'd like to have the button for account deletion requests, but not for PII data requests.
2. Will there be options to optionally automate account deletion in some way? E.g. 14 days after an account request for deletion has been sent and with no admin reacting in this timeframe, the account will be gone automatically?

[Hisashi]

7 hours ago, MMXII said:

Will there be options to optionally automate account deletion in some way? E.g. 14 days after an account request for deletion has been sent and with no admin reacting in this timeframe, the account will be gone automatically?

This is extremely important, for the security of hacked accounts or if the user gives up deletion within a period of time. An example of this is google, facebook and twitter.

Ways to do this...

• The administrator has the ability to set the revoke time.
• During the period of exclusion, the content remains anonymous only with the ability of the moderators to identify.
• After the deadline, the administrator can set an automatic action for the account (or manually if desired).

It would be great to remove this obligation from the administrator having to evaluate everything, if he wants to make everything automatic and use his time for other matters.

Edited May 11, 2023 by Hisashi

[Matt]

For now, we'll keep it so administrators must approve until we get a little more comfortable with the features. We wouldn't want large parts of an established community destroyed by content being de-attributed or removed without a final admin check.

[AlexJ]

Is it possible to add support for account de-activation i.e. user can de-activate account and no notification gets sent. If user gets interested again, they can re-activate account. 

 

[Matt]

Not in this version. This is more about data privacy than a general de-activate/re-activate function. With the functionality we have, when you enact the right to be forgotten, and it has been approved, the data is altered permanently with no way to undo it.

[beats23]

Is Cookie Management mandatory?  Is there an option to not show any cookie consent on the site?

[Matt]

No, it is not mandatory.

[opentype]

For my taste, “account deletion” is too well hidden under “security and privacy”. 

I would suggest to either change the tab name or to give this function its own tab, like this third-party solution does it. 

[Matt]

We can probably work on the labelling, but I'm not keen on making it a high level item like that. It's not something most people will want to think about when they are on the site.

[Vakarian96]

what about when someone posts a YouTube or Twitter link in a post. Is the content then only loaded after confirmation (opt-in)?

Edited May 12, 2023 by Vakarian96

[Charles]

On 5/12/2023 at 12:33 PM, Vakarian96 said:

what about when someone posts a YouTube or Twitter link in a post. Is the content then only loaded after confirmation (opt-in)?

In that case you would want to put those services in your third-party list if you are concerned.

We are looking into opt-in third party loading in a future improvement to privacy controls though. It's an ongoing project 😀

[Vakarian96]

14 hours ago, Charles said:

In that case you would want to put those services in your third-party list if you are concerned.

We are looking into opt-in third party loading in a future improvement to privacy controls though. It's an ongoing project 😀

Thanks for the reply :).

It would be nice if the opt-in list has priority. This point is unfortunately also a very important feature.

[Afrodude]

On 5/10/2023 at 2:00 PM, Matt said:

Cleaning embedded quoted content is something we're working on for a future version.

It would be nice if you guys imply this to normal setting "Display Name" whenever it gets changed.

https://invisioncommunity.com/settings/username/

[MeMaBlue]

Hello! I am confused as to  if this sollution will be able to replace other cookie bar popups that we might need to place, via other ways, 

like quantcast, cloudflare zaraz or other such services. 

I need to replace my settings right now to  incorporate cookie consent for GA4, and   3 network scripts Adsense, Project Agora, Underdog Media, so I am right in the middle of that process. 

Will someone be able to help me with using that new feature of yours (with a quote if necessary) because I dont have the time or the knowledge to set it up correctly. The variables triggers ets that those services mention above, are things I am not familiar with and I dont want to experiment. 

Or is the above suggested new feature not suited to combine the things I mention here and I am completely wrong and clueless asking here?. 

I know, that the best sollution is to choose the things that you put out which are always compatible with ips,  so this is why I am asking to make sure I dont miss out on something

 

[Dll]

Assuming you're in the EU or UK, for ad networks you're going to need to use a tcf compatible cookie prompt, such as quantcast, Google choices etc. Google is actually making it a requirement soon.

https://support.google.com/admanager/answer/13554116#zippy=%2Cgoogle-certified-cmps

 

[MeMaBlue]

Thank you , yes, I have mentioned that. but there is a problem.  I cant have 2 cookie pop up windows,  then .. right? One from Google and one from ips?  This is the thing , how and what do you choose?

  I will need to have someone to set this up for me.   A few years ago, where advertising was better I had someone set it up for me, paid, through the Google ad Manager and it served through the admanager. 

Now, I would like again someone to do this for me but it needs to be combined with the knowledge of ips, as all things, since ips is a specific platform, that already has requirements and attributes.

So even if I found someone from outside, It would not have the knowledge to combine with ips.  

[It takes specific knowledge, and since it is something legal and important that you do once  I don't have the time or ability to educate myself on such technical level.

Companies like quantcast don't do this for you. They want the user to set up all the variables. Its all territory that cannot be aquired in a couple of hours of reading!.. I have spent like 10 days at least already, it would be irresponsible of me to set it up on my own.  ]

So I wish it could be done as a  paid service somehow from a developer with ips knowledge or ips . 

Would the cloud owners perhaps get that service maybe as an extra fee? Me I am selfhosted. It is a need that needs to be fulfilled somehow, and important.

Monetization with combining adnetwork; scripts is giving more to the publisher/owner.  Having only one, is not enough or is lost revenue.
(example of combination, all display placements on a site are handled either via the automated adsense option or the advertisment section with the adunit tags with google adsense. (1st) ,    then. all sticky banners  are given to a second network (2nd) ,  and then all vigniette or exit ad units to a third network (3rd),   all of them together add to the revenue)

[hpcrazy]

On 5/12/2023 at 10:49 AM, opentype said:

For my taste, “account deletion” is too well hidden under “security and privacy”. 

I would suggest to either change the tab name or to give this function its own tab, like this third-party solution does it. 

I just updated my selfhosted community - I did not find the deletion feature in the Account Settings.

Where is it exactly located ?

[Daniel F]

49 minutes ago, hpcrazy said:

I just updated my selfhosted community - I did not find the deletion feature in the Account Settings.

Where is it exactly located ?

It's on the "Security and Privacy" page.

[Nathan Explosion]

49 minutes ago, hpcrazy said:

I just updated my selfhosted community - I did not find the deletion feature in the Account Settings.

Where is it exactly located ?

Admins won't see it - use a non-admin account.