Invision Community Blog


Managing successful online communities

Matt
 

Your GDPR questions answered

You've no doubt heard about GDPR by now. It's a very hot topic in many circles. Lots of experts are weighing in on the best approach to take before the May 25th deadline.

Which reminds me of my favorite joke:

"Do you know a great GDPR expert?"

Yes, I do!

"Could you send me his email address?"

No, I'm afraid not.

I wrote about how Invision Community can help with your GDPR compliance back in December. I've seen a lot of posts and topics on GDPR in our community since then.

First, let's get the disclaimer out of the way. I'm a humble programmer and not a GDPR expert or a lawyer. The information here is presented to assist you in making decisions. As always, we recommend you do your own research and if you're in any doubt, book an appointment with a lawyer.

It is also worth mentioning that GDPR is very much a living document with phrases like "legitimate interest" and "reasonable measures". None of these phrases have any real legal definition and are open to interpretation. Some have interpreted them severely, and others more liberally.

GDPR is about being a good steward of the data you store on a user. It's not designed to stop you from operating an engaging web site. There's no need to create stress about users linking to other sites, embedding images, anonymizing IP addresses, and such on your site. These don't impact any data you are storing and are part of the normal operation of how the web works. Be responsible and respectful of your users' data but keep enjoying your community.

Let's have a quick recap on the points we raised in our original blog entry.

Individual Rights

The right to be informed
Invision Community has a built-in privacy policy system that is presented to a new user, and to existing users when it has been updated.

What should your privacy policy contain? I personally like the look of SEQ Legal's framework which is available for free.

This policy covers the important points such as which cookies are collected, how personal information is used and so on.

There may be other services out there offering similar templates.

Right to erasure
I personally feel that everyone should listen to "A Little Respect" as it's not only a cracking tune, but also carries a wonderful message.

The GDPR document, however, relates to the individual's right to be forgotten.

Invision Community allows you to delete members. When deleting members, you can elect to remove their content too. There is an option to keep it as Guest content, thus removing the author as identifiable.

It's worth using the 'keep' option after researching the user's posts to make sure they haven't posted personal information such as where they live, etc.

Emailing and Consent
Invision Community has the correct opt-in for bulk emails on registration that is not pre-checked. If the user checks this option, this is recorded with the member's history. Likewise, if they retract this permission, that action is also recorded.

When you edit the terms and conditions or privacy policy, all users are required to read it again and opt-in again.

Cookies
A lot of GDPR anxiety seems to revolve around these tiny little text files your browser stores. If you read the GDPR document (and who doesn't love a little light reading) then you'll see that very little has actually changed with cookies. It extends current data protection guidance a little to ensure that you are transparent about which cookies you store.

Invision Community has tools to create a floating cookie opt-in bar, and also a page showing which cookies are stored and why.

This is the page that you'd edit to add any cookies your installation sets (if you have enabled Facebook's Pixel, or Google Analytics for example).

Your GDPR Questions
Now let's look at some questions that have been asked on our community and I'll do my best to provide some guidance that should help you make decisions on how to configure your Invision Community to suit your needs.

Alan!!

Is the soft opt-in cookie policy enough? What about the IP address stored in the session cookie?
Great question. There's conflicting advice out there about this. The GDPR document states:

Quote

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The ICO states that session cookies stored for that session only (so they are deleted when the tab / window is closed) are OK as long as they are not used to profile users.

This is reinforced by EUROPA:

Quote

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.


My feeling is that GDPR isn't really out to stop you creating a functioning website; it is more interested in how you store and use this information.

Thus, I feel that storing a session cookie with an IP address is OK. The user is told what is being stored and instructions are given if they want to delete them.

Given the internet is very much driven by IP addresses, I fail to see how you can not collect an IP address in some form or another. They are collected in access logs deep in the server OS.

Finally, there is a strong legitimate interest in creating a session cookie. It's part and parcel of the website's function and the cookie is not used in any 'bad' way. It just allows guests and members to retain preferences and update "last seen" times to help deliver content.

Do I need to delete all the posts by a member if they ask me to?
We have many large clients in the EU with really impressive and expensive legal teams and they are all unanimous in telling us that there is no requirement to delete content when deleting a user's personal information. The analogy often given is with email: once someone sends you an email you are not obligated to delete that. The same is true with content posted by a user: once they post that content it's no longer "owned" by them and is now out in public.

Ultimately, the decision is yours but do not feel that you have to delete their content. This is not a GDPR requirement.

What about members who haven't validated? They're technically not members but we're still holding their data!
No problem. The system does delete un-validated users and incomplete users automatically for you. You can even set the time delay for deletion in the ACP.

What about RECAPTCHA? I use this, and it technically collects some data!
Just add that you use this service to your privacy policy, like so:

Quote

Spam Protection
Google reCAPTCHA (Google Inc.)
Google reCAPTCHA is a SPAM protection service provided by Google Inc.
The use of reCAPTCHA is subject to the Google privacy policy and terms of use.

Personal Data collected: Cookies and Usage Data.

Place of processing: United States – Privacy Policy.

I see many companies emailing out asking for members to opt back in for bulk mail, do I need to do this?
Short answer: No.

Since Invision Community 4.0, you can only ever bulk email users that have opted in for bulk emails. There's no way around it, so there's nothing to ask them to opt-in for. They've already done it.

There is a tiny wrinkle in that pre 4.2.7, the opt-in was pre-checked as was the norm for most websites. Moving forward, GDPR asks for explicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission.

What about notifications? They send emails!
Yes they do, but that's OK.

A notification is only ever sent after a user chooses to follow an item. This falls under legitimate interest.

There is also a clear way to stop receiving emails. The user can opt-in and opt-out of email as a notification device at their leisure.

Do I need to stop blocking embeds and external images?
No. The internet is based on cross-linking of things and sharing information. At a very fundamental level, it's going to be incredibly hard to prevent it from happening. Removing these engaging and enriching tools is only going to make your community suffer.

There's no harm in adding a few lines in your privacy policy explaining that the site may feature videos from Vimeo and YouTube as part of user contributions, but you do not need to be worried. As stated earlier, GDPR isn't about sucking the fun out of the internet, it's about being responsible and transparent.

Phew.
Hopefully you've got a better understanding about how Invision Community can assist your GDPR compliance efforts.

The best bit of advice is to not panic. If you have any questions, we'd love to hear them. Drop us a line below.

Edited by Matt


Comments



@Matt thank you for posting this. You talk about functional cookies in this post and it's good. But what about cookies that fall outside functional cookies? What does IPS do with that?

13 minutes ago, We are Borg said:

@Matt thank you for posting this. You talk about functional cookies in this post and it's good. But what about cookies that fall outside functional cookies? What does IPS do with that?

Invision Community only ever sets functional cookies. These may be to track a session, or they may be a result of a user instigating a feature (like the shopping cart, clicking Mark as read, etc) which are fine to set.

What did you have in mind?

Quote

Given the internet is very much driven by IP addresses, I fail to see how you can not collect an IP address in some form or another. They are collected in access logs deep in the server OS.

One thing is to collect IP addresses for a limited time, and in a way which does not allow you to directly associate IPs with specific users. This can be easily justified by security reasons (I believe there are countries that require that info to be stored for some time, so you would have legal reasons to do that).

Another completely different thing is to keep IP addresses indefinitely and associated with users, as it happens with many of the IPs stored by IPS in the database, I believe.

I'm wondering which legal basis you are going to use for this.

Edited by ptprog

15 minutes ago, ptprog said:

One thing is to collect IP addresses for a limited time, and in a way which does not allow you to directly associate IPs with specific users. This can be easily justified by security reasons (I believe there are countries that require that info to be stored for some time, so you would have legal reasons to do that).

Another completely different thing is to keep IP addresses indefinitely and associated with users, as it happens with many of the IPs stored by IPS in the database, I believe.

I'm wondering which legal basis you are going to use for this.

GDPR does not stop you storing information.

It just asks that you are transparent about what you store - and don't store more information than is needed.

The user can request that information be deleted. You'd use the "Delete member" feature to do this.


Very useful Matt, thank you. Although a couple of conflicting messages that I'd like clarified if possible please.

Quote

When you edit the terms and conditions or privacy policy, all users are required to read it again and opt-in again.

So as soon as I edit the terms and conditions I will no longer be able to send bulk mail to members who have previously opted in?

This conflicts a little with the below quote in my eyes, as, as soon as I update the privacy policy, I am essentially losing my opt-in members, unless I am totally misunderstanding something (which is quite likely).

Quote

I see many companies emailing out asking for members to opt back in for bulk mail, do I need to do this?
Short answer: No.

Since Invision Community 4.0, you can only ever bulk email users that have opted in for bulk emails. There's no way around it, so there's nothing to ask them to opt-in for. They've already done it.

There is a tiny wrinkle in that pre 4.2.7, the opt-in was pre-checked as was the norm for most websites. Moving forward, GDPR asks for implicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission.

 

 

10 minutes ago, Steve Bullman said:

So as soon as I edit the terms and conditions I will no longer be able to send bulk mail to members who have previously opted in?

Not really. They would have still opted-in already even if you change your terms and conditions. Now of course if you were to do something really strange to your terms then maybe that's different but that would be an abnormal thing to do.

In the end, GDPR is about being a responsible steward of user data. In this case, your user DID opt-in to receiving emails so sending them emails is well within a reasonable scope. You would not be spamming them or breaking any "rules" because they still had to manually and purposely check a box to say "Yes, I want emails from this site." so you're good.

3 minutes ago, Charles said:

Not really. They would have still opted-in already even if you change your terms and conditions. Now of course if you were to do something really strange to your terms then maybe that's different but that would be an abnormal thing to do.

In the end, GDPR is about being a responsible steward of user data. In this case, your user DID opt-in to receiving emails so sending them emails is well within a reasonable scope.

Ok. How I interpreted Matt's original sentence was that saving a change to the privacy policy would change the user's opt-in setting. But it's more a case of I should email them following the change and give them the option?

I had an email from a company the other day letting me know they had changed their privacy policy, invited me to read it, but didn't mention about opting in again.

There was an opt out link in the mail footer though.

I would preferably like my email I send out to be similar.

1 minute ago, Steve Bullman said:

Ok. How I interpreted Matt's original sentence was that saving a change to the privacy policy would change the user's opt-in setting. But it's more a case of I should email them following the change and give them the option?

Ah ok I see where that could be confusing. What Matt was referring to was a nice feature where, if you change some of your policy or terms text, you can optionally make a user re-read that text and click "agree" the next time they visit your site. It doesn't impact the opt-in statuses of things like bulk email, follow notifications, and such.


Sorry, could you also clarify what would be considered a soft opt-in?

For the first 2 years of my forum running I had opt-in set by default.  Would be nice if I could include these in my bulk mail if that is considered soft opt-in

Quote

However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission

 

Just now, Steve Bullman said:

Sorry, could you also clarify what would be considered a soft opt-in?

For the first 2 years of my forum running I had opt-in set by default.  Would be nice if I could include these in my bulk mail if that is considered soft opt-in

 

On older versions the opt-in box was prechecked so you can consider that "soft" since it was shown to them before signing up. You do not need to reconfirm permission in that case and you are good to continue to email them. On newer versions of Invision Community that box is not prechecked.


Great follow up GDPR post by Matt, thank you. 

At the end of the day, do no evil! When you make a decision, don't be evil. Do the right thing, for the right reasons and with the best of intentions, just like we all do with many things in life. Why not reset your list and give everyone the opportunity to opt-in afresh? Your members will be reassured if they see you taking a responsible review and stance because you collect, process and store their data and you're being open about what you do and won't do with their personal information.

As a responsible and well-meaning administrator, why would you worry or be unduly concerned about being seen to be open and transparent in your stance, by contacting your existing members who are currently opted-in (and/or putting a reminder on your site), that they are currently considered opted-in but that you're inviting them to remain so and/or that you're resetting everyone's preferences to opted-out by default on a certain date? (You think they'll want to because of the benefits and service improvements that will be of interest to them, but you respect their decision and choice either way.)

Invite them to continue to receive email notifications (called transaction emails that are mostly automated and sent in response to an action) but not about every single little thing (after all you spent 20 minutes reviewing the current default notifications and have reduced them by resetting them to minimal or none for all existing and new members, because you want them to reach the mythical Inbox Zero and you too care about the planet, but this is how you can quickly review and enable/disable them at any time). 

If you've ever used a service like, ahem, Sparkpost, in the past (there are other email providers available), remember they will likely have a suppression list from members who have previously declined emails or bounced due to policy, so ideally that list should be replicated in IPS if you can, if you are keeping your current opted in member list and not restarting afresh, as sensible best practice (because it's the right thing to do, and you're not evil!). In fact, they remind you to import it from your old provider, if you have one, when you join.

We're all getting a deluge of emails these days from companies who are either resetting on or before GDPR day, inviting us to stay opted-in or to opt-in again. I'd always value a company or service provider more who goes the extra mile, doesn't brow beat me, and is open.

It's nice to be able to reset the switch and for a lot of companies, restrict your inbox and take some control back.

2 hours ago, Matt said:

GDPR does not stop you storing information.

It just asks that you are transparent about what you store - and don't store more information than is needed.

The user can request that information be deleted. You'd use the "Delete member" feature to do this.

Two points:

  • I would say that storing the IP address from which a post was made 5 years ago is storing more information than is needed.
  • I just checked some private messages exchanged with a member that was deleted, and its IP address is still there (I did not check if posts also preserve this info), so it seems the possibility to delete a member is not enough to delete its personal data.


Yes, I was wondering the same as @ptprog. If you delete a member, but without deleting his posts, there is no way to delete the IP address. I definitely want to keep the posts - as you mentioned they are in public domain and it is ok to keep them as Guest. 

However, they will still carry the IP address, which will be a problem. Right now it seems that if you want to get rid of the IP, you need to delete the posts/pms as well, which shouldn't be the case. 

3 hours ago, jair101 said:

Yes, I was wondering the same as @ptprog. If you delete a member, but without deleting his posts, there is no way to delete the IP address. I definitely want to keep the posts - as you mentioned they are in public domain and it is ok to keep them as Guest. 

However, they will still carry the IP address, which will be a problem. Right now it seems that if you want to get rid of the IP, you need to delete the posts/pms as well, which shouldn't be the case. 

Once an account is deleted, the IP address then becomes associated with the Guest account and not user account Fred. As that is an anonymous account the IP is no longer Personally Identifiable Information and therefore GDPR no longer applies to it.

13 hours ago, Matt said:

Invision Community only ever sets functional cookies. These may be to track a session, or they may be a result of a user instigating a feature (like the shopping cart, clicking Mark as read, etc) which are fine to set.

What did you have in mind?

Well, IPS might be safe because you use functional cookies, but what about add-ons, and what about people that use, for example, Google Ads and Google Analytics? While you are correct that with functional cookies you only need to press OK, if people use other products like I said you'll need two cookie banners: one that's IPS and one that's external. Why not a banner that add-on developers can tie into and Google stuff can be set into? This way you only need one banner and IPS can control it all; you can then also see if developers use the banner, and if not, people can address the add-on developer to make it compliant.


@We are Borg Since users can control their privacy through Google (through Google's personal privacy policy) as long as you make users aware that you are using google services and what you are tracking that is an unnecessary step. This is actually already a mandatory part of using things like Google Analytics and their ad service anyways.

Quote

 Moving forward, GDPR asks for implicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). 

Wrong, the GDPR calls for explicit consent; i.e. the user specifically declaring they are interested. 

1 minute ago, Aaron M said:

Wrong, the GDPR calls for explicit consent; i.e. the user specifically declaring they are interested. 

That was what was intended there. Thus why the check isn't checked by default. It is explicit if the user intentionally checks the box.

Just now, Jennifer M said:

That was what was intended there. Thus why the check isn't checked by default. It is explicit if the user intentionally checks the box.

Naturally, but to use the antonym while attempting to illustrate the difference only lends itself to more confusion.

41 minutes ago, Aaron M said:

Naturally, but to use the antonym while attempting to illustrate the difference only lends itself to more confusion.

Yes, typo fixed. I meant explicit but my brain substituted the word incorrectly. The intention was always explicit consent as the surrounding text illustrated.

13 hours ago, ptprog said:

Two points:

  • I would say that storing the IP address from which a post was made 5 years ago is storing more information than is needed.
  • I just checked some private messages exchanged with a member that was deleted, and its IP address is still there (I did not check if posts also preserve this info), so it seems the possibility to delete a member is not enough to delete its personal data.

If you're more comfortable removing IP addresses from content data, then get in touch with support and we'll show you the queries to run on your database (assuming you make back-ups, and are comfortable with admin tasks like that, etc, etc).

9 hours ago, DesignzShop said:

In many instances one could come up with many many reasons to retain data from "forgotten" users.

https://www.mycustomer.com/marketing/data/gdpr-and-the-right-to-be-forgotten-can-you-reject-a-request-for-erasure

Yes, in general you may have valid reasons to retain data.

For example, when you retain IP addresses, or even emails, of banned users and spammers, I see a reasonable reason to retain that data: prevent future abuses, from users that already have a history of abuses (although I have some doubts about the real usefulness of this data...).

But I'm talking about a specific case.  In particular, my problem is with the indefinite storage of IP addresses as result of the "normal" use of IPS software.  I have used the IP data to detect abuses, but I never needed data from more than a few weeks ago.  So, even if the user does not want to be forgotten, I believe retaining this data indefinitely does not comply with the balance requirements of legitimate interest.

(This opinion is mainly based on my experience.  Others may have legitimate use cases to justify keeping such data, and if that's the case, I'm curious to know more about concrete examples.)

9 hours ago, GlenP said:

Once an account is deleted, the IP address then becomes associated with the Guest account and not user account Fred. As that is an anonymous account the IP is no longer Personally Identifiable Information and therefore GDPR no longer applies to it.

IP addresses are considered PII even when they are not directly connected with a user account. If you cannot associate the IP address with an account, you can still "track" the user. In this case, the IP addresses are similar to many other online identifiers such as tracking cookies, which are considered PII even if not associated with user accounts.

28 minutes ago, Matt said:

If you're more comfortable removing IP addresses from content data, then get in touch with support and we'll show you the queries to run on your database (assuming you make back-ups, and are comfortable with admin tasks like that, etc, etc).

Thanks.  That may be enough for me.

8 hours ago, Jennifer M said:

@We are Borg Since users can control their privacy through Google (through Google's personal privacy policy) as long as you make users aware that you are using google services and what you are tracking that is an unnecessary step. This is actually already a mandatory part of using things like Google Analytics and their ad service anyways.

That's not the way it works; you'll need to be able to refuse the cookie on the site.
