Jump to content
You're invited! Join our 4.6 Live Event on ZOOM 6/24 ×

Invision Community Blog


Managing successful online communities

Matt
 Share


Your GDPR questions answered

You've no doubt heard about GDPR by now. It's a very hot topic in many circles. Lots of experts are weighing in on the best approach to take before the May 25th deadline.

Which reminds me of my favorite joke:

"Do you know a great GDPR expert?”

Yes, I do!

“Could you send me his email address”

No, I'm afraid not.

I wrote about how Invision Community can help with your GDPR compliance back in December. I've seen a lot of posts and topics on GDPR in our community since then.

First, let's get the disclaimer out of the way. I'm a humble programmer and not a GDPR expert or a lawyer. The information here is presented to assist you in making decisions. As always, we recommend you do your own research and if you're in any doubt, book an appointment with a lawyer.

It is also worth mentioning that GDPR is very much a living document with phrases like "legitimate interest" and "reasonable measures". None of these phrases have any real legal definition and are open to interpretation. Some have interpreted them severely, and others more liberally.

GDRP is about being a good steward of the data you store on a user. It's not designed to stop you from operating an engaging web site. There's no need to create stress about users linking to other sites, embedding images, anonymizing IP addresses, and such on your site. These don't impact any data you are storing and are part of the normal operation of how the web works. Be responsible and respectful of your users' data but keep enjoying your community.

Let's have a quick recap on the points we raised in our original blog entry.

Individual Rights

The right to be informed
Invision Community has a built in privacy policy system that is presented to a new user, and existing users when it has been updated.

Terms1.png.3d027181ba57709cf44aee4d4062f371.thumb.png.13eeb5cea4329bbd61db410565627b49.png

 

What should your privacy policy contain? I personally like the look of SEQ Legal's framework which is available for free.

This policy covers the important points such as which cookies are collected, how personal information is used and so on.

There may be other services out there offering similar templates.

Right to erasure
I personally feel that everyone should listen to "A Little Respect" as it's not only a cracking tune, but also carries a wonderful message.

The GDPR document however relates to the individuals right to be forgotten.

Invision Community allows you to delete members. When deleting members, you can elect to remove their content too. There is an option to keep it as Guest content, thus removing the author as identifiable.

It's worth using the 'keep' option after researching the user's posts to make sure they haven't posted personal information such as where they live, etc.

Emailing and Consent
Invision Community has the correct opt-in for bulk emails on registration that is not pre-checked. If the user checks this option, this is recorded with the member's history. Likewise, if they retract this permission, that action is also recorded.

consent3.png.faf513cca718f5be919f0ba9b24076a6.thumb.png.18dd0b7272f5561e75a8428fc92eb1eb.png

 

When you edit the terms and conditions or privacy policy, all users are required to read it again and opt-in again.

Cookies
A lot of GDPR anxiety seems to revolve around these tiny little text files your browser stores. If you read the GDPR document (and who doesn't love a little light reading) then you'll see that very little has actually changed with cookies. It extends current data protection guidance a little to ensure that you are transparent about which cookies you store.

Invision Community has tools to create a floating cookie opt-in bar, and also a page showing which cookies are stored and why.

This is the page that you'd edit to add any cookies your installation sets (if you have enabled Facebook's Pixel, or Google Analytics for example).

Your GDPR Questions
Now let's look at some questions that have been asked on our community and I'll do my best to provide some guidance that should help you make decisions on how to configure your Invision Community to suit your needs.

300863890_Monosnap2018-05-1113-48-57.thumb.jpg.8e5bfdcf308f51274e1e731139224d5d.jpg

Alan!!

Is the soft opt-in cookie policy enough? What about the IP address stored in the session cookie?
Great question. There's conflicting advise out there about this. The GDPR document states:

Quote

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The ICO states that session cookies stored for that session only (so they are deleted when the tab / window is closed) are OK as long as they are not used to profile users.

This is re-enforced by EUROPA:

Quote

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.


My feeling is that GDPR isn't really out to stop you creating a functioning website, they are more interested in how you store and use this information.

Thus, I feel that storing a session cookie with an IP address is OK. The user is told what is being stored and instructions are given if they want to delete them.

Given the internet is very much driven by IP addresses, I fail to see how you can not collect an IP address in some form or another. They are collected in access logs deep in the server OS.

Finally, there is a strong legitimate interest in creating a session cookie. It's part and parcel of the website's function and the cookie is not used in any 'bad' way. It just allows guests and members to retain preferences and update "last seen" times to help deliver content.

Do I need to delete all the posts by a member if they ask me to?
We have many large clients in the EU with really impressive and expensive legal teams and they are all unanimous in telling us that there is no requirement to delete content when deleting a user's personal information. The analogy often given is with email: once someone sends you an email you are not obligated to delete that. The same is true with content posted by a user: once they post that content it's no longer "owned" by them and is now out in public.

Ultimately, the decision is yours but do not feel that you have to delete their content. This is not a GDPR requirement.

What about members who haven't validated? They're technically not members but we're still holding their data!
No problem. The system does delete un-validated users and incomplete users automatically for you. You can even set the time delay for deletion in the ACP.

1178220687_Monosnap2018-05-1115-17-41.thumb.jpg.a9098e7f8e737c9f57adcbad5279ccd3.jpg

 

What about RECAPTCHA? I use this, and it technically collects some data!
Just add that you use this service to your privacy policy, like so:

Quote

Spam Protection
Google reCAPTCHA (Google Inc.)
Google reCAPTCHA is a SPAM protection service provided by Google Inc.
The use of reCAPTCHA is subject to the Google privacy policy and terms of use.

Personal Data collected: Cookies and Usage Data.

Place of processing: United States – Privacy Policy.

I see many companies emailing out asking for members to opt back in for bulk mail, do I need to do this?
Short answer: No.

Since Invision Community 4.0, you can only ever bulk email users that have opted in for bulk emails. There's no way around it, so there's nothing to ask them to opt-in for. They've already done it.

There is a tiny wrinkle in that pre 4.2.7, the opt-in was pre-checked as was the norm for most websites. Moving forward, GDPR asks for explicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission.

What about notifications? They send emails!
Yes they do, but that's OK.

A notification is only ever sent after a user chooses to follow an item. This falls under legitimate interest.

There is also a clear way to stop receiving emails. The user can opt-in and opt-out of email as a notification device at their leisure.

prefs.thumb.jpg.aed1f25b83178c657408a9f17d16d17f.jpg

 

Do I need to stop blocking embeds and external images?
No. The internet is based on cross-linking of things and sharing information. At a very fundamental level, it's going to be incredibly hard to prevent it from happening. Removing these engaging and enriching tools are only going to make your community suffer.

There's no harm in adding a few lines in your privacy policy explaining that the site may feature videos from Vimeo and Youtube as part of user contributions but you do not need to be worried. As stated earlier, GDPR isn't about sucking the fun out of the internet, it's about being responsible and transparent.

Phew.
Hopefully you've got a better understanding about how Invision Community can assist your GDPR compliance efforts.

The best bit of advice is to not panic. If you have any questions, we'd love to hear them. Drop us a line below.

Edited by Matt

 Share

Comments

Recommended Comments



19 hours ago, Charles said:

because they still had to manually and purposely check a box to say "Yes, I want emails from this site." so you're good.

@Charles@Matt

We also nees this for the "Contact-us" Form. I we want to contact the user after he used the form, he have to agree before that we store his personal data, most likely his e-mail adress.

Two general additions

1) The above is all for self-hosted forums. In case a user booked your cloud services you should provide an "order processing agreement" document, which should be signed from both sides. Also it is a good idea Invision gets listed under https://www.privacyshield.gov.

2) I'm not sure for myself, but we (in Europe) should consider to enable age verification check because of https://gdpr-info.eu/art-8-gdpr/.

 

Edited by steel51
Link to comment
Share on other sites

1 hour ago, steel51 said:

We also nees this for the "Contact-us" Form. I we want to contact the user after he used the form, he have to agree before that we store his personal data, most likely his e-mail adress.

No! This is where people take GDPR too far and misunderstand the point. Of course a contact form requires contact data and contact data to be stored. Just as ordering a product requires a shipping and billing address to be stored. You don’t need addition consent. The GDPR changes nothing in that regard and requires nothing new. 

You just shouldn’t ask for more information than necessary and you shouldn’t use it for other purposes. When the contact form signs the user up for a marketing email list without his knowledge and consent – well, you can’t do that anymore. (And you shouldn’t have done it in the past.)

Link to comment
Share on other sites

  • Management

Yes, as opentype said, the contact form does not need anything for GDPR. No data is stored. It's no different than when someone sends you an email. It would be silly to include a line saying "you have permission to reply to me."

Don't overthink what GDPR is for ?

Link to comment
Share on other sites

  • Management
10 minutes ago, Markus Jung said:

My lawyer told me you do need at least a direct link to the privacy policy under the form.

Obviously I would not tell you to go against your lawyer's advice but I would note the contact us link in the footer is like 5 pixels to the right of the privacy policy link so you know... ?

As I said, the contact us form is basically a "send me an email" form so I do not personally see any GDPR impact anymore than someone just emailing you would have.

Link to comment
Share on other sites

23 hours ago, Charles said:

Yes, as opentype said, the contact form does not need anything for GDPR. No data is stored. It's no different than when someone sends you an email. It would be silly to include a line saying "you have permission to reply to me."

Don't overthink what GDPR is for ?

After some thinking about the contact form, it is propably right what you said, @Charles and @opentype.  So, I agree. For me it unclear if to enable a age verification check. I think it is neccessary, als Whatspapp did this also.

Link to comment
Share on other sites

I've posted about this a couple of times but no one from IPB has commented on it. 

It is clear in the GDPR that we need to give our users an automated way of downloading their data.

We need functionality for users to download all their entered data in the platform, e.g forum posts, registration info, messages etc. 

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. the processing is carried out by automated means.

 

Link to comment
Share on other sites

Hello Invision Community members! Does anyone of you already made any changes or addings to your sites regarding the GDPR law? Or, for now, simply, at the discussion stage? Do we have any practical experience yet?

Link to comment
Share on other sites

  • Management
16 hours ago, asigno said:

I've posted about this a couple of times but no one from IPB has commented on it. 

It is clear in the GDPR that we need to give our users an automated way of downloading their data.

We need functionality for users to download all their entered data in the platform, e.g forum posts, registration info, messages etc. 

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. the processing is carried out by automated means.

 

I personally do not feel that public posts or personal messages constitute 'personal data'. I see that more like email address, age, address, credit card details, etc.

Link to comment
Share on other sites

1 hour ago, Matt said:

I personally do not feel that public posts or personal messages constitute 'personal data'. I see that more like email address, age, address, credit card details, etc.

Note, however, that if you do not delete old IP addresses from the database, nor anonymize them, that is personal data.

Even for those like me that want to delete IP addresses after some time, the recent ones (and the ones from consents, for example) will be in the database.  I don't think anybody will request this for data portability, but people may request it as part of their "right of access" (Article 15).

Link to comment
Share on other sites

I have a question about the access we provide to IPS support when troubleshooting is needed. Technically, the support has access to the database and to the personal information (emails at least) of all members. Are you planning to include an explicit clause in the relations between us (the customers) and you (the provider of the software) that when the IPS staff access ACP in our communities they don't have permissions to copy or export any kind of data?

 

Link to comment
Share on other sites

  • Management
1 hour ago, jair101 said:

I have a question about the access we provide to IPS support when troubleshooting is needed. Technically, the support has access to the database and to the personal information (emails at least) of all members. Are you planning to include an explicit clause in the relations between us (the customers) and you (the provider of the software) that when the IPS staff access ACP in our communities they don't have permissions to copy or export any kind of data?

 

We have been doing this for over 16 years and I don't think anyone has ever asked me that ?  ... of course our staff never download your data while we are helping you with a support request. That's not a GDPR thing at all that's a case of simple ownership: it's not our data why would we download it?

Link to comment
Share on other sites

6 hours ago, Matt said:

I personally do not feel that public posts or personal messages constitute 'personal data'. I see that more like email address, age, address, credit card details, etc.

Hi @Matt 

Luckily this isn't subjective, the ICO clearly state the definition of what personal data is.

Quote

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

 

To meet GDPR requirements we need an automated way for a user to download all the data they've entered in to IPB. 
 

Quote

 

Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way (29), and when the receiving system is technically in a position to receive the incoming data. If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).

On a technical level, data controllers should explore and assess two different and complimentary paths for making portable data available to the data subjects or to other data controllers:

- a direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset);

- an automated tool that allows extraction of relevant data.

 

Are IPB working on building this functionality?

Link to comment
Share on other sites

55 minutes ago, Charles said:

We have been doing this for over 16 years and I don't think anyone has ever asked me that ?  ... of course our staff never download your data while we are helping you with a support request. That's not a GDPR thing at all that's a case of simple ownership: it's not our data why would we download it?

It is not that I don't trust you, believe me for most admins this GDPR thing is mainly a headache. I can also tell the authorities statement similar to yours here and just not create any privacy policy at all :). Not trying to open a can of worms here, really. But it is a fact that you have access to this data and the statement that you won't download/export/use it for whatever purposes I guess needs to be formalized. 

Again, not trying to accuse of dishonesty, not at all, just trying to be compliant as much as possible. In my privacy policy I am disclosing who has access to the data and IPS support is listed there. It would be nice if I can include an official statement that IPS supports never downloads and exports member data. 

 

 

Link to comment
Share on other sites

2 hours ago, O9C4 said:

Will my community be cut off from the European members and traffic after 25 may, if no actions from me as Administrator regarding the GDPR?

GDPR should be readily understood and easy to adopt.  The fact you asked your question means the people rolling out this new regulation failed to adequately inform the populace about it in a way that could be easily understood by one and all.  Lawyers themselves may find themselves puzzling over the wording of the regulation and it is quite likely many a law suit will be launched to bring clarity to various aspects of it.  Some if it is likely to be changed or deleted as consequence. You are responsible for adhering to GDPR even if it is flawed and you don't fully understand it.  Ignorance of the law is no defense in the court of law.

Nothing is likely to happen at first.  I imagine the individuals tasked with enforcing this regulation will focus their attentions on websites that inspired the adoption of this regulation in order to make an example of them.  They will probably move on to websites after that who have made no effort whatsoever towards trying to be compliant.

Every website owner will have to make a personal determination if they feel comfortable that they can come to understand the GDPR enough to know what changes (if any) need to be made on their website and have the wherewithal to make those changes or sufficient resources to hire legal and technical expertise to handle it for them.  The GDPR is likely to cause many website owners to decide the effort to become compliant with GDPR and other initiatives around privacy and security is just too much.  You and others members of this forum will have to make that decision in the coming months.

Edited by Christopher Anderson
Link to comment
Share on other sites

11 minutes ago, Christopher Anderson said:

I imagine the individuals tasked with enforcing this regulation will focus their attentions on websites that inspired the adoption of this regulation in order to make an example of them. 

Probably. But there aren’t just the people working for the governments. It’s a common business model for private law firms to find legal problems on websites and send out formal warnings with a large fee. For those companies, the new regulations could be another gold rush. 

Link to comment
Share on other sites

I have a couple of apps on itunes and google play.  One is a guide to tying knots for climbing, and the other a fungi identification tool.  neither of these apps require a log in.  You simply purchase them and use.  And yep you've guessed it, google play have just removed one because it doesn't have a flipping privacy policy on it.  The amount of money I actually earn out of these apps I am seriously wondering if its worth fixing or not...utter stupidity

Link to comment
Share on other sites

39 minutes ago, Steve Bullman said:

I have a couple of apps on itunes and google play.  One is a guide to tying knots for climbing, and the other a fungi identification tool.  neither of these apps require a log in.  You simply purchase them and use.  And yep you've guessed it, google play have just removed one because it doesn't have a flipping privacy policy on it.  The amount of money I actually earn out of these apps I am seriously wondering if its worth fixing or not...utter stupidity

I fail to see the stupidity. Even free/guest-only apps (or maybe especially those) might try to make money by logging activity connected to the IP address and share it with others for ad targeting or things that are even worse. As I user, I want to have a way to find out about that, so a privacy policy requirement makes a lot of sense to me. And from platform providers like Google I expect that they protect me from possible misuse by setting up and enforcing such rules. 

Link to comment
Share on other sites

  • Management
13 hours ago, asigno said:

Hi @Matt 

Luckily this isn't subjective, the ICO clearly state the definition of what personal data is.

To meet GDPR requirements we need an automated way for a user to download all the data they've entered in to IPB. 
 

Are IPB working on building this functionality?

 

9 hours ago, Steve Bullman said:

Is the part of GDPR regarding removal of content the same as the recent ruling of the right to be forgotten?

 

8 hours ago, asigno said:

 

We have been told repeatedly by clients in the EU with very large legal teams that GDPR does not apply to content posted. These clients do more than just link to ICO and quote text, they pay large sums of money to investigate these issues and they are unanimous that once a user posts content to the community that content is then owned by the community. Much like when someone sends you an email: that email is no longer their property.

Of course you are free to interpret things as you wish but we are going off the very best advice possible and do not intend to muddy the waters between "personal information" and general content.

Link to comment
Share on other sites

2 hours ago, Charles said:

 

 

 

We have been told repeatedly by clients in the EU with very large legal teams that GDPR does not apply to content posted. These clients do more than just link to ICO and quote text, they pay large sums of money to investigate these issues and they are unanimous that once a user posts content to the community that content is then owned by the community. Much like when someone sends you an email: that email is no longer their property.

Of course you are free to interpret things as you wish but we are going off the very best advice possible and do not intend to muddy the waters between "personal information" and general content.

I agree to that what charles said. Theoretically, if a user submitted very good content (which is totally unique) to your website, he has the chance to claim for copyright. In Germany we have a word for it: "Schöpfungshöhe". It is, more or less, the value or the worth for the content a user submitted. I guess there will only be rare cases where you can think about this in a normal forum post. So, don't worry.

Link to comment
Share on other sites




Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Add a comment...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

Important Information

We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. See more about cookies and our Privacy Policy

×