Markus Jung

This is really good news, I'd been hoping to see a performance-based release for some time as traditionally IPS does rate low in Page SpeedGTMetrix/Yslow tests and we've been waiting for some of these overdue improvements for quite some time. So huge thanks! 
Lazyloading should really help with Gallery in particular, I currently get a poor Pagespeed score of F42 on one of my sites.
Please consider adding to your to do list (if not already added):
Serve scaled images (current GTMetrix reports a score of F0 with a 1.2MiB 80% possible saving is possible on my Gallery index page) Where static content is uploaded to Amazon S3 and Cloudfront (it should be copied, not moved!), often there is missing header metadata such as cache-control, expires etc. Whilst investigating poor Cloudfront cache hit ratios of just 5%, I noticed this week an IPS uploaded .png image placed in my S3 bucket with a content-type of image/jpeg instead of image/png.  Leverage Browser Caching (you can't do anything about Amazon and Google external resources, but IPS could and should add more to improve caching of its static resources) Specify Image Dimensions - I get awful scores for this both on Gallery and Forums where images are missing width and height attributes. This happens particularly in grid view layout and where you upload an image attachment into forum description fields via AdminCP.  Remove query strings from urls - Have raised this several times, and keep getting told it's needed to allow cache busting, but the string token could be built into the actual filename/url itself. If CSS for example is later rebuilt, a new url is created and immediately browsers see the updated resource and recache it. All of the separate CSS and JS files should be grouped into one or two files, not like 10-12. Pages article images should have medium sized thumbnails available instead of just tiny thumbnails which look awful stretch to cover on 4K displays. The alternative is full-sized (in my case massive 1920x1080 images) which kill page loading times are are such overkill for article listing previews.  
 
 
 

@Mr 13 We've actually optimized all images in the suite too; the default coverphoto image is now ~280KB. Also, cover photos across the suite are indeed lazy loaded too.
@Joel R Yes there's a background task that will clean up the existing letter photos.
For developers, I wanted to add that our lazy loading utility is very flexible, so you can actually use it to lazy load whatever you want, and pretty finely control what happens (with preload, load and post-load callbacks). We hook into IntersectionObserver which is a new(ish) API in browsers that make it super efficient to check when an element comes into view. Of course, our regular content controllers already handle lazy loading images and videos in UGC for you, but if your apps have other areas where it'd be useful, you can do that quite easily 🙂 

Does lazy loading work on all applications, especially pages like Gallery albums or Our Picks that are rich in content? 
Edited this post to include Our Picks, which I use as my homepage and I have a terrible score in Pagespeed insights.  Number one recommendation is to lazy load offscreen images! 

I always see it as a literal “evolutionary” process. I constantly try out new “mutations”, i.e. features. If they turn out to be beneficial, I might put more work into them and make them more prominent. If they do not work, I scale them back slowly (e.g. by first demoting them in the menus) and remove them eventually. There certainly is a danger in adding too much stuff. Not just in regards to the software conflicts you will get, but also in the way you confuse your users. I even have tons of “display:none” declarations in my theme to hide stock functionality. Often less is more. 

Theme isnt outdated. No customizations in our friendly URL settings
edit: Fixed. I never touched friendy urls, but there was revert button to default settings. That worked.

Nice improvements ! Congrats @Matt @Charles
especially the canonical tags preventing duplicate content from being indexed
By the way we asked someone to develop a plugin that adds a noindex on topics in case a topic is less than XXX words (lets say 150 or 200)
counting all posts of the topic of course
it works fine (not in the marketplace yet)
This is nice as it prevents to index many topics with just a few words (thin content pages)
maybe this feature could be considered to be implemented "native" ?

I saw that you plan to set a redirection to a form next to a guest post, there might be an easier way to do this, the best way to do it is like this :
https://www.commentcamarche.net/forum/linux-unix-13/new
right below the post form,  ask a login / email / password
much easier, and the visitor stays on the same page :)

Great to see this feature coming!
I like this idea.

We can take this big step to have a form before the list of forums for the user already insert content, something similar to the attached figure?
This is the type of UI most commonly used in the social networks. Users are already familiar with this, it would help a lot. 
 
Instead of the "Select Forum" popup it could be a "next step" form/page for the user to choose the best place to post the topic he just wrote. This would help in addition to other things to reduce the sending of topics in the wrong forums.
 

For GDPR compliance the user has to actively confirm that the mail address can be saved and confirm that he read the privacy policy. 

For GDPR compliance the user has to actively confirm that the mail address can be saved and confirm that he read the privacy policy. 

Sorry guys, while 4.3.3 has the GDPR improvements, it also contains numerous bug fixes and so we need to carry it through our normal release schedule. We avoid late-week releases because we are not open for general support on the weekends. Tuesday is our target release date. 
Have a good weekend!

Whats about Article 8 GDPR, https://gdpr-info.eu/art-8-gdpr/
How do we take care about this? @Matt, @opentype@DReffects2 Any plans and / or opinions regarding that?

Note that you can use the contact form without agreeing to the ToS, I believe.  Probably there are other guest forms in a similar situation.
I'm checking European Commission websites to see how they are complying with GDPR, and their contact forms (or at least some) have the consent checkboxes.  So, even though I'm not particularly concerned with this issue, I think it would be wise to add this to contact forms and some other guest forms (maybe put it in the same places where you may place a CAPTCHA for avoiding guest spam messages).

@Matt
I highly appreciate your efforts with this blog post. Your writing shows a lot of common sense and from a website publisher's perspective I do fully agree.
But (and that's a big but) unfortunately the courts over in Europe have time and time again surprised us with its findings and the new law (and even the old data privacy laws within the separate EU member states) do not share that common sense.
While US Courts effectively can make laws, the courts over here can not. Each and every case is subject to interpretation of the written law and as you've noticed: the law is far from being exact. I'd like to address a few flaws with the law and the effects on communities driven by IPS. As you I am not a lawyer but reside in the one country with the single most cease-and-desist orders in relation to online business, copyright infringement and intellectual property claims: Germany. Hallo und Guten Tag.
Let me go over the utilities the IPS suite now offers:
The right to be informed Thank you - the cookie bar was long overdue ? Right to DELETE
This is a unbelievably tricky subject. Reading through the comments and even your post about an EU customer I wonder if anyone has ever read the laws on intellectual property (over in Europe).
If any part of anything I post here or in any other online community reaches the threshold of originality ("Schöpfungshöhe") it is automatically protected by a copyright law. (If you stretch the interpretation to its limits even this post right here could be covered since I aim to provide helpful information.) This copyright never expires and is not transferable to anyone else. Your original content will always be yours. The only way for a website publisher to keep the more creative posts of former users is, if those users have transferred an non-restricted usage rights to the publisher. The one and only way by law to have a copyright transferred from one person to another is by death of the original author. So even if you delete a former member from the community and keep the posts you are not immune to the Abmahnung. Years and years later a relative who inherited the intellectual property of a deceased member of your community could come after you. This is very very relevant when users are posting self-taken photographs or write fanfiction. There are ways to transfer unrestricted usage rights via your terms of service and I strongly suggest anyone within the EU does implement those. I haven't deleted anyone recently but I do recall that once deleted, the posts from a deleted member that then are logged under a "guest" name cannot be selected collectively afterwards. So if you delete a member and keep the posts there is no way to do a second cleansing if this specific idiot tries to make your life hard. Also there's a requirement to inform any third parties about the deletion of a specific dataset. So if your community system transferred personal data to Facebook (status updates...) you need to inform Facebook about the deletion. There's an exemption if this would require a "high effort" but what that means is for the courts to decide ? Suggestions to solve this issues: Have users sign away usage rights during sign-up via a checkbox (like with the opt-in for emails) Make posts of deleted members search-able afterwards in the ACP to get rid of them if needed Another big issue I see is with IP addresses. While it is absolutely common sense that an IP address is NOT personal information, the courts ruled otherwise. Time and time again. I will spare you tons of links and just post this one about a ruling from Germany's highest court:
https://www.lto.de/recht/hintergruende/h/bgh-urteil-vizr13513-dynamische-ip-adressen-personenbezogene-daten-speicherung-internetseiten-bundesrepublik/
Within this ruling you find the following:
IP addresses in itself, even dynamic ones, are personal data that need to be protected While website publishers certainly have an interest to protect their infrastructure this interest only applies when there is a specific threat which is not the case during normal operations All in all the IPs are NOT needed to serve the website to the visitor and therefore are not to be documented Fun fact about this: the one that went to court was a member of a political party. The one he sued was the country Germany. The court ruled in his favor. The highest European court came to the very same conclusion in 2016.
Therefor we absolutely need an option to disable the collection of IP addresses and purge previously collected data. (since that's not new with the GDPR)
I recognize that you might be able to run a few db-queries to purge the IPs but since the GDPR requires companies to have a method description for all things related to IT this is not enough. Each tool used within your companies IT structure needs to be GDPR compliant on its own. Therefore the exclusion of IP address data collection has to be implemented within Invisionpower Software to be legal.
A few more features required in relation to GDPR:
A opt-in checkbox for the contact form that has to be checked before the user can send you his information with a disclaimer that tells the user that the information he sends will be stored and used to answer his question. YES, this is f*cking obvious and seems totally retarded... ? Needs to be documented... An option to export all user data (posts, images, profile information) in a "standardized machine-readable form" See the right of transfer (§20 GDPR) https://www.datenschutz-grundverordnung.eu/grundverordnung/art-20-ds-gvo/ Each and every opt-in by a user has to be documented. IPS has implemented this for the opt-in for emails since every opt-in is now for a predefined specific purpose I'd argue that also the opt-ins for thread-updates, personal message etc. need to be gathered and documented. Age verification (I saw this in previous version - does it still exist?) ISP needs to provide a Data Processing Agreement - even if you do not host my communites your support can access them via an admin account for support. Therefor the agreement is needed. I have attached a document in english from a large european hosting provider. Maybe that's of help to you. I need one by May 24th.  
You're dead wrong here, sorry.
Hallo "Abmahnung". That's the real problem. I suspect tens of thousands of Abmahnungen will leave the fax machines on May 25th at 00:01 am.
Data Processing Agreement.pdf

Probably. But there aren’t just the people working for the governments. It’s a common business model for private law firms to find legal problems on websites and send out formal warnings with a large fee. For those companies, the new regulations could be another gold rush. 

@Charles@Matt

We also nees this for the "Contact-us" Form. I we want to contact the user after he used the form, he have to agree before that we store his personal data, most likely his e-mail adress.

Two general additions

1) The above is all for self-hosted forums. In case a user booked your cloud services you should provide an "order processing agreement" document, which should be signed from both sides. Also it is a good idea Invision gets listed under https://www.privacyshield.gov.

2) I'm not sure for myself, but we (in Europe) should consider to enable age verification check because of https://gdpr-info.eu/art-8-gdpr/.
 

Yes, I was wondering the same as @ptprog. If you delete a member, but without deleting his posts, there is no way to delete the IP address. I definitely want to keep the posts - as you mentioned they are in public domain and it is ok to keep them as Guest. 
However, they will still carry the IP address, which will be a problem. Right now it seems that if you want to get rid of the IP, you need to delete the posts/pms as well, which shouldn't be the case. 

Two points:
I would say that storing the IP address from which a post was made 5 years ago is storing more information than is needed. I just checked some private messages exchanged with a member that was deleted, and its IP address is still there (I did not check if posts also preserve this info), so it seems the possibility to delete a member is not enough to delete its personal data.

Will IPS host any Elasticsearch services itself, for example for use with CIC packages?

Is there a way to have custom emoji categories being displayed before standard ones in the editor ?
 

I second this question - I would like my custom Emoticons to show first in the drop down box.

Is there any way of sending a prompt to existing users, to opt in?
For example a bulk email, that gives users a link to opt in, or opt out - if they dont, they automatically get opted out?

It would be great to know in advance what IPB are working on in regards to GDPR compliance, I keep reading that something will be posted soon but we're only three weeks out now.
Wordpress are great in showing what they are currently working on;
https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&status=reviewing&keywords=~gdpr&order=priority
functionality for users to either request or delete their information Allow users to be able to download all their data entered, ie registration info, comments and/or posts Functionality to confirm a users request for deletion has been actioned  

Updated through admin CP. Took around 15 minutes and worked flawlessly, no issues :).
Everything seems MUCH faster.