• Members 50 posts
    May 18, 2018, 2:23 p.m.

    Hi rafalp,

    Right now the registration box says "By registering you agree to site's terms and conditions.". Will it be possible to also add an "By registering you agree to site's privacy policy." and maybe make it a checkbox too. Again this is in relation to GDPR.

    Best regards
    Mike

  • May 18, 2018, 3:49 p.m.

    Before addressing actuall feature request directly, I would like to take a minute to clear up some misconceptions:

    Privacy policy is not a legal agreement. Some sites like to present it as such but more accurate description for it is "accurate information document for user". It may not make conditions or requirements to user. GDPR makes it explicit that this document should avoid overly-formal and technical form, be concise, quick to read and easy to digest by your users. Its like how law requires property owner to provide accurate but simple floor plan with evacuation routes in case of emergency.

    GDPR states that entity bound by its terms requires explicit consent from user in order to lawfully process user's data in following manner:

    • transfer it to other entity or outside of GDPR jurisdiction (like adserver)
    • using their personal data for profiling (forum doesn't do that)
    • processing sensitive data (eg. sexual orientation, ethnic background or religion)

    GDPR also introduces two additional conditions here:

    • withdrawal must be possible at any time
    • withdrawal should not result in termination of service

    The intention behind those conditions is to let user decide "I don't want you to send my data to US" as well as avoid being profiled during business process (eg. UK bank finding out from your surname that you are Polish immigrant and offering you worse deal in return). Also, those two conditions don't make sense in context of registering account on internet forum per se, unless your "product" is option to have an account on your site. Registration on internet forum falls under the implicit consent part of GDPR where user agrees to share their non-sensitive data with you to meet basic requirements of the service: email, username, ip address.

    Registration becomes explicit consent when your site allows registration from minors, because GDPR considers all personal data as sensitive if it belongs to minor. But if your terms of service require users to be of age 16 and up and you will delete personal data of minors if you are contacted about it, you are in the clear.

    Lastly, in order to be bound by terms of GDPR you need to legal person. This forum is exempt from GDPR because its ran by me, and I am natural person.

    Now, to address feature request: I understand the importance of the matter and will implement features for automating GDPR compliance in Misago 0.19: automatic personal data export and defining explicit consents. I'm not sure if it will happen before May 25, we may have to delay automatic data export for after that and just do quick release with explicit consents earlier, because thats more important for people wanting to run ads on their sites.

  • Members 50 posts
    May 22, 2018, 8:30 a.m.

    Thanks for the detailed answer. Even though you are right, I still have to be on the safe side and make sure my users have read and understand the privacy policy.
    I'll look forward to Misago 0.19 or 0.18 :-)

    Best regards