Before addressing actuall feature request directly, I would like to take a minute to clear up some misconceptions:
GDPR states that entity bound by its terms requires explicit consent from user in order to lawfully process user's data in following manner:
- transfer it to other entity or outside of GDPR jurisdiction (like adserver)
- using their personal data for profiling (forum doesn't do that)
- processing sensitive data (eg. sexual orientation, ethnic background or religion)
GDPR also introduces two additional conditions here:
- withdrawal must be possible at any time
- withdrawal should not result in termination of service
The intention behind those conditions is to let user decide "I don't want you to send my data to US" as well as avoid being profiled during business process (eg. UK bank finding out from your surname that you are Polish immigrant and offering you worse deal in return). Also, those two conditions don't make sense in context of registering account on internet forum per se, unless your "product" is option to have an account on your site. Registration on internet forum falls under the implicit consent part of GDPR where user agrees to share their non-sensitive data with you to meet basic requirements of the service: email, username, ip address.
Registration becomes explicit consent when your site allows registration from minors, because GDPR considers all personal data as sensitive if it belongs to minor. But if your terms of service require users to be of age 16 and up and you will delete personal data of minors if you are contacted about it, you are in the clear.
Lastly, in order to be bound by terms of GDPR you need to legal person. This forum is exempt from GDPR because its ran by me, and I am natural person.
Now, to address feature request: I understand the importance of the matter and will implement features for automating GDPR compliance in Misago 0.19: automatic personal data export and defining explicit consents. I'm not sure if it will happen before May 25, we may have to delay automatic data export for after that and just do quick release with explicit consents earlier, because thats more important for people wanting to run ads on their sites.