Compliance with GDPR

Looking for an Extension? Have an Extension request? Post your request here for help. (Note: This forum is community supported; while there is an Extensions Development Team, said team does not dedicate itself to handling requests in this forum)
Get Involved
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Compliance with GDPR

Post by tojag »

Hello
Referring to this viewtopic.php?f=64&t=2419821&start=30.
An extension is needed, which, like COPPA for the US, will make phpbb-based forums comply with EU law.
I'd like to see it in the core, but the extension for EU users will be ok too.

GDPR says:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

In my opinion, we need:
1. Additional box of consent for the collection and processing of data for the purposes of the forum's functionality accordance to forum regulations. This is to be the field required for registration. It should contains short descpription about forum regulations with link to full text of Regulation. Currently I have it done as an additional custom field. But this is not technically perfect. This field can be implemented on current register info form. Now this form contains agree and don't agree buttons but this seems not comform whit GDPR regulations.
2. Additional field of consent for sending marketing informations from forum.
3. Additional field of consent for sending marketing informations by biznes partners of forum.

Every one of this consent should have description modificable by forum owner with possibility placing links to full text of particular regulations.

This consents schould be visible in UCP. User can change 2 & 3 but can't change 1 because it means to delete account.

Forum owner and/or marketing extensions should respect this marketing consents for sending emails to users.

Optional:
Additional field of consent for sending not marketnig emails from forum. If user check YES, this turns on notifications and contact by email. Or communication & notify setting can be displayed in order to presetting by user durning registration with default setting NO.

All of this would be meet the requirements of GDPR with an informed choice of individual data processing goals.

Currently I have done position 1 as an additional custom field. But this is not technically perfect.
User avatar
Scanialady
Registered User
Posts: 432
Joined: Thu Jan 17, 2013 7:09 pm
Location: Germany
Name: Annette

Re: Compliance with GDPR

Post by Scanialady »

I agree.

And I would wish to add information about the used cookies and why and for what they are used. (data collection) Basically they are the same in every phpBB installation, we should be able to add more info for additionial extension cookies.

We should be able to force all existing users to agree again after installation, update or changes on this extension :D

And what about the copy of existing data that a user can request. We need a way to provide it. (get all users profile info, postings and so on and put it in an export)
My 2 cents: Whether an extension is in the CDB says nothing about its quality. It is more important to read the support topics for it. Better to avoid authors who do not answer support questions themselves, who do not update their stuff, and who do not fix bugs for years.
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Compliance with GDPR

Post by tojag »

Cookies are based on a different EU directive and information about them must be displayed even if someone only browses the site without registration. Saving cookies depends on the browser settings, so consent will not affect whether you save cookies or not, because the browser will do whatever it wants - allows or not.
Scanialady wrote: Tue Mar 13, 2018 12:20 pm Basically they are the same in every phpBB installation
No. The same are just an email and nickname because these are required by phpBB, but the owner / admin can collect other data - I use additional fields in the profile and this is personal data. Everyone can gather there what he wants, for example, date of birth, surname, illness.

Export data...
According to GDPR, we can use, for example, a csv file to export data. The profile data should be exported. However, in GDPR it is about personal data and here I still have a doubt raised by many people - whether posts are personal data? (Because posts are published). If so, then you would need to export them. Then it is necessary to delete them along with deleting the account. (This does not present any technical difficulties).
Scanialady wrote: Tue Mar 13, 2018 12:20 pm We should be able to force all existing users to agree again after installation, update or changes on this extension :D
No, if the information about consents is stored in the database, the technical solution of the extension does not matter.
What matters is the change of Regulations. If you change the terms and privacy policy, user should find out about it and approve at the next visit or delete your account.

At the beginning any solution requiring user's consent to collect and process data and save this consent will be ok.
As I wrote, currently I have it done as an additional field of profile but it is not a good solution.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26870
Joined: Fri Aug 29, 2008 9:49 am

Re: Compliance with GDPR

Post by Mick »

As far as I’m aware phpBB is compatible with the cookie laws, session cookies don’t count.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Compliance with GDPR

Post by david63 »

David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Compliance with GDPR

Post by tojag »

David, you're doing a great job. I admire you. I hope that your extension will be able to fully meet GDPR requirements.
Meanwhile... the solution that I use now is a bit problematic, because I can not insert the active link in the description of additional fields.
This is what it looks like at present: Links in custom profile fields descriptions
I have analyzed many websites of major institutions, eg banks, offices - they have it done in a similar way. So the check box or combo box with a description of the agreement and an active link to the document to which consent applies. Perhaps this is the way the GDPR problem should be solved in this way? It is necessary to place active links in field descriptions.
To this end, I asked for an extension here viewtopic.php?f=496&t=2465066
Regards
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Compliance with GDPR

Post by tojag »

I just received this:
Google wrote:Dear Partner,
Over the past year we've shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA).
Today we are sharing more about our preparations for the GDPR, including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.
Updated EU User Consent Policy
Google's EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users of your sites and apps in the EEA. The policy is incorporated into the contracts for most Google ads and measurement products globally.
Contract changes
We have been rolling out updates to our contractual terms for many products since last August, reflecting Google's status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.
In the cases of DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob, and AdSense, Google and its customers operate as independent controllers of personal data that is handled in these services. These new terms provide clarity over our respective responsibilities when handling that data and give both you and Google protections around that controller status. We are committing through these terms to comply with our obligations under GDPR when we use any personal data in connection with these services, and the terms require you to make the same commitment.

* Shortly, we will introduce controller-controller terms for DFP and AdX for customers who have online terms.
* By May 25, 2018 we will also introduce new terms for AdSense and AdMob for customers who have online terms.

If you use Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, whether the free or paid versions, Google operates as a processor of personal data that is handled in the service. Data processing terms for these products are already available for your acceptance (Admin → Account Settings pages). If you are an EEA client of Google Analytics, data processing will be included in your terms shortly. GA customers based outside the EEA and all GA 360 customers may accept the terms from within GA.
Product changes
To comply, and support your compliance with GDPR, we are:

Launching a solution to support publishers that want to show only non-personalized ads.
Launching new controls for DFP/AdX programmatic transactions, AdSense for Content, AdSense for Games, and AdMob to allow you to control which third parties measure and serve ads for EEA users on your sites and apps. We'll send you more information about these tools in the coming weeks.
Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
Launching new controls for Google Analytics customers to manage the retention and deletion of their data.
Exploring consent solutions for publishers, including working with industry groups like IAB Europe.

Find out more
You can refer to privacy.google.com/businesses to learn more about Google's data privacy policies and approach, as well as view our data processing terms and data controller terms.
If you have any questions about this update, please don't hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.
Thanks,
The Google Team
and it follow to this
Google wrote: EU user consent policy

Please note: The text on this page will replace the existing EU User Consent Policy on May 25, 2018.

If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.
Properties under your control

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

* the use of cookies or other local storage where legally required; and
* the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:

* retain records of consent given by end users; and
* provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.
Properties under a third party's control

If personal data of end users of a third party property is shared with Google due to your use of, or integration with, a Google product, then you must use commercially reasonable efforts to ensure the operator of the third party property complies with the above duties. A third party property is a site, app or other property that is not under your, your affiliate's or your client's control and whose operator is not already using a Google product that incorporates this policy.
And I think maybe we will need more changes or improvements in phpBB to be able to display ads.
Surely we will have to add something in the privacy policy and maybe get further consents to profiling the user of the site. I do not know it yet, but it does not sound happy.
I am waiting for what they will come up with. :evil: :evil: :evil:
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Compliance with GDPR

Post by david63 »

tojag wrote: Fri Mar 23, 2018 1:21 pm And I think maybe we will need more changes or improvements in phpBB to be able to display ads.
Vanilla phpBB does not have any mechanism to display ads - they are either by an extension or custom coding and totally at the discretion of the board owner, therefore it is the board owner's responsibility to comply with any law appertaining in their country.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Compliance with GDPR

Post by tojag »

Of course, but most sites on phpBB, however, display ads. Otherwise, there would be no financing of the activity. So it's important for everyone who displays ads of third-party entities like Google. This includes not only ads but also analytics like Google Analitycs.
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Compliance with GDPR

Post by david63 »

tojag wrote: Fri Mar 23, 2018 2:25 pm most sites on phpBB, however, display ads
Are you sure about that? There are many (possibly the majority) that don't.
tojag wrote: Fri Mar 23, 2018 2:25 pm So it's important for everyone who displays ads of third-party entities like Google. This includes not only ads but also analytics like Google Analitycs.
Not everybody - only those where the law in their country require it.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Compliance with GDPR

Post by tojag »

Ok. Thanks for clarifying :)
jellobaby
Registered User
Posts: 13
Joined: Wed Apr 25, 2018 1:11 pm

Re: Compliance with GDPR

Post by jellobaby »

The date is getting v close now. Anyone working on an extension for gathering the relevant permissions? (And ideally one that uses IP addresses to determine if someone is in the EU so it doesn't limit non-EU members registering.)
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Compliance with GDPR

Post by david63 »

jellobaby wrote: Wed Apr 25, 2018 1:17 pm Anyone working on an extension for gathering the relevant permissions?
Yes - me
jellobaby wrote: Wed Apr 25, 2018 1:17 pm deally one that uses IP addresses to determine if someone is in the EU
Not possible - IP addresses are not accurate plus there is the problem of using a proxy - all IP addresses can be masked.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
dr.house
Registered User
Posts: 17
Joined: Mon Jun 05, 2017 6:46 pm

Re: Compliance with GDPR

Post by dr.house »

hi David,
I am also a member of the EU member states (Italy) and use google adsense.To date the law is not clear, each site explains the gdpr differently. :?
You who wrote a excellent extension,do you think you can integrate it with this damn gdpr? :oops:
The month of May is approaching and we do not know what to do.
Best regards and thank you. ;)

p.s. sorry for my bad english written.
User avatar
martti
Registered User
Posts: 914
Joined: Thu Jul 31, 2014 8:23 am
Location: Belgium

Re: Compliance with GDPR

Post by martti »

tojag wrote: Sun Mar 11, 2018 12:04 pm ...
In my opinion, we need:
1. Additional box of consent for the collection and processing of data for the purposes of the forum's functionality accordance to forum regulations. This is to be the field required for registration. It should contains short descpription about forum regulations with link to full text of Regulation. Currently I have it done as an additional custom field. But this is not technically perfect. This field can be implemented on current register info form. Now this form contains agree and don't agree buttons but this seems not comform whit GDPR regulations.
2. Additional field of consent for sending marketing informations from forum.
3. Additional field of consent for sending marketing informations by biznes partners of forum.
...
  1. No. Registering to a board is already a clear act of confirmative consent itself.
  2. Certainly yes
  3. Certainly yes.
The EU is right.

Return to “Extension Requests”