GDPR and a Public Forum

Alfa-Man

Free Member
Apr 29, 2018
7
0
Apologies if something along these lines has been posted before.

Basic background. We are an online Forum that has approx 99K global members. Our Forum is online to provide support for open-source software that we provide along with some other sections for general chat about electronics, media players etc...

We rely on a sole sponsor to cover all our running costs.

All members that sign up to our forum have always had to agree to marketing emails from our sponsor upon signing up, there's actually three steps involved that clearly state what they are agreeing to. Members are allowed and can easily unsubscribe from the emails at any time after they've joined the forum.

All emails have clear unsubscribe links.

Approx 1-2 marketing emails for our sponsor are sent weekly, although some weeks no emails are sent out.

1) The Forum does not actually sell goods or services.
2) Threads and posts wouldn't be considered "personal data" under this regulation unless they specifically contained publicly accessible personal identifying information. Real Name, Physical Address, Telephone Number(s), E-mail address(es), IP Addresses, Credit Card or Banking Information, etc.

We do not disclose any personal identifiable information to our sponsor or anyone.

Basically we want to carry on sending the marketing emails as per our Forum signup rules.

We're confused if we're actually or legally obliged to make any changes. Without the sponsor the Forum would not remain online. Running costs are too high.
 

twaen

Free Member
Apr 27, 2018
35
1
Email addresses are PII in most cases. You also send marketing emails which is a business activity. You definitely fall in GDPR area. You're not a personal blog posting about preferred music.

As per GDPR, you need to re-subscribe your list and delete those who do not re-subscribe.

GDPR-compliant lists must also be built by full opt-in consent, without pre-checked "I agree" options.
 

Alfa-Man

Free Member
Apr 29, 2018
7
0
It's an online public Forum. vBulletin has no way to make members re-join/sign up or re-accept rules. We're not about to delete over 99K of members. If we stop our marketing emails we might as well close it all down as we have no other way of paying for all the servers needed.

Imo these emails come under 'legitimate interest to our members' as they've been agreed to by members in order to join our Forum. If they don't agree to them, simple they shouldn't have signed up to the forum in the first place or they should have un-subscribed themselves if they didn't want the emails.

This email list started from 2010.

Could we send an email adjusting the forum joining rules stating that by joining they'd be waiving their GDPR rights? Then send an email out to all existing members clearly stating the changes. Giving them the choice of unsubscribing themselves or requesting their forum account deleted if they no longer require the forum account.

We would also state the failure to do any of the above by a certain date would be an acceptance of the waiver.
 

twaen

Free Member
Apr 27, 2018
35
1
I'm afraid my answer still stands. Ask the lawyers in legal / GDPR forums or a consultant. They will tell you the same - you need to resubscribe. This has been discussed countless times already.

You might be looking to bypass the law, you can do that at your own risk and take the risk. There is no way to be compliant and still keep that list.

Look for technical ways to do it. Maybe a vBulletin plugin or add-on or something. There must be one for GDPR, or someone should be building one right now as it is definitely needed.

About waiving the GDPR rights... just ask a lawyer about what you're doing. (bad choice). GDPR is clear - consent must be given granular, not pre-checked, and you need to give them:

1) Clear information about what data is stored exactly (emails, names, usernames whatever ) - even usernames are PII as they can be used to identify a person in a given context

2) Clear information about what the information is going to be used for

3) Let them know how long the data is stored for (retention period). It should not be indefinitely. A re-subscribe action is probably recommended after certain time (2 years for example)

The GDPR has certain principles, like transparency, data minimization, and data retention. There are also others that apply.

I'm afraid there is no way to circumvent the law, but either become compliant or take the risk and NOT worry about it (I do not recommend that), or close the whole thing. The only sane option is to become compliant. Your case is actually a simple one - just find some technical ways to implement that and ask them to re-confirm into the list.
 

Alfa-Man

Free Member
Apr 29, 2018
7
0
Sorry but I don't agree with your last post. I see that as scaremongering.

Forums would keep members' data indefinitely, that's what forum posts are for. Members' IPs, emails, posts, usernames are kept indefinitely, that's how forums are.

What is the forum going to do here then? Delete all members and ask them to re-subscribe every year, two years or whatever.
 

twaen

Free Member
Apr 27, 2018
35
1
Forums DID keep members' data indefinitely. But the tide is about to change; GDPR has huge implications and it ripples across the world. It is no longer the Wild Wild West of the Internet where everybody could store whatever data and share it with whoever they want etc. All these aspects are now being regulated.

The GDPR introduces new principles, and data retention is very important under the law. The updated ePrivacy will hopefully add specific recommendations as to how to implement such things. Nevertheless, the principle is clear.

You need to store the data for as long as it is needed, that's what the law asks of businesses (emphasis: needed). There is no such word in the GDPR as "indefinitely".

Furthermore, if you are holding email lists for many years and not cleaning them, you're working with stale lists and that isn't good either. That's why a refresh is probably needed every few years, and in the process you also comply with GDPR. So this is also for your own benefit. You're also not pissing off users who are no longer interested in being in your list anymore.

Not trying to scaremonger you, but rather gave you some very specific tips on how to implement compliance. I'm sorry if you do not appreciate it. It seems you are taking it the wrong way, therefore I will not comment further.
 

twaen

Free Member
Apr 27, 2018
35
1
Changed mind, here's just one more comment (on the positive side this time):

I still stand by the above posted and highly recommend you consult a lawyer who deals with GDPR. Taking this aside,

Let's see the more practical approach in your case, taking your business size into account too.

The chance of you getting fined for this anytime soon is still very small. You don't need to panic now; rather to get informed and get going. Take time and implement measures one after another. I would start with a proper, revised opt-in and a proper Privacy Policy and Terms. Also with using an encrypted-at-rest database to hold that data.

Then, implement the list cleanup and list re-subscribe. Do it at your possible pace, I would say as soon as possible but not necessarily tonight. Take time to think it. I would personally do it before 25 May; but again chances are that nobody is going to come after you any time soon. There are millions of forums and government agencies will get after the big firms first. Even if you get reported, they have much bigger fish to catch right now.

Then - if you are taking steps in the right direction, even if you are not ready yet, chances are nobody will fine you. Take steps and continue.

But yes, in the long term, you will probably need to get compliant anyway. It's a change in how the things are done in the world and it's here to stay.

Good luck!
 

twaen

Free Member
Apr 27, 2018
35
1
There's forums out there that don't send out marketing emails and not affiliated to any business, surely they would be out of any kind of GDPR compliance?

It depends. They do hold PII (email addresses, names), therefore I guess the only question is if they can be classed as businesses or not.

If they earn money through the forum, even if indirectly, then yes that is a business not a hobby, and then the GDPR would apply.
 

twaen

Free Member
Apr 27, 2018
35
1
No out of the box forum software supports regularly deleting members forcing them to re-join after a period of time.

This is true, but again you can likely get a plugin for such purposes. And if one is not already made, you can hire a developer to write one for you.

In the end it's up to the forum owner to decide how they want to be compliant, the depth of compliance - and based on the advice received from their lawyer.
 

Taxman99

Free Member
May 13, 2018
1
0
Sorry for jumping in on your thread but this is the exact kind of thing I need a little bit of advice on. I find myself on the opposite side of the table to this discussion as I am one of those users who wishes to be removed from a forum. I am a former admin / moderator on a UK-based tech forum with over 33,000 posts and I wish to have my account fully removed from their system but upon reading their newest privacy policy this leaves me a little confused. From what I understand they basically say I can self delete my account but that all posts will still remain publicly and even my username will remain. I know it's early days as far as the GDPR but is this legal on their part?
 

twaen

Free Member
Apr 27, 2018
35
1
is this legal on their part ?.

Should they not comply with your request, you also have the legal path to consider on your end.

I guess you probably have important reasons for wanting to be removed. Besides, it is law.

Businesses often forget that it's not just fines coming their way. GDPR opens an entirely new pathway for civil suits and class actions when the impact is widespread.
 