Your Discourse forum and the GDPR

1. Introduction

GDPR can be summed up in this one sentence – ask permission, respect the privacy of your users, value and protect their data.

This article tries to explain to you what you need to do in order to make sure that your Discourse forum is GDPR compliant by May 25, 2018, and guides you through the steps you will need to take.

40706157922_a170e92cb7_m

First of all, some definitions.

Personal data is any “information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art 4.1).

Data processing in the context of this article equals to “running your forum”. After all, your forum is storing, retrieving, showing and e-mailing data from and about your users (Art 4.2).

Your users are not just the people that signed up to your forum, it’s everybody that is using your forum, so that includes people without an account that just come and who are browsing it.

Disclaimer: this article is for informational purposes only and should not be considered legal advice on any subject matter.

2. What you can, cannot and should do

2.1 Know your reasons for lawful processing

In order to legitimately process your users data you should be transparent to your users what data you are collecting and what you are using it for. You should limit the data that you are collecting and storing to the absolute minimum. It goes without saying that you are not allowed to use the data that you have collected about your users for any other purposes than you have told them.

In order to lawfully process personal data you must meet one of the following conditions:
GDPR names six different criteria (Art 6) but only these three will probably apply to you running your forum.

1. processing is necessary for the performance of a contract to which the data subject is party
This is the main reason for processing that you’re going to be using. When someone signs up for your forum, they can expect that you will be needing their name, e-mail address and a password. It will also be clear that you will be keeping records about what posts they have read and what messages they send to each other.

You do not need explicit permission in this case. Informing your users about what you are doing is sufficient. We’ll get back to this later.

You could even argue that sending e-mails is an integral part of the Discourse experience so you would not need explicit permission for that either.
If you do not agree with that point of view, then you need to change the following settings:

  • set Admin – Settings – User Preferences – default email digest frequency to 'never',
  • disable Admin – Settings – User Preferences – default email private messages,
  • disable Admin – Settings – User Preferences – default email direct

2. processing is necessary for the purposes of the legitimate interests pursued by the controller
This condition is being used in order to make sure that you are still able to perform certain activities that are in your own interest. Examples are logging in order to maintain network and computer security, or collecting information in order to perform fraud prevention or detection.
You must make sure that you are only storing data for a reasonable time. You can argue that you will keep IP addresses around for a day or five but convincing someone that 50-day old logs are still needed to prevent DoS attacks will be pretty hard.

3. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
For any kind of processing that does not fall into one of the two categories above, you will need to ask your users if they OK with it. If you use the data for any purpose that is not absolutely required in order to sign up for Discourse you should get explicit permission. GDPR calls this consent and we’re going to revisit that later as well. This condition does allow you to ask your users if they will allow you to gather and process certain kinds of data.

2.2 Know what data you are processing and why

Of course not everybody is processing and storing the same data about users or visitors. We’ll assume a regular Discourse instance and make an inventory of what kind of data is being processed and what the lawful basis for this is.

For visitors, regardless whether they have an account, browsing a Discourse forum, the following data is being collected:

  • Pages visited
  • IP address
  • Incoming and outgoing links
  • Reading times per post
  • User profiles viewed

If they have an account then there is some additional data being collected,

  • Likes given and flags being requested
  • Registration IP address

All this data is being processed in the legitimate interests of optimizing the forum, keeping statistics about what is popular and how people are using the forum, and keeping the forum free of bugs and attacks (like DoS or hackers). Most of this data is kept for a limited period of time (up to a few weeks) and then only kept in aggregated form (where any identifiable data has been removed).

When someone decides to sign up for a forum they provide their username, full name (optionally) and their e-mail address. This data is being processed in order to perform the “contract” between the user and the forum owner.

2.3 Honor the rights of your users

The GDPR provides the following rights for individuals:

  • The right to be informed about what data you are collecting about your users and how you are using that;
  • The right of access where users can request to get a copy of all personal data you have collected on them;
  • The right to rectification where users can demand to have inaccurate personal data rectified, or completed if it is incomplete;
  • The right to erasure where users can demand to have personal data erased (also known as ‘the right to be forgotten’);
  • The right to restrict processing where an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data;
  • The right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different services;
  • The right to object to the processing of their personal data;
  • Rights in relation to automated decision making and profiling.

3. Implementing GDPR processes in Discourse

3.1 Get your Privacy notice and Terms of Service right

The first thing you should do is review and adjust your privacy notice and Terms of Service (ToS). This should cover the right to be informed, as well as provide guidance to your users on how to exercise their rights related to the GDPR.

The defaults that come with Discourse are made by someone else. That means that they will never reflect the way you are dealing with your users data, so you should adapt them so they will suit your situation and needs. In order to edit your ToS and Privacy Policy, log in as an admin user and head over to /tos and /privacy on your forum and use the Edit button to modify them.

You can find some tips for your Terms of Service here.

Make sure that your Privacy Policy clearly describes all distinct kinds of processing that you are going to perform. If you have different kinds of processing that you should be getting consent for, put their description in separate chapters, so you can refer to them separately in the signup screen. We will discuss that below.

As a hosting provider, we collect IP addresses for the purpose of the legitimate interest of protecting your forum and our infrastructure from attacks and spam. Your forum does the same thing in your legitimate interest. You should make sure that you mention this in your Privacy Policy.

The Privacy Policy on meta.discourse.org might be a good starting point for your own privacy policy.

3.2 Asking for consent

Asking for consent means that you have to ask permission from your users to handle their data. You should tell them exactly what you are going to do with the data you are collecting and you should not be doing anything else with it. That means that if you for example export the e-mail addresses of your forum users and feed them into Mailchimp so you can send them updates about your company, you should tell them in advance and ask them permission to do so.

First of all, let’s get a big misunderstanding out of the way: you do not need to ask for consent for the processing of data for the performance of the contract (i.e. for letting them participate on the forum you will need to collect and process their name, e-mail address and such) and the data you are collecting for a legitimate interest. You only need to inform your users. It is sufficient to have a link to the privacy policy and the terms of service in your sign-up screen. If you really want to, you could add a mandatory check box with a text ‘I have read and understand the privacy policy’. The check boxes you add for asking consent may not be mandatory though!

So what does the GDPR say about giving consent? In Recital 32 it states:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement

Ok – what does this all mean?

A clear affirmative act means that the user should explicitly agree, they should take some kind of action and they should not be thinking they are agreeing to something else. So there cannot be a pre-checked checkbox. You have to leave it empty and the user has to check it.

Consent should be freely given so if a user does not agree with extra processing like the Mailchimp example described above, then you cannot forbid them to create a forum account. You can only require things that are absolutely necessary for you in order to run the forum (i.e. a user cannot refuse permission to store their email address, since your forum needs that in order to be able to distinguish between different users). So you cannot require those checkboxes to be checked before granting access to your forum to someone.

Specific is explained in another paragraph of Recital 32: Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.. So the purpose must be leading here, and for different purposes you should ask consent specifically and separately. So no more we will store your email address because we need it to run this forum service for you and we will also sell it to others. Those should be two separate questions.

Informed and unambiguous means that you have to actually tell people what you are going to do. So no more Yes, I want to receive interesting offers from selected partners but I understand that and agree to the fact that you are going to sell my name and e-mail address, together with information about my age, gender and area I’m living in, to anyone who will pay enough, so they can send you all kinds of e-mails and even resell your data to other companies that are going to do the same.

The best way to do this is to create custom User Fields and require them upon signup.

  • Go to Admin – Customize – User fields
  • Add a field
    • Field type: confirmation
    • Field name: Data processing
    • Field description: I understand that this forum will use my name and e-mail address in order to send me emails as described <a href=”/tos#3″ target=”_blank”>here</a>
    • Editable after signup

Have the number in the ToS-link point to the correct chapter of your privacy policy. If you have multiple kinds of data processing, you need to configure separate fields: the requirement to be ‘specific’.

Remember the ‘freely given’ part of the law: when a certain kind of processing is not required for the correct workings of the forum (for instance if you use the e-mail addresses to send them a newsletter about your products), you may not require them at signup, and you must check ‘Editable after signup’ so your users will be able to revoke consent.

Since there is not much room for the labels, you could make them a bit wider by adding some CSS in the Admin – Customize – Themes section of your forum:

.create-account table td.label, .create-account .user-fields .control-label {
   width: 130px;
}

3.3 Getting an overview of who consented

In order to see which users consented to the extra data processing you can use a Data Explorer query:

SELECT u.username, uf.name, ucf.value, ucf.updated_at
  FROM users u
  LEFT JOIN user_custom_fields ucf ON u.id = ucf.user_id
  LEFT JOIN user_fields uf ON ucf.name = concat('user_field_', uf.id) AND uf.name='Name of your custom field' ;

Make sure that you only perform the extra processing for the users that gave their consent!

3.4 Implement the Right to Erasure

Article 17 of the GDPR is about the Right to Erasure.

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay

That means that a user can request to delete their personal data. Luckily this means that you do not have to actually delete the user, or the posts they have made. That would have a serious impact on your forum.

Instead of deleting the user, you can anonymize them: you will be decoupling and removing their personal details like e-mail address and full name, but their user will be intact. It will act as a placeholder for all their posts and there is a unique number at the end of their name so you will not be getting confused when you’re reading a topic that contains multiple anonymized users.

You can find the anonymize button on the bottom of the user profile page in the Discourse Admin panel.

anonymize

It will ask you again and then it will throw away all identifying data.

anon_popup

After anonymization, the user profile looks like this:

anon_profile

And posts made by this user will look like this:

anon_post

Wait. Posts? Yes, the “Right to Erasure” does not apply to posts made by users on your forum. When your users join your forum they accept the Terms of Service, and the ToS indicate that they will grant you a license to all the content they publish on your forum. And GDPR article 17.3 says that the right to Erasure shall not apply to the extent that processing is necessary for exercising the right of freedom of expression and information.

Of course it is possible that the user has included some identifiable information in their posts and in that case it is a good idea to remove that specific information on a case-by-case basis.

A user cannot anonymize itself so you should set up a clear process in your Privacy Policy stating how this can be requested. You could ask users to PM an admin but you could also set up an e-mail address for this. Authentication is important here, so if you allow people to request erasure via e-mail, make sure to e-mail back and forth in order to make sure that you are not dealing with a forged sender, and also verify that the user you’re anonymizing has the same e-mail address. Keep all PM’s and e-mails because GDPR states that you will need to document everything with respect to this process.

Important: Make sure that you have disabled the setting Admin – Settings – Legal – log anonymizer details. If you leave it to the default checked state then some of the user’s details will be kept in the log after being anonymized.

3.4.1 Automating anonymization

You might want to automate the anonymization process, for instance when your forum is only part of your business.

First, get the user information by username:

GET https://forum.yourhostname.com/users/username.json

or by email address (note that if you search for jsmith@domain.com this API call will also return ajsmith@domain.com so make sure to loop through the results and find the user with the exact email address):

GET https://forum.yourhostname.com/admin/users/list/active.json?api_key=APIKEY&filter=emailaddress

When you have found the user you want to anonymize, just parse the JSON structure to get the user id and make the following call:

PUT https://forum.yourhostname.com/admin/users/UserID/anonymize.json?api_key=APIKEY

3.5 Implement the Right of Access / Right of Data Portability

We have installed the Discourse Legal Tools Plugin on all forums and enabled it by default. That means that the “Download All” button on the Activity tab of your users User Profile Page will include all personal data that the forum has collected about them.

3.6 Implement the Right to Rectification

Most personal information that is being collected by the forum can be rectified by the user themself. However, it would not hurt to mention this right in the Privacy Policy and inform your users that they can always reach out to you in case they are not able to rectify their information.

3.7 Implement the Rights to Restrict Processing and Object to Processing

If you have some processing that requires extra consent then the user should always have the opportunity to withdraw that consent. That means that the User Profile Fields that you implemented in 3.2 must be editable after signup.

If the user wants you to restrict processing of the data that you need to use in order to let them participate on the forum, then you need to explain to them that this means that they will need to exercise their right to Erasure instead and they will not be able to be participate on the forum any more. It would be good to put this in your Privacy Policy.

Note that if you extract information from Discourse using the Data Explorer or the API then you will need to check if they happened to withdraw consent every single time.

3.8 Inform your users about automated decision making

Discourse has some mechanisms in order to make automated decisions about your users based on their behaviour on the forum. You should inform your users about this in your Privacy Policy.

This is explained very well in the Privacy Policy on meta.discourse.org:

the forum may use data about your posts and activity to award you badges and calculate a trust level for your account. Your trust level may affect how you can participate in the forum, such as whether you can upload images, as well as give you access to moderation and management powers in the forum. Your trust level therefore reflects forum administrators’ confidence in you, and their willingness to delegate community management functions, like moderation.

If you think your trust level has been set incorrectly, contact an administrator of your forum. They can manually adjust the trust level of your account.

If people object to the automated decision making, you can offer them to manually lock their trust level and do manual upgrade reviews upon request.