At the end of May a new law (wikipedia) comes into full effect that applies to any website that stores data of EU citizens. It brings a lot of new rules and with it come serious legal sanctions.
The intent of the law is good and as a consumer of online services I welcome it. But as a guy who runs a hobbyist online forum it gives me headaches.

The principles of the GDPR are sound as far as I know them and we've actually been fulfilling many of its requirements long ahead of time:
- We only require as much information from users as is necessary to run this site.
- We automatically delete personally identifiable information that is not required anymore (after a year: inactive accounts, IPs of posts).
- We don't sell or otherwise give away such information to anyone.
 
But we will probably still need to make some changes. For example we may have to explain in our TOS for which purposes we need this data and how long we keep it.

I'll try to go through (some of) the questions and possible solutions in an open and transparent way here.
And you are welcome to ask questions or help clearing them up.

Scope of GDPR
By its intent GDPR is apparently aimed at companies [link] but the scope is phrased in such a way that it only excludes purely personal/family homepages ("a natural person in the course of a purely personal or household activity" [link]). For now I have to assume that GDPR may apply to this website.

Consent
We will be required to prove that the user has given consent to the processing of their data. This may mean a blocking banner/popup for first time users that links to the Terms of Service. Also in case of changes to the TOS we will have to keep records of older versions including their valid duration dates.

...to be continued...
Acknowledged by: dertseha
There are legitimate interest reasons for the very limited collection and processing of information you hold on this site. Emails allow users to be contacted to reset passwords, IPs allow spam control. Being clear about what information is held and what it is used for and the security of the information is important and it's great to see you considering the implications.

(Obligatory IANAL)
@Al_B Yes, it's great. And a lot of work. :)
On that note: Could you please check if it's possible to prevent IP logging on the server, while still allowing IP processing (banning) in htaccess?

Also a note: If this law affects Systemshock.org, then by my understanding it legally affects TTLG as well, even though their server and owner are in the USA.
The law's scope is any service that addresses and processes data of EU citizens, regardless of the owner's/operator's home country.
Whether that would have to bother a private forum owner in the US is another question, but I thought I'd mention it.
Acknowledged by: Al_B
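The question above about keeping IP-based banning while not storing visitor addresses, as an added Apache 2.4 configuration example that is not from the original thread or from the site's own setup; the log paths, format names and the IP ranges are assumptions (the ranges are documentation/constructed values):

```apache
# --- httpd.conf / vhost context (assumed paths) ---

# The stock "common" format records the client address via %h:
#   LogFormat "%h %l %u %t \"%r\" %>s %b" common
#   CustomLog /var/log/apache2/access.log common
#
# Replacement format without %h (also leave out %a and, behind a reverse
# proxy, %{X-Forwarded-For}i), so the access log never stores a visitor IP.
LogFormat "%t \"%r\" %>s %b" noip
CustomLog /var/log/apache2/access.log noip

# The error log carries the client address too: the default ErrorLogFormat
# includes "[client %a]", which is written e.g. when a banned address is
# rejected. This format drops %a as well.
ErrorLogFormat "[%t] [%-m:%l] [pid %P] %M"

# --- .htaccess in the forum directory ---
# Requires mod_authz_host and AllowOverride AuthConfig for that directory.
# Banning keeps working because the decision is made on the live request,
# not on anything stored in the logs. "Require not" must sit inside
# RequireAll (or RequireNone); it is not allowed on its own.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
    Require not ip 198.51.100.7
</RequireAll>
```

This only covers Apache's own log files; the IPs the forum software stores with posts (mentioned above as deleted after a year) live in its database and are a separate matter.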
I'm considering disabling guest posting in May. At least as a temporary measure until a better solution can be found.
While it would be a shame, it would also solve the problem of necessary user agreement and information about their data and rights.
If only registered users can post, then only their data is processed. During registration they have to agree to the TOS in which everything else can be defined. It would then be easy for me to prove that the user has agreed to it. And it would prevent a huge blocking banner.
The Discord chat widget in the sidebar is now behind a user setting that is off by default. I did this mainly because it loads the widget script from discordapp.com and sets a cookie for them, which might be a potential tracking issue.
Acknowledged by: JML
Contact SMF 2.0.19 | SMF © 2016, Simple Machines | Terms and Policies