
GDPR: force users to accept new privacy policy

Open maxxer opened this issue 6 years ago • 7 comments

Implement some way to force users who haven't accepted the privacy policy yet to do so.

Consider the case when you add GDPR support to an existing site, and you want existing users to see and accept the document.

maxxer avatar Jul 13 '18 07:07 maxxer

from #187

An additional great feature would be to force users who haven't accepted the privacy policy yet to do so. Consider the case when you add GDPR support to an existing site, and you want existing users to see and accept the document.

I would like to discuss how we should do this.

There are many options

  1. Add a flash on the app until the user gives consent
  2. Prevent access to any action and redirect to consent page.

Eseperio avatar Jul 13 '18 09:07 Eseperio

We could add a config param for the two options, but I'd rather go only with the second. If we have to record when the user has done so, and we need to take it asap, we must face the user with the policy and accept it

maxxer avatar Jul 13 '18 10:07 maxxer

According to the law, it must be ASAP, and a site cannot operate until consent is given. So the second option seems to be the winner.

Eseperio avatar Jul 13 '18 11:07 Eseperio
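The second option discussed above (block every action and redirect to the consent page) can be sketched as a small fail-closed gate. This is an added example, not code from yii2-usuario or from the participants; the route names and the `consent_at` field are hypothetical, and the gate is written as plain PHP so it can be called from whatever pre-action hook the application uses.

```php
<?php
declare(strict_types=1);

// Hypothetical route names (assumptions, not the module's own). The consent
// page and logout must stay reachable, or the redirect below loops forever.
const CONSENT_ROUTE = 'user/gdpr/consent';
const ALWAYS_ALLOWED = [CONSENT_ROUTE, 'user/security/logout'];

/**
 * Decide what to do with a request before its action runs.
 * $user is null for guests, otherwise ['id' => int, 'consent_at' => ?int].
 * Returns null to let the request through, or the route to redirect to.
 */
function consentGate(?array $user, string $route): ?string
{
    if ($user === null) {
        return null; // guests: the normal login rules apply, nothing to gate
    }
    if (in_array($route, ALWAYS_ALLOWED, true)) {
        return null; // exact match only, so similar-looking routes stay gated
    }
    // Fail closed: a missing, null or zero timestamp counts as "no consent".
    if (empty($user['consent_at'])) {
        return CONSENT_ROUTE;
    }
    return null;
}

/** Store when consent was given, since the thread asks for that to be recorded. */
function recordConsent(array $user, int $now): array
{
    $user['consent_at'] = $now;
    return $user;
}

// Constructed sample: an account created before GDPR support was enabled.
$legacy = ['id' => 7, 'consent_at' => null];

var_dump(consentGate(null, 'site/index'));              // guest request
var_dump(consentGate($legacy, 'site/index'));           // legacy user, any page
var_dump(consentGate($legacy, CONSENT_ROUTE));          // legacy user, consent page
var_dump(consentGate($legacy, 'user/security/logout')); // legacy user, logout
$legacy = recordConsent($legacy, time());
var_dump(consentGate($legacy, 'site/index'));           // same user after consenting
```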

@Eseperio @maxxer my two cents:

As we do with Two Factor Auth, I think that (based on whether there is a GDPR enabled configuration - a GeoLocation feature would be nice to be added in the future), we should display the consent as the first page after the user is logged in and forbid any action.

As a side note, @Eseperio, how is the law applying to financial elements? That is, a user is directly linked to a transaction (currently working on the cryptocurrency world and this is something that may affect our work). What happens if the user wants to be forgotten?

Thanks for your hard work guys... I am truly amazed by the community.

tonydspaniard avatar Jul 16 '18 15:07 tonydspaniard

GeoLocation, to work well, requires third-party services. Also, it could be a mess mixing up user management with a geolocation module. Actually, with the events it is pretty easy to filter access by GeoIp.

--

@tonydspaniard If personal data is required to provide a service it cannot be fully deleted under some circumstances. Take a look at Art. 17, which explains when the right to be forgotten can be applied. Art. 17 in Spanish. Take care, the translation is not as helpful as it should be.

Greetings from the peninsula!

Eseperio avatar Jul 16 '18 16:07 Eseperio

@Eseperio agreed with geolocation. One reliable service could be the maxmind db. And can be added as an optional feature (in fact TwoAuth should be optional too)

Thanks for the information on the articles. And greetings from Mallorca!

tonydspaniard avatar Jul 18 '18 15:07 tonydspaniard

A little bit off topic, but a few months ago I had to implement a geolocation thingy. But the problem with the maxmind db (or any other ip to country db) is that it's slow. So we used the CloudFlare's IP Geolocation service which adds a CF-IPCountry header to every request so you can offload your server and everything is flawless.

I know that it's not possible to use it in the usuario module, but I thought that it would be a good idea to share this :)

mrbig00 avatar Aug 02 '18 17:08 mrbig00