dataverse
Prompt existing users to accept General Terms of Use after revision
When the Terms of Use (ToU) for a Dataverse installation have been changed, existing users should be made aware of the new ToU after log-in, and they should be prompted to accept them.
In our installation, we do not add the ToU in the user registration form, but only a short text and a link to our repository policies. Therefore, it should be possible to indicate that the ToU have been changed without having to edit the content of the ToU field in the user registration form.
Good idea. This was also proposed in #1602 and #1650.
Maybe we'd want to implement some sort of timestamp on the `authenticateduser` table such as `last_accepted_general_tou` or something. In #3246 we added `lastlogintime` to this table.
Currently, we use `:ApplicationTermsOfUse` to store the General Terms of Use but there's no way to put a timestamp on it (or any database setting like this): http://guides.dataverse.org/en/4.9.2/installation/config.html#applicationtermsofuse . We'd need to store a timestamp somewhere so we could do a comparison.
@philippconzett any thoughts of what the consequences should be for someone who refuses to accept the new General Terms of Use?
I forgot to check if this feature already had been requested - sorry!
@pdurbin If an existing user does not accept the new ToU, I would suggest that the user should be prompted to specify the reasons, and the user's answer would then be forwarded to the main contact email of the Dataverse installation.
In the window where users are prompted to accept updated ToU, it would be nice to be able to add some text where one can highlight the main changes, in addition to (referring to) the entire ToU.
We'll be soon updating the ToU of Harvard Dataverse and are investigating how to proceed.
@philippconzett @BPeuch Did you consider emailing the users with a statement that the terms of use have been updated and that continued use of the service beyond a certain date constitutes acceptance? If so, was this considered not sufficient compared to the in-app acceptance? Thanks!
Unhappy to say this, but we did not inform our users about our updated ToU.
Hello, @djbrooke. Thanks for the poke: that's a very good question. I just verified that extracting a list of email addresses from the admin's dashboard is very easy, so that's indeed one way to do it. The other way I believe would be to simply add a temporary banner on the website warning that the ToS were updated and that users are invited to read them.
Indeed we know of many websites where the ToS contain imperative sentences along the lines of "The Terms of Service can be modified at any moment" and the idea that, as soon as they browse/use a website, users/visitors de-facto accept and submit to the ToS. However, our legal expert has warned us that, as a public service, we have stricter obligations than private companies. She insisted that we insert the full text of our General Deposit Agreement in Dataverse and that depositors click on a button that states "Accept & Continue" before they can complete the data deposit procedure. I think we will have to do the same with ToS updates. Adding a line (with or without a checkbox) that reads "By clicking on 'OK' you agree with the SODHA General Deposit Agreement [external link]" is not legally enough.
One well-known example dates back to when Google did a big update on their cookie policy, if I remember correctly, and a new window appeared on our screens that required that we explicitly consent to the policy before we could use the search engine again. I believe this can be done without much difficulty through a bit of Web programming.
Hello, according to evolving regulations we also have to ensure that a user not just reads the ToS, but explicitly acknowledges it (for example through a checkbox). The fact and the time of the acknowledgment should be recorded as well. I mean, it is not necessarily mandatory to keep all history of the acknowledgment, but at least the most recent one should be kept. Something simple like:
- The date of the last consent is kept at the user table
- The administrator can at any time call the API method "let_all_users_consent_tos" which records the current consent_request timestamp.
- Upon login, if the consent timestamp of the user is older than the consent_request timestamp, the user gets the ToS to read and has to consent through the checkbox to login.
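
The three steps listed above, modelled in Python against an in-memory SQLite database. This is an added example, not Dataverse code and not posted by anyone in this thread; the table layout, the `consent_request` setting name and the `open_db`, `needs_consent` and `login` helpers are assumptions, and `last_accepted_general_tou` is the column name floated earlier in the thread.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one consent timestamp per user, one global setting row.
SCHEMA = """
CREATE TABLE authenticateduser (
    useridentifier TEXT PRIMARY KEY,
    last_accepted_general_tou TEXT      -- ISO-8601 UTC; NULL = never consented
);
CREATE TABLE setting (name TEXT PRIMARY KEY, content TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def utc_now():
    # Always server-side time; never trust a timestamp sent by the client.
    return datetime.now(timezone.utc)

def let_all_users_consent_tos(db, now=None):
    """Admin action: consents recorded before `now` become stale."""
    stamp = (now or utc_now()).isoformat()
    db.execute("INSERT OR REPLACE INTO setting VALUES ('consent_request', ?)", (stamp,))

def needs_consent(db, user):
    req = db.execute("SELECT content FROM setting WHERE name = 'consent_request'").fetchone()
    if req is None:
        return False                    # no consent request has ever been issued
    row = db.execute("SELECT last_accepted_general_tou FROM authenticateduser "
                     "WHERE useridentifier = ?", (user,)).fetchone()
    if row is None:
        raise KeyError(user)
    # NULL (never consented) and older-than-request both require the prompt.
    return row[0] is None or datetime.fromisoformat(row[0]) < datetime.fromisoformat(req[0])

def login(db, user, checkbox_ticked, now=None):
    """Gate that runs after authentication has already succeeded."""
    if needs_consent(db, user):
        if not checkbox_ticked:
            return "consent_required"   # show the ToS; no session is created
        db.execute("UPDATE authenticateduser SET last_accepted_general_tou = ? "
                   "WHERE useridentifier = ?", ((now or utc_now()).isoformat(), user))
    return "logged_in"
```

Only the most recent consent is kept, as the comment above proposes; keeping the full history would need an append-only table instead of the single column.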