GDPR, Boards.ie and Vanilla, how does this work?

to whom it might concern, as it was not advertised or i didnt found... after heavy presurre here i believe, links finaly up and working. all other obviously still dead

https://www.boards.ie/content/privacy

https://www.boards.ie/content/cookie

Good morning @Boards.ie: Odhran, I appreciate the update.

I see in the Privacy Policy that you state that data won't leave the EEA, and that Vanila are down as software providers only (and not hosting), both of which are contradicted by statements from @Boards.ie: Niamh.

Can you post (or PM) the DPC incident number that they would have assigned to Boards following your chat with them?

For good order, can you clarify:

• Where the data is now hosted, and which company is actually hosting it?
• Do you consider a breach of personal data to have taken place?
• Which companies have read access to personal information such as users' Names, E-mail addresses, Social Media data accounts and IP logs?

I don't think anyone here is calling for GDPR fines or the like. Speaking for myself, I just want to know what you are doing with my data, if what you have recently with it complies with your polices and GDPR and what you are going to do in future to ensure that this sort of confusion and rather cavalier attitude towards your users' data doesn't happen again.

What is it that people dont get about boards.ie? Its a shithole vile site and has been for years,like a lot of others.i am in the unfortunate position of monitoring the mods and "admins" of this and other sites and i can tell you this is one of the most obnoxious sites ever,it has been for years. Do not trust it,personally i wouldnt.

So, considering Odhran's response [which address almost none of the points in this thread] and their new privacy policy, there is now a question on whether the full data set is still based in Ireland or Europe rather than Canada. Hopefully we get confirmation on that.

Looking at their cookie policy and consent. It's very unclear. They mention the companies who own the cookies but not what each cookie purpose is.

The Cookie Consent form looks to be fundamentally broken and not fit for purpose.

1. They use deceptive design patterns by having an ACCEPT ALL button in blue and a "Cookies Settings" button in white. The ACCEPT ALL button just jumps out. I actually accidentally clicked ACCEPT ALL one or twice by accident as it was the only button I saw at first glance. Now, I know many, many, many websites use this deceptive practice. This is blatantly trying to get their users to click the blue button and accept all cookies. This practice isn't illegal but enforces my newfound mistrust for Boards.
2. The Cookie Consent isn't GDPR compliant. I've listed the GDPR cookie compliance points below. A website MUST "Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.". Boards fail at this. They have an ACCEPT ALL button but no REJECT ALL [or REJECT ALL UN NECESSARY]. So, it takes one click to accept all cookies but two clicks. Clearly one choice is easier and much more prominent than the other.
3. Their cookie consent doesn't actually work. I cleared all of my cookies, opened up a new tab. Pressed F12 to view cookies and surfed to Boards.ie. The cookie consent popped up. But before I made a choice, four cookies were created already, two of which are Google Analytics. This just shouldn't happen. One is a vanilla cookie and one is a cloudflare cookie. It could be argued that two of the four cookies are necessary, definitely the cloudflare one but as Boards don't list the reasons for each cookie, it's hard to say. So, clicking "Cookie Settings", you see everything is disabled except "Strictly Necessary". Again, perfectly fine. Click "Save and Exit". Now 35 cookies are created, 27 of which belong to Google. So opting out of all non "Strictly Necessary" cookies, dumps 35 cookies on your computer, most of which belong to Google. Admittedly, all above was in Google Chrome. I'm not seeing this happen in Firefox to this extent. Wierdly, I ONLY get the Google Chrome experience if I DON'T have the devloper console open. If I open the dev console. I see only the cloudflare cookie regardless of settings. I'm seeing similar in Edge but nowhere near as many cookies as Chrome. Still 4 cookies created [including two ga ones] before Cookie Consent choice. With other GA ones created after rejecting them.

• Receive users’ consent before you use any cookies except strictly necessary cookies.
• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
• Document and store consent received from users.
• Allow users to access your service even if they refuse to allow the use of certain cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Hi @Boards.ie: Niamh Can you please confirm how passwords are managed on the new site? Are they salted and hashed? I'm assuming that they weren't salted and hashed on the old site, given that were obviously exported from the old site and imported into the new site.

Actually, salting is automatic in php these days. They SHOULD be using the password_hash() function rather than the old, maybe crypt() function. Then they don't have to create and store their own salts. It's included in the hash.

More GDPR issues. https://www.boards.ie/discussion/2058201850/boards-ie-email-address-issue-july-2021#latest

That wasn't present in the old software, indeed, I've never seen that as an option in any forum.

Some users may have had it turned on during the migration.

Hi @Boards.ie: Odhran / @Boards.ie: Niamh,

Any chance of some answers to this?

Also, I note in the Privacy Policy that you have mailchimp down as email services (as well as google). Yet I note that your emails are coming through sendgrid? Who are owned by Twilio? A good company, one that I'm surprised you are hiding from your users.

I note this as your emails are failing SPF and DMARC tests, and are flagging as such.