GDPR, Boards.ie and Vanilla, how does this work?

So, considering Odhran's response [which address almost none of the points in this thread] and their new privacy policy, there is now a question on whether the full data set is still based in Ireland or Europe rather than Canada. Hopefully we get confirmation on that.

Looking at their cookie policy and consent. It's very unclear. They mention the companies who own the cookies but not what each cookie purpose is.

The Cookie Consent form looks to be fundamentally broken and not fit for purpose.

1. They use deceptive design patterns by having an ACCEPT ALL button in blue and a "Cookies Settings" button in white. The ACCEPT ALL button just jumps out. I actually accidentally clicked ACCEPT ALL one or twice by accident as it was the only button I saw at first glance. Now, I know many, many, many websites use this deceptive practice. This is blatantly trying to get their users to click the blue button and accept all cookies. This practice isn't illegal but enforces my newfound mistrust for Boards.
2. The Cookie Consent isn't GDPR compliant. I've listed the GDPR cookie compliance points below. A website MUST "Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.". Boards fail at this. They have an ACCEPT ALL button but no REJECT ALL [or REJECT ALL UN NECESSARY]. So, it takes one click to accept all cookies but two clicks. Clearly one choice is easier and much more prominent than the other.
3. Their cookie consent doesn't actually work. I cleared all of my cookies, opened up a new tab. Pressed F12 to view cookies and surfed to Boards.ie. The cookie consent popped up. But before I made a choice, four cookies were created already, two of which are Google Analytics. This just shouldn't happen. One is a vanilla cookie and one is a cloudflare cookie. It could be argued that two of the four cookies are necessary, definitely the cloudflare one but as Boards don't list the reasons for each cookie, it's hard to say. So, clicking "Cookie Settings", you see everything is disabled except "Strictly Necessary". Again, perfectly fine. Click "Save and Exit". Now 35 cookies are created, 27 of which belong to Google. So opting out of all non "Strictly Necessary" cookies, dumps 35 cookies on your computer, most of which belong to Google. Admittedly, all above was in Google Chrome. I'm not seeing this happen in Firefox to this extent. Wierdly, I ONLY get the Google Chrome experience if I DON'T have the devloper console open. If I open the dev console. I see only the cloudflare cookie regardless of settings. I'm seeing similar in Edge but nowhere near as many cookies as Chrome. Still 4 cookies created [including two ga ones] before Cookie Consent choice. With other GA ones created after rejecting them.

• Receive users’ consent before you use any cookies except strictly necessary cookies.
• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
• Document and store consent received from users.
• Allow users to access your service even if they refuse to allow the use of certain cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Hi @Boards.ie: Niamh Can you please confirm how passwords are managed on the new site? Are they salted and hashed? I'm assuming that they weren't salted and hashed on the old site, given that were obviously exported from the old site and imported into the new site.

Actually, salting is automatic in php these days. They SHOULD be using the password_hash() function rather than the old, maybe crypt() function. Then they don't have to create and store their own salts. It's included in the hash.

More GDPR issues. https://www.boards.ie/discussion/2058201850/boards-ie-email-address-issue-july-2021#latest

That wasn't present in the old software, indeed, I've never seen that as an option in any forum.

Some users may have had it turned on during the migration.

Hi @Boards.ie: Odhran / @Boards.ie: Niamh,

Any chance of some answers to this?

Also, I note in the Privacy Policy that you have mailchimp down as email services (as well as google). Yet I note that your emails are coming through sendgrid? Who are owned by Twilio? A good company, one that I'm surprised you are hiding from your users.

I note this as your emails are failing SPF and DMARC tests, and are flagging as such.

Are you saying there was an option on the old Boards vBulletin site to allow users to see your email address?

That is verrry interesting!

While I totally understand that, it's possible that the DPC will come back and request you to exchaust all avenues with the company. They aren't replying here but you could send a formal letter of complaint via registered post, to their head office, addressed to their Data Protection Officer, giving them 30 days to reply. I know this is a pain but it's the final exhaustive measure before bringing in the DPC.

I'm just lazy! They explain this in the pinned post in Feedback. The bigger issue here would be, how would they execute a Right to be Forgotten request, and what would it involve.

Remember, they need a policy on the following.

Threads, Posts, PMs, Quoted messages, Aggregations / feeds, backup rotation (and purging when restored from pre the request), log rotation, long term storage (Tape / Cloud), as well as requests to third party processors that such a request was issued.

As well as requests to handle deleting / editing posts which contain PII data of another person.

Not everything has to be deleted immediately, but there is requirement that it eventually is removed.

Good question, just don't hold your breath waiting on an answer.

I’d imagine the likes of Liberty Insurance, and Bank of Ireland won’t like what’s going on. Especially considering how heavily regulated both the banking and insurance sectors are, boards.ie are falling short in their GDPR compliance with this PM issue and their Data Breach.

Quite possible they thought the same as we all thought, that a deleted message is actually deleted. I'd find it very hard to believe that they would just shut up shop and simply abandon the accounts without some form of clean up. Most likely that as each query received by them (or any of the talk to reps) gets resolved they "deleted" all associated messages.

Yes, I don't think it's unreasonable to assume that the Talk To forum reps deleted their private messages, and as far as they were concerned, that meant they were deleted for good.

Much like regular forum users, that was a perfectly valid assumption to make.

Why these PMs weren't completely deleted from the Boards back end is what needs to be answered. I wouldn't be holding Talk To reps accountable for that.

If anyone is having issues or had issues with old PMs reappearing and they were related to to any of the business from the TalkTo forums, contact those companies Data Controller. Most of these companies have a strict policy on where data should reside, and would be horrified to find out that boards.ie have made them non-compliant with their own terms and conditions regarding data.

They will follow up with the Data Commissioner for you. It’s not just the current TalkTo companies that you can contact, you can contact all of them including the archived companies. 

These companies will be very interested to find out that boards.ie moved their customers data outside of the EU.

it wasn't Odhran et al who retained the information, it was previous incarnations

willing to bet he wasn't even aware that data was sitting there because the last lot never told anyone

yeah but you sound like you know what you're doing.

That's Cloudflare, it's a gateway that sits between you and the host, it doesn't mean the data is hosted there at all, as it proxies the real host.