EU/DE legal compliance of SMF, especially Imprint and Privacy Policy links

[DEG 1935]

According to EU and DE (Germany) regulations, a link to an Imprint (Impressum) is required where (at least) name, address, e-mail and phone number of the operator of the website need to be listed.

Furthermore, a link to a "data protection declaration" (= privacy policy) is required.

Both links need to be accessible from any page of the forum/website (like the current "Terms and Rules" link), also to guests.

I couldn't figure out yet how to do that with SMF. Does anyone have a good idea?

• Pages Mod (2010, 66 subscribers) and Footer Menu (2015, 14 subscribers) seem a) to be outdated and not compatible with 2.4.1, and b) not to do what EU/DE website operators really need. It's not sufficent to just create a link/menu or something, these links also have to present the relevant text when clicked (again like the "Terms and Rules" link).

• I tested Copyright & Footer Links, but this mod can also just create a link and nothing else. So I would have to create a complete external document.

• There is a privacy policy in SMF (which is empty), but this is not linked at the bottom (and therefore not accessible from any page of the forum).

• I can of course throw all three things (Imprint, Privacy Policy and Terms and Rules) in the current text of "Terms and Rules", but sorry, this can't be the solution (and I'm even not sure if this would be legal then). Furthermore I would then have the privacy policy at two different places within SMF.

• TinyPortal MIGHT be able to do what I and all users in the EU and DE do need, but this is of course overloaded for just a simple link with some text. And I'm even not sure if it would be able to JUST create these links along with their texts and totally forget about the rest (blocks, panels, shoutbox etc. pp.).

So what I would just need is: "Terms and Rules", but three times.

I know that this is fully over-regulated here and nothing else but an annoyance, but I didn't make these rules but have to stick to them. For many lawyers here it's a "sport" in the meantime to specifically search for such websites which violate any of these rules and then send out warning letters ("Abmahnschreiben") just to make money.

This is really a serious issue. I have read some threads about it here, but the non-solutions mentioned there are listed above.

[Kindred]

With 2.1, you can add the privacy policy and it will be visible under the terms & conditions link in the footer.
(agreement and privacy are both listed when you click)

[DEG 1935]

Aha! Great, that's better than nothing, although it MIGHT be mandatory to have separate links for each item (would have to check that legally).

But then we still need an imprint. Would it be codewise very hard to implement a third section for an imprint under this one link (just for the time being)?

The thing is that these texts are extremely long, see for instance (sorry for German, just look at the length):

• Privacy Policy ("Datenschutzerklärung")
• Imprint ("Impressum")

They are in itself that long already that nobody will read (nor understand) them. Imagine you have them even along with the "Terms and Rules" all at one place...

This is all just too absurd, I know. But if it is legal to have them all at one place, then I can very well live with that. A contents at the top of the document would make sense (as in the English help).

Anyone here who could (and would) add a third section for the imprint...? 🙏

[DEG 1935]

Aha! Great, that's better than nothing, although it MIGHT be mandatory to have separate links for each item (would have to check that legally).

After a quick Google check it looks as if two separate links for imprint and privacy policy are recommended and should exist, but if they are placed under the same link, the link needs to tell that (e.g. "Imprint and Privacy Policy"). I haven't found any regulation that it's not allowed to even add a third item ("Terms and Rules") under that same link (but that should then be the last topic, just to be safe).

Okay, renaming the link should be the least difficult thing. But then we still need something for the imprint.

Hmm hmm, as I think about it:

As long as we don't have a separate third item for the imprint ... well, the text of the privacy policy supports BBCode, so we could do for instance:

Code Select Expand

[b]Imprint[/b]

Bla blubb

[b]Privacy Policy[/b]

Bla blubb
Which would then show as:

(Uh, I pasted a very small screenhot here, is that not possible with SMF?! At least it was shown in the editor, but has then be replaced with "[ing]about:invalid[/ing]" upon posting, "ing" should read "img" of course).

We could also adjust the font size and color of "Imprint" and "Privacy Policy" (I think). Well, that could do the trick for the moment. ToDo list:

• Change the section title (couldn't find it at first attempt)
• Swap order of "Terms and Rules" and "Imprint and Privacy Policy"

If someone could point me at the right place in the code, that would help.

[Aleksi "Lex" Kilpinen]

If you want to simply change the text of the links, you probably should just add your own language strings in modifications.(language).php and then edit index.template.php to use your custom string.

You'll find the links after this line, around lines 458-469.

Code Select Expand

// Show the footer with copyright, terms and help links.

Or you could build a custom page from scratch, and just add another link in there.

[Deaks]

also if people are not reading them then the fault lies with theme not you aslong as you have the information you are covered.

[DEG 1935]

also if people are not reading them then the fault lies with theme not you aslong as you have the information you are covered.

Right. But in what way does that help in terms of the original issue?

There are certain rules which information needs to be presented how and to whom (all, also guests), and they are complicated, over-regulated and changing any day. This includes cookies (I believe I've never been asked for a cookie consent here), privacy policy (and not just reading, but explicitely accepting it upon registration), bla blubb etc. pp.

May I assume that you're neither from Germany nor from the EU?

[shawnb61]

The problem with questions like this is that you are asking for legal advice.  No lawyers here.  You're not going to get a proper legal opinion/answer.

I do know that SMF implemented a large set of GDPR enhancements, years ago, upon legal consultation.

The real complication is forum usage - what exactly you capture & what do you do with it.  This really is different for every forum.  And will dictate your privacy and cookie policies.

My (limited) understanding is that if you do not capture financial info, conduct financial transactions, sell anything (product or user info), give your user data away to anyone, use 3rd party cookies, use multiple site cookies, perform activity tracking, etc., (non-essential cookies), you are likely ok with vanilla SMF, which uses a technical cookie only.

If you need further clarifications, you should consult a lawyer. 

Again, no lawyers here.

https://www.cookielawinfo.com/cookie-consent/

[Julius_2000]

So if I understood it correctly, you would like to add Impressum and AGB links to the footer section?

You can add stuff within the index.template.php file and place it where you would like it to be. I've done that with some additional info about our forum team.

You cannot view this attachment.

The only thing that would need to be done then is create customized pages like for the Terms & Conditions one (Agreement page as defined in the Agreement.php). I'm not experienced enough to spit that out right away, but perhaps an adaptation + renaming of the Agreement.php could do the trick to create those.
@SMF Or is there an easy way in SMF to create a separate webpage, like if I wanted to add an "about" link?

[DEG 1935]

The problem with questions like this is that you are asking for legal advice.

No, I'm not. I'm asking (and trying) how to implement the EU/DE requirements in SMF.

• Mandatory and explicite cookie consent (everybody, also guests/visitors), even if just technical cookies are used.
• Three different texts (and preferably three links) within SMF for 1) Imprint, 2) Privacy Policy and 3) Terms and Rules, accessible from any publicly available page within SMF.
• Mandatory and explicite consent to the Privacy Policy (currently just the "Terms and Rules" need to be accepted, although the Privacy Policy contains (dummy) text, but is not shown upon registering).

Just in short, and that's what I KNOW. I'm NOT asking for any advice what should be written in those texts (this I can "steal" from elsewhere here).

The link from this "Cookie Law Info" is a good example for wrong information. They're saying for instance:

Strictly necessary cookies, i.e. cookies that do not track or collect personal data and are necessary for your website to function, are exempted from requiring consent.

This is simply not true here. At least the IP is logged during a session, and that only is considered as "personal data" already, according to our laws. Fun fact: This Cookie Law Info site doesn't even have an imprint which discloses who is running it...?

You can add stuff within the index.template.php file and place it where you would like it to be. I've done that with some additional info about our forum team.

Thanks for the pic, but I can't see the relevant part.

(Now my next question is how I can make an external link in the quote tag clickable...)

[Kindred]

We don't do any of that.
Our consultation with legal counsel instructed us that as we have implemented covers the core of thex requirements.
If you disagree, then it's up to you to enhance it, or find someone to do this the way you think they need to be done.


You see how the agreement and privacy are done.

We don't do a cookie notification /optout popup

The privacy policy IS shown during registration,  to the best of my knowledge

[DEG 1935]

The privacy policy IS shown during registration,  to the best of my knowledge

No "knowledge" needed, just test it. I DID test in my own board, and it was NOT shown (testing is what I usually do before making any statements). Just the "Terms and Rules" were shown. As I said already.

Our consultation with legal counsel instructed us that as we have implemented covers the core of thex requirements.

And this legal counsel (in the US?) is familiar with the requirements in the EU and DE? I doubt it.

You see how the agreement and privacy are done.

We don't do a cookie notification /optout popup

That's why I started this thread.

[Julius_2000]

Thanks for the pic, but I can't see the relevant part.

Three different texts (and preferably three links) within SMF for 1) Imprint, 2) Privacy Policy and 3) Terms and Rules, accessible from any publicly available page within SMF.

Sorry, I obscured the names for privacy reasons . Click on my website icon under my avatar and scroll to the bottom. It's just an example of what you could do design-wise, giving you an idea how I added stuff to the footer, which is done by adding html elements to the index.template.php file.
The only question at this point would be how to create a customized page in SMF, like what I suggested with said adapted agreement.php. If that could be adjusted to refer to a customized page like "AGB" etc., I guess the better part of your problems would be solved.

[Aleksi "Lex" Kilpinen]

I do know Germany has some of the strictest interpretations of the regulation, but still I do think you are a little confused.

Some things I've come to understand about these:

- Cookie consent:
Not actually necessary in my understanding, unless you have added functionality on top of core SMF functions (such as advertising) that use cookies for those functions. The fact that SMF handles IP addresses is unrelated to this, completely. https://gdpr.eu/cookies/

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

- Links:
A public Privacy Policy does not necessarily need explicit consent, it is not an actual agreement - It is simply a public document describing your data handling to your data subjects. https://gdpr.eu/privacy-notice/
Terms and Rules can be seen as an agreement, and is also a part of registration as is the Privacy Policy I think. ( Edit: Checked, there are two settings involved, Admin -> Members -> Registration -> Settings:  "Require new members to accept the registration agreement" & "Require new members to accept the privacy policy" )
Imprint is a strictly German (and Swiss) thing, that I really don't know much about, but I would wager a beer that you could get away with combining it with your Privacy Policy if you just change the link to "Privacy Policy and Impressum" or something - All it is in my understanding, is a mandatory contact info page.
The only link out of these that might need to actually be on every page, is the Impressum - The others only need to be easily accessible, and free of charge.

[DEG 1935]

Thanks for the pic, but I can't see the relevant part.

Three different texts (and preferably three links) within SMF for 1) Imprint, 2) Privacy Policy and 3) Terms and Rules, accessible from any publicly available page within SMF.

Sorry, I obscured the names for privacy reasons . Click on my website icon under my avatar and scroll to the bottom. It's just an example of what you could do design-wise, giving you an idea how I added stuff to the footer, which is done by adding html elements to the index.template.php file.

Huh, that looks appealing indeed. Different theme, though. Did you have to move the SMF stuff to the left by yourself, or was that part of the theme already?

The only question at this point would be how to create a customized page in SMF, like what I suggested with said adapted agreement.php. If that could be adjusted to refer to a customized page like "AGB" etc., I guess the better part of your problems would be solved.

Right (but I don't need "AGB" as I'm not running a business, this shall be just a fan forum). But there are so many issues to be solved in detail, code edits needed, and the issues apparently not always quite well understood, hmm...

[DEG 1935]

I do know Germany has some of the strictest interpretations of the regulation, but still I do think you are a little confused.

Some things I've come to understand about these:

- Cookie consent:
Not actually necessary in my understanding, unless you have added functionality on top of core SMF functions (such as advertising) that use cookies for those functions. The fact that SMF handles IP addresses is unrelated to this, completely. https://gdpr.eu/cookies/

Of course I'm confused. Everyone here is confused! That's an integral part of our politics. On the other hand, we may still carry tons of booze in a car across borders of federal states (unlike the USA), have no general speed limit, the lowest fines for violating them (although they've been increased recently), and we will not be shot dead in a traffic control. (Plus some other more relevant things.) So everywhere there are pros and cons. (And yes, I have seen that you're from Finland, never again seen so many funny words and names with the same double/triple vowels, but I must admit that I haven't been to Wales yet. )

You are mentioning a link to https://gdpr.eu/cookies/. Okay, but that (and other links) doesn't tell everything:

• These EU regulations must be transposed into national law, only then it applies. These national laws may be different from and more strict than the EU regulation.
• First we have the "Datenschutz-Grundverordnung (DSGVO)" from the EU.
• Then there are the national laws (in Germany actually the "Telemediengesetz (TMG)" and its successor "Telemedien-Datenschutzgesetz (TTDSG)"), partially totally independent from any EU regulation(s). Have fun reading and understanding them!
• And if that wouldn't be enough, there are single decisions by the "Bundesgerichtshof (BGH)" in Karlsruhe (sort of Supreme Court, this info for the US folks here) and probably some other local courts (don't ask me!).

And as we're all confused (see at the top), almost any website here has a cookie consent plugin. At least one where you just have to click on an "Okay" button, others (also from overseas) extremely complicated. Of course depending on what they are doing.

Okay... So what I'm saying is that just looking into one single (non-official) website and quoting just one sentence from this website is not the equivalent way to deal with this complex issue. And if someone from the US tells me here "Our legal counsel says it's all okay", then I can't take that too serious, sorry.

The even bigger problem (than for me and my small site) is that even THIS website would have to stick to all these regulations if a person from the EU (or even worse, from Germany as me ) would access this site (and even sign up to it). At least this is my understanding. That's why some US media (New York Daily News, Los Angeles Times, Chicago Tribune, San Diego Union-Tribune and Baltimore Sun) instantly restricted the access to users with European IP addresses when this awkward "DSGVO" came in force on May 25th, 2018 (Link).

Terms and Rules can be seen as an agreement, and is also a part of registration as is the Privacy Policy I think. ( Edit: Checked, there are two settings involved, Admin -> Members -> Registration -> Settings:  "Require new members to accept the registration agreement" & "Require new members to accept the privacy policy" )

Uh, I would have to check that. When I tested it, the Privacy Policy didn't show up (although it did contain some dummy text). But if there's an own setting, shouldn't that be automatically enabled then (or simply removed as an option) as soon as it contains some text? Because if you click on "Terms and Rules", the Privacy Policy will automatically (and additionally) be displayed without the explicite need to enable it?! That's an inconsistency then, IMO.

But apart from all of the above I do still have the other possible showstoppers (pasting an image from the clipboard into the editor which gets deleted/removed upon posting, zoom reset to 100% with Firefox (Chrome not tested yet), external links in quote tags), plus the whole work with code editing which would be connected to that (and this for me as an PHP and CSS noob!), that I'm not sure if I should proceed with SMF.

I'm playing with SMF for 4-5 days now, and I can say that I like it in several ways and for some reasons, but it's anything else than "simple".

Have a good night, folks.

[Kindred]

Sorry, not sorry... but
1- we have talked with our legal counsel. It doesn't matter to us whether you accept it or not  - unless you are an actual lawyer, your opinion holds less weight.

2- I confirmed my original remembrance. As lex said, if you set the setting, then the privacy policy IS shown on registration.

3- your other issues are being dealt with in other threads. Let's not confuse matters by bringing them in here.

4- your understanding of US laws is mistaken.  Additionally,  I don't think you have any concept of how far most US citizens live from any federal border...

5- the reason that the media sites Block access is because they DO add cookies well beyond the basic ones needed for access/membership.

6- if you want features for policies and cookies beyond what we have, then you will either have to write it yourself or hire someone to write a mod for you (ask in the mod request or thr help wanted boards, if so)

[DEG 1935]

we have talked with our legal counsel. It doesn't matter to us whether you accept it or not  - unless you are an actual lawyer, your opinion holds less weight.

Thanks for the "support" and "understanding". And no, what I'm saying above is not an "opinion".

[live627]

This thread is going nowhere with these mountains made of molehills. SMF does have some goodies for GDPR compliance that seems to  satisfy most implementations with Germany being a notable exception because  their interpretation seems to be much more strict.

So  now I will try to list the requirements.

• New page with a global sitewide link in the footer
• Privacy policy is built in and I think it is added to the Terms page once filled out

[@rjen]

Running my forum in the Netherlands.

Can confirm that maintaining the privacy policy will add this under the registration agreement, and it will prompt users to consent BOTH registration agreement and privacy policy.

Both are also present under the link to terms and rules on every page.

In addition I have chosen to use the EU cookie mod so guests are also prompted for cookie consent.

Added a separate topic to the forum explaining the cookie policy and a link to the EU cookie message directing users there.

For us this effectively deals with the requirements