Developer forum


Consent module - any plans yet?

Kevin Steffer

Are there any plans on how to implement a consent module for the new GDPR?

Replies

 
Adrian Ursu

+1

 
Nicolai Pedersen
This post has been marked as an answer

Hi All

We are working out the details - but yes, there will be a number of features related to this. So far I have these 3 on the agenda.

  • Show a user's data (cookies, visits etc.), maybe a couple of new features to the cookie manager
  • Right to be forgotten - delete or anonymize everything for a user/visitor
  • Explicit consent feature - updated version of "Allow email" but in a way that handles any number of consents related to users/visitors.
    • A related table with consents for users/visitors that cannot be imported. Have to click a link to provide the consent and a token and information about the consent will be generated
    • Forms, Users and Checkout are modules that will be able to create consents.

If you have further thoughts, please let me know.

Votes for this answer: 1
 
Adrian Ursu

Hi Nicolai,

Very good to know you are on top of it :)

From what I understand from a couple of discussions with local lawyers, right to be forgotten means deleting everything. Anonymization is not enough.

And I believe there are a few points/options that we need to give to our customers:

Some of the personal data rights under the GDPR (copied from a document):

Right to Data Portability: Your “data subject” (visitor or customer) can receive any personal data he or she has provided to the “controller” (your organization), which that individual can then pass along to another enterprise without “hindrance” from you.

 

Right to Erasure/Right to be Forgotten: The “data subject” can request that you erase any personal data about him/her, “without undue delay.”

 

Right to Object: The visitor/consumer can object to you processing their personal data, unless you can demonstrate good reasons for doing so that override the person’s interests.

 

Right of Access: Individuals have the right to get confirmation from you as to whether or not you’re using their personal data, in which case, they are granted the right to access it.

 

Right to Rectification: A person can ask you to rectify/correct any inaccurate personal data you’re holding about him or her.

 

Right to Object to Profiling (by automated processes) - this is akin to tracking, and a consumer has the codified right to object to this activity.

 

Maybe it would be useful to set up a sort of GDPR module similar with the Customer Center. Where you have templates and logic for multiple points and that can be extended in time.

I hope it helps.

If you think it is useful, I can send you relevant links and documents that can provide you with insights into how others are doing it or how lawyers recommend to prepare for GDPR.

Thank you,

Adrian

 
Nicolai Pedersen

Hi Adrian

Thanks, very useful and nothing I have not seen before though. But would always like the links for further input.

When I mean anonymize I mean deleting the user but not the activity (statistics/history) which is ok. So anonymizing an order i.e. would be removing name and address, but not the order itself.

I am also thinking of a module like you suggest, but also some other features. I.e. a consent system that can provide consent in different 'levels' (i.e. low, medium, high). Where low is when you cheat and add a consent programmatically, medium is one where the consent has happened in the context of a user/visitor session (you could cheat by impersonating) and high where an email has to be sent to validate the consent. And basically be able to ask for consent for whatever you feel like - i.e. newsletters, acceptance of cookies, submitting a form and ask for consent to contact the customer etc.

BR Nicolai
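
The three consent levels described in the post above, and the "click a link with a token" step from the earlier list, as an added example that is not Dynamicweb code and not from the post. `ConsentLedger`, its method names, the `None` value and the HMAC token format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public enum ConsentLevel { None, Low, Medium, High }   // None = no consent (added for this example)
public sealed class ConsentLedger   // hypothetical in-memory store, not a Dynamicweb type
{
    private readonly byte[] _key;   // server-side secret, never placed in the link
    private readonly Dictionary<string, ConsentLevel> _levels = new Dictionary<string, ConsentLevel>();
    public ConsentLedger(byte[] key) { _key = key; }
    // Length-prefixed so two different (subject, activity) pairs never share a key or MAC input.
    private static string Id(string subject, string activity) =>
        subject.Length + ":" + subject + activity.Length + ":" + activity;
    private string Mac(string id, long expiryTicks)
    {
        using (var h = new HMACSHA256(_key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(id + expiryTicks))).Replace("-", "");
    }
    // Token for the mailed link; it binds subject, activity and expiry.
    public string IssueToken(string subject, string activity, DateTime expiresUtc) =>
        expiresUtc.Ticks + "." + Mac(Id(subject, activity), expiresUtc.Ticks);
    // Low and Medium are recorded directly; High is reachable only through ConfirmByEmail.
    public void Record(string subject, string activity, ConsentLevel level)
    {
        if (level == ConsentLevel.High) throw new ArgumentException("High needs a mailed token");
        Raise(Id(subject, activity), level);
    }
    // Accepts the token from the clicked link only if it is unexpired and the MAC matches.
    public bool ConfirmByEmail(string subject, string activity, string token, DateTime nowUtc)
    {
        string[] p = (token ?? "").Split('.');
        long ticks;
        if (p.Length != 2 || !long.TryParse(p[0], out ticks) || ticks < nowUtc.Ticks) return false;
        if (!FixedTimeEquals(Mac(Id(subject, activity), ticks), p[1])) return false;
        Raise(Id(subject, activity), ConsentLevel.High);
        return true;
    }
    public bool HasConsent(string subject, string activity, ConsentLevel minimum) =>
        Current(Id(subject, activity)) >= minimum;   // caller states the level it requires
    private ConsentLevel Current(string id) { ConsentLevel l; _levels.TryGetValue(id, out l); return l; }
    private void Raise(string id, ConsentLevel level) { if (Current(id) < level) _levels[id] = level; }
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;   // no early exit on the first mismatching character
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A caller would check `HasConsent(subject, activity, ConsentLevel.High)` before sending marketing mail, so a consent added programmatically at `Low` never satisfies it. Mail gateways that pre-fetch links issue GET requests, so the page behind the link should call `ConfirmByEmail` from a form POST rather than from the GET itself.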

 
Adrian Ursu

Hi guys,

I have another point that I want to include in this discussion.
Breaches. I know that breaches can be of various types and are very hard to prevent and identify.

According to GDPR requirements, we need to be able to prevent and identify breaches as well as report them.

I am thinking maybe it is worth considering an improvement of the Backend authentication that can include some sort of "approved device". Similar to what happens when you log in to your Dropbox account from a different computer. This can trigger a notification to the Master admin of the site (or the Data Protection Officer).

Not sure how this type of verification is done but it can present itself as a differentiator for the CMS industry while also solving a GDPR requirement.

Thank you,
Adrian
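
One way the "approved device" check suggested above can be done, as an added example that is not part of the post and not Dynamicweb code. The `ApprovedDevices` class, its methods and the notification callback are hypothetical; the device token is assumed to be stored in a long-lived Secure, HttpOnly cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class ApprovedDevices   // hypothetical helper, not a Dynamicweb type
{
    // Per backend user: SHA-256 hashes of the device tokens already approved.
    private readonly Dictionary<string, HashSet<string>> _approved =
        new Dictionary<string, HashSet<string>>();
    // (user, request details) -> alert the master admin or the Data Protection Officer.
    private readonly Action<string, string> _notify;

    public ApprovedDevices(Action<string, string> notify) { _notify = notify; }

    private static string Hex(byte[] bytes) => BitConverter.ToString(bytes).Replace("-", "");

    // Only the hash is kept server-side, so a leaked table does not reveal usable tokens.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Called once the user has approved this browser; the returned value goes into the cookie.
    public string Approve(string user)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Hex(raw);
        HashSet<string> set;
        if (!_approved.TryGetValue(user, out set)) _approved[user] = set = new HashSet<string>();
        set.Add(Hash(token));
        return token;
    }

    // Called after the password check succeeded. An unknown device raises the notification
    // and returns false; the caller decides whether to block or to ask for confirmation.
    public bool IsKnownDevice(string user, string deviceToken, string requestDetails)
    {
        HashSet<string> set;
        bool known = !string.IsNullOrEmpty(deviceToken)
                     && _approved.TryGetValue(user, out set) && set.Contains(Hash(deviceToken));
        if (!known) _notify(user, requestDetails);
        return known;
    }
}
```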

 

 
Anders Ebdrup

+1

 
Anders Ebdrup
+1
 
Peter Leleulya

+1 Good to see you're on top of it ...

 
Adrian Ursu

Hi Nicolai,

Any update on the date when we can start playing with the new GDPR modules?

Thanks,

Adrian

 
Nicolai Pedersen

An example of how to collect and check for consents in code. A more high level and easy to use API will be ready in a later 9.4 release streamlining the process.

The code below requires that you have created an activity and have the ID of it.

        public string ConsentExample()
        {
            // The visitor ID is read from the "Dynamicweb" cookie.
            string currentVisitorId = Dynamicweb.Context.Current.Request.Cookies["Dynamicweb"]?.Values.Get("VisitorID");
            ActivityService activityService = new ActivityService();
            // "Activity1" is the ID of the activity that has already been created.
            Activity activity = activityService.GetActivityById("Activity1");
            ConsentService consentService = new ConsentService();
            Consent consent = consentService.GetConsentById(activity.Id, currentVisitorId, "Visitor");
            if (consent != null && consent.Status == ConsentStatus.Given)
            {
                // Visitor has given consent - track or whatever.
                return "<script>trackingscript();</script>";
            }
            else
            {
                // Visitor has not given consent - display a "Give consent button" or record that the user has given us a consent
                if (Dynamicweb.Core.Converter.ToBoolean(Dynamicweb.Context.Current.Request.GetString("GiveConsentForTracking")))
                {
                    // Record the consent together with information taken from the current request.
                    consentService.GiveConsent(activity.Id, currentVisitorId, "Visitor", ConsentRequestInfo.FromRequest(Dynamicweb.Context.Current.Request));
                    return "Thank you!";
                }
                else
                {
                    return "<a href=\"Default.aspx?ID=123&GiveConsentForTracking=True\">Yes, please track me</a>";
                }
            }
        }
 
Per Søgaard

Questions about GDPR module and Newsletter consent forms:

When will the GDPR module be ready so we can test try it out and see how much work we need to do to set it up and find out what to tell the customers about time/price?

Will the newsletter signup 2 x consent functionality (confirm by clicking link in a mail) be free for all or a part of the GDPR module?
When will this be ready so we can test try it out and see how much work we need to do to set it up and find out what to tell the customers about time/price?

 
Adrian Ursu

Hi Nicolai,

I am also concerned about the modules and my customers are pressing me for details about GDPR compliance and I have very little I can tell.

9.4 seems to have a lot of performance issues (at least current versions) and there is no sign of the GDPR modules apart from a video screencast.

Please give us some visibility on the plans.

Thank you,

Adrian

 
Nicolai Pedersen

The first version of the consent module was released on April 11th in 9.4.9

The plan as communicated on https://www.dynamicweb.com/gdpr

  • We will release 2 modules/apps
    • Consent module for collecting and managing consents. Release in first version. Can collect consents from forms and newsletter signups (Create user) and using email marketing you can sort out users who did not give a specific consent. Next version will contain the ability to collect consents from checkouts and view and withdraw consents from the frontend.
    • Data protection module to support "Right to access, portability and to be forgotten". In progress and due for release within the next 2 weeks.

The module was covered and demoed in this webinar: https://www.dynamicweb.com/resources/downloads/gdpr-website-compliance

Here you can find a short internal demo: https://www.useloom.com/share/6875f73f552c487daf15bc6986a01ac0 and I also attached some screendumps.

Free, Express and standard will only get the modules if the add-ons are purchased. This has been communicated in newsletters. All-in-one full version have the feature included.

BR Nicolai

Capture.PNG Capture1.PNG Capture2.PNG
 
Adrian Ursu

Thank you Nicolai.

Adrian

 
Per Søgaard

So the GDPR "module" is all GDPR related functionality and the Newsletter signup with e-mail verification is a part of the "module" and is not available on small licenses without buying the add-on module?

 

 
Nicolai Pedersen

@Per: Yes - GDPR is 2 modules, "Consent" and "Data protection" collected in one administration called "Data Processing". All the features are only available if you have the add-on on small licenses.

It would not make sense to have the Email marketing consent sorting if you do not have the collect consent feature...

 
Jan Sangill

Hi,
I was testing the consent module, and I have one question in regards to that one.
- At the moment you can't tell if an anonymous form submit - what formsubmit the data is given. Is this planned?

The other modules that were planned to be released already I think. When is the new release schedule for these? I need something to report back to our customers.

//jan

 
Nicolai Pedersen

Hi Jan

I do not understand your question. The forms module will register a consent on either the userid (if the user was logged in), the email (if email field is specified on the form) and/or on the visitorId (If we have no user or email). The rest of the form data submitted is in the forms module under the data tab on the form.

Yes, unfortunately we have a delay on the rest of the module - the access to data and right to be forgotten, named "Data protection" in Dynamicweb. But it will be out there as soon as we have a stable and tested version of it. Sorry about the delay.

BR Nicolai

 
Martin Christensen

The extranet app has the option to associate a consent activity with the signup. The forms app currently doesn't have that option as far as I can tell.

The forms app stores the submitted data, so don't we need to be able to use the consent functionality with forms as well?

 
René Poulsen

@Nicolai, in the end of the video (https://www.useloom.com/share/6875f73f552c487daf15bc6986a01ac0) you talk about the ability to give consent directly from a newsletter, instead of leading the user to a landing page to do it. Is this possible now? If yes, how?

 
Nicolai Pedersen

Hi Rene

Right now it is possible using a Razor template - we just did it in our recent newsletter last week.

Attached find the example code. It is called "Consent.cshtml" which you include in another template:

@Include("Consent.cshtml")

and then call:

@RegisterConsent()

And then in your newsletter insert a link like this:

http://www.dynamicweb.com/Default.aspx?ID=1302&RecipientId={{EmailMessaging:Recipient.Id}}&RecipientSecret={{EmailMessaging:Recipient.Secret}}&GiveEmailConsent=True

And change the GiveEmailConsent=False if you want to provide a link to withdraw consents.

BR Nicolai

 
Nicolai Pedersen

@Martin

The user app has it because you only have one checkbox for newsletter signup to map it to.

To use consents with forms, see the manual:

https://doc.dynamicweb.com/documentation-9/content/apps/forms-for-editors#7233

BR Nicolai

 
René Poulsen

@Nicolai, just to be sure - could I include all the code in a newsletter razor template? Or does the @Include("Consent.cshtml") and @RegisterConsent() have to be on a page on the website (in your case the page with ID 1302, which you link to in the link from the email)?

 
Nicolai Pedersen

Hi Rene

No, you cannot include it in the newsletter template. It has to be on the destination page.

It would be awesome though if I could execute razor code in i.e. Gmail that reports back to my server!

BR Nicolai

 
Nicolai Pedersen

PLEASE: NO MORE QUESTIONS ON THIS THREAD.

Just create a new one, thanks!

 
