is Notepad++ compliant with GDPR

Matthieu gabrielli

Hi,

when registering, I was forced to consent to 2 conditions (data processing, receive emails)

This is very annoying, I had to create a fake google account just to be able to register here.

I’m not OK about these consents, and being in Europe, GDPR should protect me and this site should not force me to these consents.
2 years when we implement GDPR requirements for our websites, our lawyer cleary said we cannot force people registering on our website to accept emails or to force people to register with a social media account, due to privacy concerns.

I wonder if Notepad++ even care about GDPR

PeterJones

@Matthieu-gabrielli ,

You registered for the forum, not for Notepad++. Notepad++ does not require registration. There is no requirement that you register a forum account to use Notepad++.

If you would like to make use of the forum, then you have to use an OAuth provider for your security. If you don’t like their terms, don’t sign up for one, and don’t use the forum. In my 4+ years on the forum, I have received 0 email messages from the forum. The only “personal information” that it gathered from whatever you put in your OAuth-provider account was your user name and enough to fill out your profile; you can then edit any piece of information in that profile that you want.

If you don’t like those restrictions, then don’t use the forum.

Luke Parkes-Haskell

This post is a little old, but I have to complain about the same thing;

If you don’t like those restrictions, then don’t use the forum.

Requiring a user to sign up to a mailing list in order to access a support forum is not GDPR compliant; it’s one thing to ask a user to create an account to authorise them, but making it mandatory to sign up for a mailing list is a clear-cut violation of the GDPR, even if that mailing list isn’t particularly active.

Alan Kilborn

@Luke-Parkes-Haskell

To one point: I don’t think you’ll ever be sent an email from this.

PeterJones

@Luke-Parkes-Haskell said in is Notepad++ compliant with GDPR:

Requiring a user to sign up to a mailing list in order to access a support forum

There are two factual errors in that statement alone.

1. You are not signing up for a mailing list; you are signing up for a forum. The forum software does not currently email anyone (much to some users’ chagrin – see this summary post linking to multiple such complaints). If this feature of the forum is ever enabled (it is not, currently), there are user settings (click on your icon, select settings, and go to the notifications and sounds settings) which can turn off all email notifications. Emailing the user is currently disabled, and is 100% user-configurable if it is ever enabled, so you can opt out of receiving the emails (that currently are never sent).

2. This is not a support forum. This is, as it’s specifically named, the Notepad++ Community Forum. It is a forum for the community (any Notepad++ users who choose to read and answer this forum) to use to discuss the product; in the midst of that discussion, we do help each other with questions and problems and problem solving, but this is not “ask official support and we guarantee you a response from some official support person”: there are no official support people employed by Don or some mythical Notepad++ Company; Notepad++ is a completely volunteer product, including participation in this forum.

Luke Parkes-Haskell

@PeterJones They’re not factual errors, unless you’re being maliciously pedantic.

That I need an account to access the forums isn’t the issue, this is expected, it’s ‘necessary’ for it to be the case. The software however explicitly asks to process and store your details for use in a mailing list - it doesn’t matter if there is no such list, nor does it matter that the e-mail feature is disabled. The existence of that checkbox, which is mandatory to access these forums, is not GDPR compliant.

That this isn’t an ‘official support forum’ is also totally irrelevant; it’s the ‘official’ community attached directly to the main project’s website, and is where you’re directed if you’re looking for support through the main website.

As far as I can tell, that summary post is completely unrelated to the complaint brought up here.

Ekopalypse

@Luke-Parkes-Haskell said in is Notepad++ compliant with GDPR:

The software however explicitly asks to process and store your details for use in a mailing list

Curious, where does it say that? When I log in with my github account, I can’t see such an indication.

Alan Kilborn

@Ekopalypse said in is Notepad++ compliant with GDPR:

Curious, where does it say that? When I log in with my github account, I can’t see such an indication.

Probably when you are about to create an account for the first time?

Others:

So (probably) Notepad++ makes no claim anywhere to be GDPR compliant.

And (probably) GDPR is a suggestion, not a law.
If it is a law (in your part of the world), perhaps said part of the world should block access to the site?

Otherwise, just like you have a choice to use the free Notepad++ software, you have a choice to not use this Community site.
Choose wisely. :-)

Ekopalypse

@Alan-Kilborn said in is Notepad++ compliant with GDPR:

Probably when you are about to create an account for the first time?

But you don’t create an account on npp community.
I thought you can only use those 4 predefined OAuth solutions.
Facebook, Google, github and I forgot the 4th one.

And (probably) GDPR is a suggestion, not a law.

Oh no, GDPR is NOT a suggestion.

I’m not a laywer but those predefined OAuth solutions are used by
hundreds or thousands or even more other sites for doing authentication so I assume that GDPR regulators should have already know that.

Alan Kilborn

@Ekopalypse said in is Notepad++ compliant with GDPR:

But you don’t create an account on npp community.

I suppose I meant on first login to Community, not “create” account. :-)
It has been a while since I’ve thought of this.

predefined OAuth solutions are used by

hundreds or thousands or even more other sites for doing authentication so I assume that GDPR regulators should have already know that.

So the inference is that there is no problem with how Community site does what it does. Except maybe using the phrase “mailing list” which maybe is an outdated vestige of how things were done in the past?

Ekopalypse

@Alan-Kilborn

As said, not a lawyer … but it would surprise me if this kind of login procedure
hadn’t already been discussed by the regulators … but who knows.

Ekopalypse

So still not a lawyer - just failed the test I did 10 minutes ago :-D

I found this from here.

Q: My community forum uses Facebook Connect to authenticate members, does that create a privacy risk?

A: Facebook has been in the news recently for its handling of user data.
Facebook and other social media logins can make it easy for people to
register to a community. When someone registers for  your community
forum using Facebook, they are allowing Facebook to send over
information about your new member and presumably Facebook is
logging that transaction. From a compliance point of view, we would
think that this is two separate actions and that you as the community
manager are not responsible for someone’s use of Facebook to log in. 
If you offer social logins, we would recommend that you also offer a 
registration form as well to give people the option.

guy038

Hi, @ekopalypse,

The article "Answers to Common Questions About GDPR & Community Forums", that you mentioned in your last post, is really informative.

Thanks you for sharing it with us !

BR

guy038

Ekopalypse

@guy038
my pleasure :-)

plutoisaplanet

@Luke-Parkes-Haskell said in is Notepad++ compliant with GDPR:

@PeterJones They’re not factual errors, unless you’re being maliciously pedantic.

That I need an account to access the forums isn’t the issue, this is expected, it’s ‘necessary’ for it to be the case. The software however explicitly asks to process and store your details for use in a mailing list - it doesn’t matter if there is no such list, nor does it matter that the e-mail feature is disabled. The existence of that checkbox, which is mandatory to access these forums, is not GDPR compliant.

That this isn’t an ‘official support forum’ is also totally irrelevant; it’s the ‘official’ community attached directly to the main project’s website, and is where you’re directed if you’re looking for support through the main website.

As far as I can tell, that summary post is completely unrelated to the complaint brought up here.

Here is a screenshot of the signup page where you create an account for these forums:

So yes,you’re completely right.

1. This page says that you are registering and/or creating an account. It uses both terms.
2. It explicitly requires you to opt into emails as part of signing up. It informs you that it will default to sending you weekly emails, and on the settings page it appears to show the same setting by default:
   

So one or more things should probably change. For those who are concerned about sharing your email, I was too because all the OAuth providers used to sign up use my private email which I did not want to be shared. However when choosing GitHub, even though it says that it will share all your private emails, the forum software defaults to using your [username]@users.noreply.github.com email account. This I’m happy with, and then I changed my username after the fact.