coralproject / talk

A better commenting experience from Vox Media
https://coralproject.net

GDPR - actively clean up rejected comments older than 1 year #4453

Closed ideallical closed 10 months ago

ideallical commented 11 months ago

Search Terms

GDPR, remove, delete comments, clean

Suggestion

I'd like to have a GraphQL mutation exposed that cleans up all rejected comments that were created more than 1 year ago.

Use Cases

To be GDPR compliant we have to clean up rejected comments of users that are posted > 1 year ago. The percentage of comments that are rejected will be influenced by this, as now less of the total comments of a user are rejected.

Is this something that is on the roadmap? Or perhaps something that is already possible?

losowsky commented 11 months ago

Hi there,

Thanks for the suggestion! Can you clarify what you mean by "To be GDPR compliant we have to cleanup rejected comments of users that are posted > 1 year ago."?

(I'm assuming you're using the GDPR API endpoints/features already in our code: https://docs.coralproject.net/gdpr )

Thanks!

ideallical commented 11 months ago

Yes, we're already using the suggested GDPR API endpoints. This is for when a user decides to act on his right to be forgotten or his right of access. However, the project I work for also requires us to actively clean up private data of inactive users. In our case that would be to remove rejected comments that are older than 1 year. I'm not entirely sure if it's a European law or just our company policy.

losowsky commented 11 months ago

Got it. As far as we're aware, there's no European law that says you have to remove old rejected comments, and so that's not a feature we're looking to build (let us know if you know differently). It might be the other way around – rejected comments still belong to commenters, so should be included in any GDPR data request as they may contain something broadly included under "personal data". Maybe the situation is that your company doesn't want to deliver older comments to users, so is proposing deleting them so they can't be sent?

We do some archiving to improve performance on our larger SaaS clusters but this sounds like it's something different from that, as we still include archived comments in any GDPR data request output.

If your goal is to clean up inactive users to reduce the size of your DB, I'd suggest simply deleting them. (And if the problem is that many are spammers, GDPR doesn't apply to non-persons.)

Coral will struggle to adjust if you remove individual comments from the DB, so you could replace the comment body with "[comment removed]" or similar.

Does that help?

losowsky commented 10 months ago

Since this isn't a GDPR requirement, I'm going to close this ticket.