elkarte / Elkarte

ElkArte Forum. A free, open source, modern discussion forum / BB
https://elkarte.github.io/Elkarte/
BSD 3-Clause "New" or "Revised" License

Birthdate on signup #2395

Open Vekseid opened 8 years ago

Vekseid commented 8 years ago

Yeah I know, maybe a bit niche, but it's required for more than just sites like mine. : /

Spuds commented 8 years ago

I know you are right in the middle of this code, but can't you do that with a required on registration custom profile field?

Vekseid commented 8 years ago

Not what legally needs to be done - block people under 13/17/18 from registering.

Spuds commented 8 years ago

So more flexibility than what you can get from the age restriction setting? That does allow you to reject or require a guardian approval .. of course that is just to protect you not prevent anything as you have no real way of knowing.

Vekseid commented 8 years ago

What tends to happen is, user signs up, clicks the "I am over 13/18" button.

Later, they fill out their birthday with their real age.

If not on signup, the software should react to this, without manual searching or a script.

emanuele45 commented 8 years ago

What would require to show? At the moment I don't remember the registration code so well.

As far as I remember, the custom profile fields are not yet flexible enough to accommodate the birthdate, so this is not an option. It should be a "special case".

Vekseid commented 8 years ago

Not sure I get your question there?

Birthdate is in general a very important field and should never be moved to the generic/custom list, even after we move website and custom title over.

emanuele45 commented 8 years ago

On the "very important" I have some doubts; for one, I personally have never set up a forum where age was requested, let alone the birthdate. And when I'm asked my birthdate on any website (unless it is something "official") I usually pick the 1st of January of a random year from 1930 to (year() - 18), and I feel I'm not the only one (but that being just how I react to a birthdate field, it's not really that relevant).

Anyway, I still feel custom fields are the way to go for most of the "stuff" in the members table, including the birthdate: giving more flexibility to custom fields would make it much easier to expand them and use them for many kinds of things, not just the usual link to facebook or github. IMO, and of course it's very likely I'm wrong. nods :smile_cat:

Vekseid commented 8 years ago

You're not from a country where COPPA is law, though >_>

emanuele45 commented 8 years ago

Vekseid wrote on 16/04/16 00:54:

> You're not from a country where COPPA is law, though >_>

I guess so, we have just an idiotic one about cookies that nobody really understands. xD

Frenzie commented 8 years ago

Succinctly, functional cookies are fine while tracking cookies require consent. Roughly (but of course imperfectly) analogous to the first party/third party distinction better browsers have made for decades. I think any confusion stems wholly from people purposefully misunderstanding because they just love to hate on the EU or from being misinformed by the former crowd. Luckily there are also opponents who don't misinform, but argue that the real problem is that it's putting the onus in the wrong place, i.e. on (small) websites instead of on (large) ad networks. I'm inclined to agree with them.

/rant

Um, right, the topic. It's probably not exactly related, but it annoys me (and not just me) that you can't just fill out a year. Which, incidentally, it seems to me that if a year is unequivocally over 13/17/18 it shouldn't matter for that COPPA thing either?

Vekseid commented 8 years ago

A common recommendation is to ask for year and month. Some jurisdictions require you be over 21. There's all sorts of ranges from 13 to 25 that can matter in odd cases.

That said, I hate DATETIME. Timestamps all the way. To go a different direction, astrologers are also interested in hour of birth. Not that I care for that at all, personally, but to each their own.

emanuele45 commented 8 years ago

Frans de Jonge wrote on 16/04/16 10:59:

> Succinctly, functional cookies are fine while tracking cookies require consent. Roughly (but of course imperfectly) analogous to the first party/third party distinction better browsers have made for decades. I think any confusion stems wholly from people purposefully misunderstanding because they just love to hate on the EU or from being misinformed by the former crowd. Luckily there are also opponents who don't misinform, but argue that the real problem is that it's putting the onus in the wrong place, i.e. on (small) websites instead of on (large) ad networks. I'm inclined to agree with them.

I'm not one that would trust the judgement of the first post on the internet. I read the EU directive, I read the Italian law and I understand the idea behind the EU directive, but the Italian implementation is utterly foggy and not clear at all (and I'm not an EU hater, on the contrary). It is not clear at all if 1st party cookies are really allowed or you have to gain consent for them as well. By the wording it seems you have to gain consent in any case (tracking or technical) before setting any cookie, but on the other hand, even just "read" a notice that the site uses cookies seems to be enough to be considered "informed consent".

It's a complete and confused mess...

Frenzie commented 8 years ago

Well, of course one shouldn't. =D Luckily the Internet makes it easy to link to the original documents, which is why I think it's so obnoxious if an Internet news item about some research paper doesn't link to the original paper — in my defense, I just wrote a quick offhand comment, not an article. ;) The specifics for exempt cookies are laid out here unless there's been an update I'm not aware of. They're things like user input (preference for a style or language, shopping cart stuff, authentication) and in principle even cookies for junk like Facebook provided the user is logged in there (i.e. not Facebook tracking users who aren't logged in to Facebook).

Also of interest is the definition of third party, which just like many things about the whole directive is quite sensible:

> In the context of European data protection, the Directive 95/46/EC defines a third party as “any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.” A “third party cookie” would thus refer to a cookie set by a data controller that is distinct from the one that operates the website visited by the user (as defined by the current URL displayed in the address bar of the browser).

Obviously I can't speak for the Italian implementation, but this whole exemption stuff is reasonably cut and dry. Essential, functional cookies (e.g. for logging in) are exempt. Harmless cookies may be harder to classify but most recommend to err on the side of caution. Anything intrusive (from fairly harmless analytics to anything worse) definitely is not. What I get riled up about, and I don't know how it is in Italy, is that around here it's often presented as if you need consent to set a cookie for something like having voted in a poll, even though that is obvious nonsense (or should be, cf. confused Italian implementation).

But I apologize for derailing the thread. I'm basically on board with everything @Vekseid said. ;)