scambra / devise_invitable

An invitation strategy for devise
MIT License
2.66k stars 553 forks

General Data Protection Regulation #777

Open nikolai-b opened 5 years ago

nikolai-b commented 5 years ago

Devise invitable asks one user to invite another (the invitee). Given the invitee hasn't consented to giving their email (or name), I wondered if you or anyone else has an opinion on whether storing the user's email is in breach of the General Data Protection Regulation (GDPR) on the use of Personal Data. If yes (or even maybe), then it might make sense to add something to the Readme warning others about this.

scambra commented 5 years ago

I think the email shouldn't be saved, as the invitee hasn't consented, so probably the email may be used to send the invitation but it should be cleared from the db once the email is sent. Then, accept invitation should ask for the email again, or the email could be added to the accept invitation link, so the user can accept without entering the email again.

Probably, it would be better done by saving the data into a new invitations table, as requested in #228.

Willardgmoore commented 5 years ago

I like the idea of having the email be a parameter in the invitation link. It would allow you to delete it from the database. I think with GDPR, having a separate table is going to help people feel more comfortable with it. Personally I would just create a cron job for deleting emails. I haven't read anything that says how long you can store it for. I plan to store the invitation email for a while so I can send out follow-ups automatically in the event that they haven't responded in a week. I still plan to delete the email after a month, which sounds like it would still be complying with the "rule".
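
The two proposals above (scambra's: use the address only to send, clear it from the row, and carry it in the accept link; Willardgmoore's: retain it for follow-ups and purge on a schedule) can be shown together in plain Ruby. This is an added illustration, not devise_invitable's own code, and it assumes a hypothetical `InvitationStore` in place of ActiveRecord, a hypothetical `SECRET`, and a hypothetical `/users/invitation/accept` route. The one thing the thread does not mention that a practitioner should insist on is that the email in the link be signed together with the token, so that whoever holds the link cannot accept with an address that was never invited.

```ruby
require "securerandom"
require "digest"
require "openssl"
require "uri"

# Hypothetical signing secret; a real app loads this from credentials, never a literal.
SECRET = "example-secret-do-not-use".freeze

# One invitations row. Only a SHA-256 digest of the raw token is kept, so a copy of
# the table does not yield working accept links. email is nil unless the app chooses
# to retain it for follow-ups, and then only until purge_emails runs.
Invitation = Struct.new(:id, :token_digest, :email, :invited_at, :accepted_at, keyword_init: true)

def token_digest(raw_token)
  Digest::SHA256.hexdigest(raw_token)
end

# HMAC over token and email binds the address in the link to this invitation, so the
# recipient cannot accept under a different address than the one that was invited.
def link_signature(raw_token, email)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{raw_token}\n#{email}")
end

# Constant-time comparison, so a failed check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class InvitationStore
  attr_reader :rows

  def initialize
    @rows = []
    @next_id = 1
  end

  # Returns [row, raw_token]. The address is used to send the message and, unless
  # keep_email is true, is never written to the row at all.
  def invite(email, now: Time.now, keep_email: false)
    raw = SecureRandom.urlsafe_base64(32)
    row = Invitation.new(id: @next_id, token_digest: token_digest(raw),
                         email: keep_email ? email : nil,
                         invited_at: now, accepted_at: nil)
    @next_id += 1
    @rows << row
    [row, raw]
  end

  # The accept link carries token, email and signature, so the invitee does not have
  # to type the address again and the server does not have to have stored it.
  def accept_url(base, raw_token, email)
    q = URI.encode_www_form(invitation_token: raw_token, email: email,
                            sig: link_signature(raw_token, email))
    "#{base}/users/invitation/accept?#{q}"
  end

  # Parses an accept link, checks the signature before touching the database, then
  # stores the email only now that the invitee has acted. Returns the row or nil.
  def accept(url, now: Time.now)
    params = URI.decode_www_form(URI(url).query.to_s).to_h
    raw, email, sig = params.values_at("invitation_token", "email", "sig")
    return nil if raw.nil? || email.nil? || sig.nil?
    return nil unless secure_compare(sig, link_signature(raw, email))
    d = token_digest(raw)
    row = @rows.find { |r| r.token_digest == d && r.accepted_at.nil? }
    return nil unless row
    row.email = email
    row.accepted_at = now
    row
  end

  # Retention job (the cron job from the thread): clear retained emails on invitations
  # still pending after the window. Returns the number of rows cleared.
  def purge_emails(older_than:, now: Time.now)
    stale = @rows.select { |r| r.email && r.accepted_at.nil? && r.invited_at < now - older_than }
    stale.each { |r| r.email = nil }
    stale.size
  end
end
```

With `keep_email: false` the address exists only in the outgoing mail and in the link the invitee holds; with `keep_email: true` it lives in the row until the retention window passes or the invitation is accepted, which is the trade-off the thread is discussing.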

nikolai-b commented 5 years ago

@Willardgmoore I'm far from an expert, but I think if the user hasn't consented to their email being stored (which, given someone else is inviting them, is almost certainly the case) then it would be breaking GDPR.

Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing.