GDPR Requests: Deleting usernames and @mentions
I've gotten a request from an Enterprise client to mass remove @mentions of specific usernames. These requests are being submitted as "GDPR Requests to be forgotten"
Currently, there's no way to remove @mentions, other than to manually edit each discussion or comment that may might find in Search.
What is our stance on this? Are @mentions PII info that need to be deleted? Is this something we need to address?
The customer has been handling these requests manually for a few months, they've just reached out to see if there was a better way.
Thoughts?
Comments
-
As Lincoln explained in Team Awesome - usernames are not considered PII information and @mentions do not need to be removed.
0 -
I've read that anything that can be used to identify someone is PII. So a username, if it is a person's real name or if it can be combined with other information to identify someone, could be considered PII.
I agree that for Vanilla, in most cases, a username won't be PII.
Also, there are a few exceptions to the right to erasure. One of them is that erasure can be denied if it's in the public interest. That exception might be applicable to some Vanilla customers but I don't think customer forums was what they had in mind when they created that exception.
0 -
if I were to mention a user, I wouldn’t not expect my post to retroactively censored. It’s my speech not theirs.
0 -
The concern here is mainly that the end user created a username using their first and last names so they feel it's PII info to have their names mentioned by others.
0 -
Once again you'd really have to take a look at the law here, but how can it be within one user's rights to force the deletion of another user's post content?
0 -
FYI, there's another Alexandre Chouinard that applied to work at vanilla so even full name alone is a questionable PII. You'd need date of birth or email or something else.
0 -
Personally I would not frequent a forum that would strip out content like that.
- How far does it extend?
- If I quote someone, and they request to have it deleted do you delete all quoted parts of my post?
- Do you block people from mentioning that username again?
From a business point of view if a client or clients want this feature whether or not it's legally required its worth considering. It's a potentially very computationally expensive operation though to parse every comment/discussion for some/quote mention of a user, then update all of them.
This would 100% require sphinx and message queue to be active I think, particularly for larger sites. I'm imagining a case of a particularly active user, mentioned thousands of times having this occur. It would be a pretty long running operation.
1