LRA GDPR Concerns
LRA ( https://console.vanilladev.com/sites/view/overview/6030702/lra.vanillacommunities.com )’s legal team is wondering about the possibility of anonymizing IP addresses.
It looks like in their Privacy Policy they discuss blanking the last 4 digits of their IP address. In today’s call, they were very adamant about finding a way to not allow the IP addresses of their members to be fully visible. I reassured them that only their admins would actually see them, but they feel that anyone having full visibility makes them non-compliant, so they’ve requested more info from us.
Is this something we’re able to do for them in this type of instance? 
Let me know how you see best to proceed please and thanks
Comments
-
Admins have the ability to filter users by IP so even if we "mask" IPs they will still be able to find out what specific IP a user has if they really want to.
Just something to keep in mind.
1 -
This is directly tied to the PersonalInfo permission, which they can revoke from all roles. In that case, only the owner account would have access to that data. Keep in mind anyone with Settings.Manage could restore that permission, however.
Doing something like obscuring the last octet of the IP address I don't like, because it makes the data basically useless and doesn't apply to IPv6 addresses. It could be removed from the theme entirely as a services customization if the permission solution doesn't work for them, but I'd push them towards that.
In the future, I'd be amenable to looking into letting Vanilla disable IP collection entirely, but it's baked in at a fairly deep level right now so that's not a short-term thing we can do.
For the record, we do not believe selectively allowing moderators to view IP addresses for the purposes of moderation is a GDPR violation, either.
0
