Opened 4 years ago

Last modified 3 years ago

#7867 new defect (bug)

Privacy: Default email notification preferences

Reported by: boonebgorges
Owned by:
Milestone: Awaiting Contributions
Priority: normal
Severity: normal
Version:
Component: Core
Keywords: 2nd-opinion needs-patch


Parent ticket: #7698

By default, a user's email notification preferences - "email me if I get a private message", etc - are set to 'On'. This could run afoul of various GDPR provisions, including the "informed and unambiguous consent" item.

At a minimum, language about default email notification preferences should be added to the suggested Privacy Policy text. #7855

We could change the behavior so that these preferences are turned off by default. However, I think this would be highly disruptive for the vast majority of communities. So any such change would have to be accompanied by a new workflow for forcing these preferences to be set: either at registration, or a persistent nudge after registration is complete.

Thoughts and ideas would be welcome here.

Change History (3)

#1 @DJPaul
3 years ago

I believe it's better to opt-in rather than opt-out. I think we should have a user opt-in to emails (belonging to active components). If another component is activated, then users should not be automatically subscribed to the new emails, either.

I'm currently leaning towards turning off email notifications by default. As alluded to in #7866, I like the idea of a checkbox for "I've read the privacy policy" -- so if a BP site wanted to opt users in to emails by default, they'd be able to filter those back on, and that checkbox will get the user's consent.

#2 @boonebgorges
3 years ago

@DJPaul Thanks very much for the thoughts. I'm philosophically sympathetic to the idea that the preferences ought to be opt-in. That being said, I'm unsure whether we're required to make this change as part of GDPR and other regulations, as notification emails are structurally different ("transactional") from marketing emails.

In any case, I feel very strongly that turning email notifications off by default is liable to have a very bad effect on organizations that use BuddyPress for internal communication (as opposed to more open, social-networky uses). We should not make this change without introducing some other built-in mechanism for sites to prompt for users to opt in. Some ideas:

  1. Introduce these preferences into the registration process
  2. Show a (persistent but dismissable?) notice to new users that they should visit their preferences
  3. Redirect users to their Settings page on the first login

#3 @boonebgorges
3 years ago

  • Milestone changed from 4.0 to Awaiting Contributions

I want to address this but it's too large a task for this release.