Make Social Login GDPR Compliant

While it is easy to add consent fields to Vanilla's generic registration form, I've no idea how to make Facebook and Google login GDPR compliant. The problem boils down to two issues:
1. How do I redirect back from Facebook/Google app to a consent form?
2. How to make a consent form in Vanilla that would include pre-fetched Facebook/Google registration details and consent buttons for the user to click and continue?
The consent form should appear after signing in to Facebook/Google to make sure it is filled by the real Facebook/Google user.
I hope somebody is willing to share.


  • Options

    you need to do the consent form before not after

    grep is your friend.

  • Options

    @x00 said:
    you need to do the consent form before not after

    I thought so initially, but have done a little research, which proves otherwise. Here is a quote from a WordPress plugin author:

    From a technical perspective, before we do the oauth authentication, we are unable to tell if the user already gave consent or not, so I think the consent screen should appear after the oauth authorization to prevent consent-nag at the login flow. (There is no way to know who is the user if she/he does not authorize at Facebook.)

    I have also looked at how others are doing this, and additional consents always come after Facebook/Google registration:

  • Options

    I would still do before. However, whichever method, you will have to force a redirect to a consent page for a foolproof method (rather than rely on JavaScript-based popups), conditional on whether consent was already given.

    I also suggest that you record the date consent was given, and provide a method where, if the terms change, they have to reconfirm against the updated terms on login.

    Implementation is very individual, rarely a one size fits all.

    I'm afraid this sort of legislation is not a walk in the park for site owners; for one, many site owners have no real idea what third-party services are doing with user data.

    grep is your friend.
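
A sketch of the server-side gate described in the post above, added here as an example; it is not Vanilla's code and not from anyone in this thread. The `ConsentStore` class, both function names, the `/consent` and `/` routes and the `TERMS_VERSION` value are hypothetical, and `$session` stands in for `$_SESSION`.

```php
<?php
declare(strict_types=1);
const TERMS_VERSION = '2018-05-25'; // constructed value; bump when the terms text changes

// Hypothetical in-memory store; a real site would use a database table.
final class ConsentStore
{
    private array $rows = [];
    public function record(string $userKey, string $version): void
    {
        $this->rows[$userKey] = ['version' => $version, 'given_at' => gmdate(DATE_ATOM)];
    }

    public function isCurrent(string $userKey, string $version): bool
    {
        return ($this->rows[$userKey]['version'] ?? null) === $version;
    }
}

// Run in the OAuth callback after the provider has verified the user.
// Returns the redirect target; the session is signed in only when consent
// to the current terms version is already on record.
function afterOAuthCallback(array $profile, array &$session, ConsentStore $store): string
{
    $userKey = $profile['provider'] . ':' . $profile['id'];
    if ($store->isCurrent($userKey, TERMS_VERSION)) {
        $session['user'] = $userKey;
        return '/';
    }
    $session['pending'] = $profile;               // shown pre-filled on the consent form
    $session['csrf'] = bin2hex(random_bytes(16)); // embedded in the form as a hidden field
    return '/consent';
}

// Handles the consent form POST and returns the redirect target.
function submitConsent(array $post, array &$session, ConsentStore $store): string
{
    $pending = $session['pending'] ?? null;
    $token = (string) ($session['csrf'] ?? '');
    $sent = is_string($post['csrf'] ?? null) ? $post['csrf'] : '';
    if ($pending === null || $token === '' || !hash_equals($token, $sent) || ($post['agree'] ?? '') !== 'yes') {
        return '/consent'; // no sign-in without an explicit "yes" from this session
    }
    $userKey = $pending['provider'] . ':' . $pending['id'];
    $store->record($userKey, TERMS_VERSION);
    unset($session['pending'], $session['csrf']);
    $session['user'] = $userKey;
    return '/';
}
```

Changing `TERMS_VERSION` makes `isCurrent()` return false for every stored record, so each user is sent back through `/consent` on their next social login.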

  • Options

    Only a site can be GDPR compliant. Not a framework or addon or third-party solution. They can make it easier, but they can't do it for you.

    grep is your friend.

  • Options

    Thanks @x00 for your comments. There is no way I can make my forum strictly GDPR compliant. How am I supposed to develop a feature-set like this:

    • Consent management
    • Privacy Preference management for Cookies with front-end preference UI & banner notifications
    • Privacy Policy page configurations with version control and re-consent management
    • Rights to erasure & deletion of website data with a double opt-in confirmation email
    • Re-assignment of user data on erasure requests & pseudonymization of user website data
    • Data Processor settings and publishing of contact information
    • Right to access data by admin dashboard with email look up and export
    • Right to access data by Data Subject with front-end requests button & double opt-in confirmation email
    • Right to portability & export of data by Admin or Data Subject in XML or JSON formats
    • Encrypted audit logs for the lifetime of Data Subject compliance activity
    • Data Subject Secret Token for two-factor decryption and recovery of data
    • Data breach notification logs and batch email notifications to Data Subjects
    • Telemetry Tracker for visualizing plugins and website data

    All I can do is offer some sham solution and hope for the best. If courts started to enforce legislation to the letter, probably most of European small business and independent sites would be washed out.

    Anyway, if somebody knows how to redirect from a Facebook / Google app to a complementary form like the one I pasted underneath, please come forward:

    "Year of birth" and "Country" are not required for my purposes — it is just an example form (this one from Irish Observer.
    Or another form following Facebook login (this one from, a Polish portal:
