[SOLVED] GDPR and phpList

Using phpList and I would like to comply with the European regulations on privacy (GDPR).

I can see that mailchimp seems to be adapting the ruleset, but I would like to continue using phpList. Any roadmap on this?

One thing that would be nice to have is the abillity to track a users consent. That is extract a given users privacy acceptance on a given time.

There are other things to comply to… but here I am just trying to throw the dice on this (very large) subject (-;

Regards, Lars.

Thanks for raising this Lars. I came here, rather later than you, because I was also trying to see how to meet the requirements of GDPR.
An earlier version of phpList had a feature where you could email everybody who had started the sign-up process but had not confirmed their subscription, giving them a link [CONFIRMATIONURL] to click and confirm. So it’s rather drastic, but I was thinking I could make every subscriber unconfirmed, then email them with a tailored message and that link, then they would confirm they still wanted to be a subscriber by clicking the link. However, this feature does not seem to be in the current release.


You are welcome… I am glad someone else than me cares about it… (-:

Well according to GDPR, you will need to document what the subscribers has been accepting (exact phrases) and when. So a simple checkpoint in the UI is not enough…

phpList needs to adapt to this in order to be valid for EU citizens…

Regards, Lars.

@Cornwell This plugin should do what you describe: https://resources.phplist.com/plugin/invite

@bonne A meta ticket tracking GDPR related issues is here: https://mantis.phplist.org/view.php?id=19032

Regarding storing explicit consent, it is already possible to achieve this using a mandatory attribute field on the subscribe page, using a workaround documented by @duncanc (see this thread).

It would be good to expand this into a specific kind of attribute however for mandatory subscribe page fields, and an issue outlining that is here: https://mantis.phplist.org/view.php?id=19033

For other aspects of GDPR compliance you can create mantis issue and set them as children of the meta issue linked above in order to track them. Others will be doing the same over the coming weeks.

Hi, I am a newbee here, and I am uncertain about the status of PHP List regarding GDPR.
I have read many comments, but is there a standard solution withing PHPList now available?

Look forward to hearing from you guys.

Can you provide an authoritative citation for this? There is a lot of confusion about what the GDPR requires (as I commented in another thread). I’ve been doing a lot of reading about it, including guidance from the European Commission, and I’ve never seen a reference to needing exact phrases until I saw this thread today.

@bonne You can edit the contents of the automated message which subscribers receive asking them to confirm their subscription. That message is a good place to state what their data will be used for.

Separately you can also customise your subscribe pages to both state data being collected and its purpose, and / or require a checkbox consenting to legal policies be ticked.

Using either of those mechanisms correctly can meet the criteria as it is commonly understood.

@justus GDPR is complex and far reaching. Some aspects are obvious and can be handled technically by phpList, and others are more to do with what policies you have as an administrator (or ‘Data Controller’). There is no simple yes or no answer to whether an application like phpList is compliant or not because it always depends how it is used. That being said, developers have been working for the last five months on making phpList’s technical operations “complaint by default”, and adding features that make it easy to take actions which make technical aspects of compliance easier. You can track those changes here via the Mantis ticket linked above.
No set of technical features will alone be sufficient for a multi-use-case application like phpList to be used in a GDPR-compliant way however. Ultimately it is the server administrator’s responsibility (the ‘Data Controller’) to handle data correctly, and to do that you must understand the requirements of the law and act appropriately. Suggestions for changes and (especially) pull requests introducing improvements are easy to contribute and very welcome. You can also make a targeted donation via PayPal if you wish.
If you want to be sure about your specific use-case, seek advice from a lawyer (which obviously I am not).