Update XenForo 1.5.21 & GDPR Compliance

Not open for further replies.


Il Capitano
Sep 29, 2017
United States of America
We have upgraded to the latest version of XenForo (1.5.21) and it entails numerous updates.

A summary of the changes in this release is as follows:
  • Ensure the server side validates the privacy policy/terms and rules acceptance form
  • Ensure certain fields output in the data portability exports are escaped
  • Some small phrase adjustments
  • Attempt to ensure the new cookie notice does not hide the footer links
  • Ensure data portability features are only available to admins with the "Manage users" permission
  • If the geoLocationUrl option is empty, no longer attempt to link a user's location
  • If a user's location is linked, ensure that noreferrer and nofollow values are set
  • Implement the ability to add an unsubscribe link to admin sent emails
  • Fix issues with selecting the new bottom fixer notice type
  • Fix for invalid CSS
  • Fix broken register_twitter template

Per a request from XenForo and Google AdSense, we are going to provide an update on our compliance with GDPR Privacy regulations from the European Union. This directly affects citizens AND/OR residents of the European Union.

Right of Erasure
ICO said:
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
With this update we will be able, by request, to delete and erase users and their posts. Under this new regulation, deleted users will have their names erased and replaced by a pseudonym, by request.

Right to data portability
ICO said:
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
Per the EU's GDPR regulation, we will be required to give an XML file containing machine readable data about the user. The file will include conversations, posts, messages, and other pieces of data. This is so that users will be allowed to move between competitors, without needing to restart.

Right to be informed
ICO said:
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
We are now able to update our Privacy and Terms. This is more so for allowing sites to better tell their users what their terms are.

ICO said:
  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Keep evidence of consent – who, when, how, and what you told people.
This is an assurance, and supplements the "Right to be informed" part of the regulation.

ICO said:
The rules on cookies are in regulation 6. The basic rule is that you must:
  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.
A cookie consent regulation, that is quite obviously there. All users may get an alert or they might see a banner that is implemented. It may or may not already be there.

- PWF Staff