
social login and GDPR – my opinion after GDPR update release

    #59546

    manciaz
    Participant

    Hi there,
    as my previous topic ( https://xtemos.com/forums/topic/social-login-and-gdpr/ ) seems to be closed I start a new one.
    I looked into the last Woodmart upgrade looking for GDPR compliance solutions and I’m not satisfied: the social login module of your theme has been ignored. Am I right?
    Generally speaking you say that GDPR is a WP and WC problem and doesn’t invest directly Woodmart code. True, but I think it is not true for the social login module of Woodmart. That module in fact – even if considered as a “login” module – creates new users in db, grabbing their emails and writing them in DB. You can’t do it without users’ consent, according to GDPR. How to take that consent? There are many ways (just google “social login gdpr” and you’ll find some stuff). For sure your module doesn’t provide any solution. As is, out of the box, I believe Woodmart social login is not GDPR compliant and needs customization to add consent management. It is not a coincidence that the most used/famous WP social login plugin added in the last release (the GDPR compliance release) a specific consent checkbox to the social login button.
    This is my opinion, I’m not a lawyer and maybe I’m wrong. Anyway, in doubt, I’ve disabled woodmart social login option and started using a specific social login plugin.

    Thank you

    #59547

    Artem Temos
    Keymaster

    Hi,

    creates new users in db, grabbing their emails and writing them in DB
    All this job is handled by WooCommerce and WordPress. In fact, all our module does is get the email from Facebook (it is the same as the user entering this email into the WooCommerce field) and forward this data to the WooCommerce login/register functionality. So our theme DOESN’T store any private data. It is just the same WooCommerce login but it takes data not from the user’s input but from their Facebook profile. So it is one and the same functionality. Again, there is no custom functionality from our theme side that may violate GDPR law.

    Regards

    #59548

    manciaz
    Participant

    Hi,
    thank you for your reply.
    I understand that Woodmart simply “passes” data to WC, but the problem is still there. I think – I read a lot about it in the last weeks – that a site that uses your social login as is, without asking consent to write personal data in DB, is violating GDPR. So, the real question is: who must do the job to add a consent? You say: not us, you have to code it by yourself or ask WC or I don’t know. Ok, this is an answer and I respect it. Maybe you should add a warning in the theme’s docs about it. Woodmart is such an accurate theme and you have such good support that I’m a little surprised that adding a simple checkbox option to social login could be a problem.
    Best regards

    #59553

    Artem Temos
    Keymaster

    Thank you for your opinion.
    But if the social login is turned off, users are still able to register and the personal data is still stored in your DB. So our question now is what is the difference? The plugin’s functionality stores users’ data no matter if our social function is enabled or disabled.

    WooCommerce added a text warning about this fact to their registration page. So logically, it is applied to our social login as well. Did you add this message to your website?

    #59566

    manciaz
    Participant

    The position and the validation?
    If I’m not wrong your social login is implemented in the LOGIN part, that is outside every GDPR WC and WP updates, and not in the registration part. But it does – or better, it allows to do – something more than simply loggin’ in. Super Socializer plugin (that wisely added in the last release the specific consent checkbox to the social login button, even if their plugin does not store any private data, but it simply makes possible to obtain them), puts the social login button in the REGISTER part. But maybe there were problems with WC VALIDATION and they created a specific validation checkbox: no checkbox flagged? -> No social login allowed. Wow.
    And they have a smart option: you can force that only already registered users can login with social profiles.
    I know, your theme does a lot of stuff and does it in an excellent way. SSocializer plugin does only that thing (or few) and it’s easier to go deeper ( I suggest to have a look at this page http://support.heateor.com/gdpr-and-our-plugins/ ).

    Moreover, your message: “Your personal data will be used to support your experience throughout this website, to manage access to your account, and for other purposes described in our…”. IMHO, if it is absolutely forbidden by GDPR to use checkbox already checked – a simple warning message is like a pre-checked checkbox? Maybe could – and GDPR requires explicit consents and to track the given consents, I can’t really understand the utility of your registration addon message.

    “So logically, it is applied to our social login as well”. I distrust logic when law is in battlefield. And technically the WC checkboxes do not validate your social login button.

    Everybody accepts varying degrees of risk and maybe I’m absolutely wrong. In doubt, I disable your social login and enable a different one. Everybody happy. 🙂

    Thank you for your attention,
    regards

    #59568

    Artem Temos
    Keymaster

    So do you mean that if WooCommerce doesn’t have a checkbox but simply puts a message that they store your data they are not GDPR compliant? If you are not using any extra plugins and themes except WooCommerce it will not be compliant with this law?

    #59571

    manciaz
    Participant

    So do you mean that if WooCommerce doesn’t have a checkbox but simply puts a message that they store your data they are not GDPR compliant?
    You say it is enough? I don’t know.
    “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
    How can you demonstrate that a guy read your message if there is not a validation?
    A checkbox is required now for every email form, do you think it is not required for a registration form where users put more personal data?
    The law is clear
    https://gdpr-info.eu/art-6-gdpr/
    https://gdpr-info.eu/art-7-gdpr/
    A good guide
    https://businessbloomer.com/how-to-make-a-woocommerce-website-gdpr-compliant-12-steps/

    If you are not using any extra plugins and themes except WooCommerce it will not be compliant with this law?
    I don’t know, can you demonstrate that the data subject has consented to processing of his or her personal data?
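
Added example, not part of any post in this thread and not code from WoodMart, WooCommerce or Super Socializer: a minimal Python model of the server-side gate described above (no ticked checkbox, no account creation; optional restriction of social login to already registered users) that also keeps a record of each consent given. All names, the consent wording and the in-memory store are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed wording; a real site would use its own reviewed consent text.
CONSENT_TEXT = "I agree that my e-mail address from the social provider is used to create an account."

@dataclass
class Site:
    users: set = field(default_factory=set)        # e-mails of existing accounts
    consents: list = field(default_factory=list)   # append-only consent log
    registered_only: bool = False                  # social login for registered users only

def handle_social_callback(site, email, provider, consent_checked):
    """Decide what a social-login callback may do. Returns (outcome, reason)."""
    email = email.strip().lower()
    if email in site.users:
        return ("login", "existing account, nothing new is stored")
    if site.registered_only:
        return ("rejected", "social login limited to registered users")
    # Server-side validation: only an explicit True counts. A missing field,
    # None, or an unparsed string such as "on" never creates an account.
    if consent_checked is not True:
        return ("rejected", "consent checkbox not ticked")
    # Write the evidence first, then the account, so no user row exists
    # without a matching consent record.
    site.consents.append({
        "email": email,
        "provider": provider,
        "text_sha256": hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
        "given_at": datetime.now(timezone.utc).isoformat(),
    })
    site.users.add(email)
    return ("registered", "account created with recorded consent")

def demo():
    site = Site(users={"alice@example.test"})      # constructed sample data
    results = [
        handle_social_callback(site, "Alice@example.test", "facebook", False)[0],
        handle_social_callback(site, "bob@example.test", "facebook", False)[0],
        handle_social_callback(site, "bob@example.test", "facebook", True)[0],
    ]
    site.registered_only = True
    results.append(handle_social_callback(site, "carol@example.test", "facebook", True)[0])
    return results, site

if __name__ == "__main__":
    print(demo()[0])
```

Storing the hash of the exact consent wording with a timestamp lets the site later show which text a given user agreed to, even after the wording changes.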

    #59573

    Artem Temos
    Keymaster

    That is why we are confused as well. We were waiting for the WooCommerce update since they have to add some checkbox to their registration form. But maybe they will do this in their future updates. Anyway, we will still listen to our customers’ feedback and see what WooCommerce developers will do. If we have to add this checkbox from our side, we will definitely do this.

    Thank you for your time.
    Kind Regards

    #59577

    manciaz
    Participant

    Ok, I understand.
    I hope in that case you will adopt a kind of “super socializer” solution for your theme. It is the only one that fits your theme’s accuracy and quality.

    Have a nice day.
    G

    #59584

    Artem Temos
    Keymaster

    Thank you! Have a nice day too.
