Is OJS GDPR compliant?

Oh that’s great, thanks for pointing that out - works for me!

great, @jmacgreg the point @mickbale raised here should probably be mentioned in the GDPR guide as well. I think this is something that works in OJS2, OJS3 and OMP. (there is some mixed information whether double opt-in is actually required by GDPR, but it is at least regarded as a good practice)

Yeah, I believe that they don’t consider accepting terms via just a checkbox good enough proof that an individual gave consent as anyone can put someone’s email address in to sign up for something. But validating an email for example is sufficient to show that they are who they say they are, to have had access to that email account.

Yes, I think the discussions regarding the topic have been revolving around the fact that GDPR does not mention double opt-in (Double opt-in: the GDPR myth) but on the other hand “You have to have this double opt-in process because the GDPR states that you must have a proven record that the data subject you contact has given you permission to contact them via their details.” https://www.communigator.co.uk/blog/common-questions-around-gdpr-answered/. So yes, definitely something worth adding to the guide. In the end the admins make the decisions what features they enable in their site…

Hi all,

Thanks for the question @mickbale, and for the response @ajnyga! Good catch. I’ll make sure this is added to the next version of the document, which I’ll aim to post early next week. (I want to see if any other immediate issues pop up.)

Thanks!
James

Since the Custom Header Plugin is not multilanguage how would I manage to display an English cookie consent on our English site while displaying a German cookie consent on our German site?

Thanks in advance!

This is a cookie notification plugin I did for OJS3.1: GitHub - ajnyga/cookiesNotification: Cookies notification plugin for OJS3.1+

Disclaimer:

  • I have not tested it much
  • It is not GDPR compliant, because it allows cookies to be created before consent
  • It is very simple, you need to add new locale files to support other languages, but that should not be too hard.

Just download, rename the folder to “cookiesNotification”, upload to generic/plugins and activate. Feel free to make changes. I made this for our site, but will not probably use it myself.


Same problem with the plugin for OJS 2: it does not prevent OJS from creating a cookie, it just alerts about it. So I guess it is - just like the plugin by ajnyga for OJS3.1 - not GDPR compliant either, because it allows cookies to be created before consent.

Yes, GDPR compliant notification is planned here as a feature, not a plugin: Add cookie consent option · Issue #3624 · pkp/pkp-lib · GitHub

However, with the plugin I created, I realized that you could add session_destroy() right before this line cookiesNotification/CookiesNotificationPlugin.inc.php at master · ajnyga/cookiesNotification · GitHub.

It would mean that although a cookie is created, the session with all the personal data is deleted after the page is loaded. You do not need cookie consent if the cookie does not have personal data or is not connected to personal data, right @jmacgreg?

What I do not know is whether this affects the performance of OJS in some way? Maybe @asmecher could evaluate that?

(edit: this solution would also require the plugin to prevent users from logging in or registering if cookie consent is not made. This could probably be done with a couple of smarty filters to disable the submit buttons in those forms…)
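The two mechanisms sketched in the post above (discarding the server-side session when no consent has been given, and a Smarty output filter that disables the submit buttons of the login and registration forms until the visitor accepts) can be combined as follows. This is an added example, not code from the cookiesNotification plugin or from OJS; it assumes a hypothetical consent cookie named `cookiesConsent` set by the banner's “I accept” button, that the forms carry `id="login"` and `id="register"`, and that the filter is registered through Smarty's output-filter mechanism, which passes the rendered page as a string.

```php
<?php
// Added example; not part of the cookiesNotification plugin or of OJS core.
// Assumptions (hypothetical): the consent banner sets the cookie "cookiesConsent"
// to "1" on "I accept"; the login and registration forms use id="login" and
// id="register"; the filter is registered as a Smarty output filter.

const CONSENT_COOKIE = 'cookiesConsent'; // hypothetical cookie name

/** True when the visitor has accepted the cookie/privacy notice. */
function hasConsent(array $cookies): bool
{
    return isset($cookies[CONSENT_COOKIE]) && $cookies[CONSENT_COOKIE] === '1';
}

/**
 * Variant of the session_destroy() idea from the post: the session cookie is
 * still sent, but the server-side session data (IP, user agent, user id) is
 * dropped again as long as no consent is recorded.
 */
function discardSessionWithoutConsent(array $cookies): bool
{
    if (hasConsent($cookies) || session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    session_destroy();
    return true;
}

/** Add disabled="disabled" to a single <button>/<input> tag if it is a submit control. */
function disableSubmitTag(string $tag): string
{
    if (!preg_match('/\btype="submit"/i', $tag) || preg_match('/\bdisabled\b/i', $tag)) {
        return $tag; // not a submit control, or already disabled
    }
    $selfClosing = substr($tag, -2) === '/>';
    $tag = rtrim(substr($tag, 0, $selfClosing ? -2 : -1));
    return $tag . ' disabled="disabled"' . ($selfClosing ? ' />' : '>');
}

/**
 * Output filter: without consent, disable every submit button inside the forms
 * listed in $formIds and prepend a short notice. Other markup is left untouched.
 */
function consentOutputFilter(string $output, array $cookies, array $formIds = ['login', 'register']): string
{
    if (hasConsent($cookies)) {
        return $output;
    }
    $notice = '<p class="consent-notice">Please accept the cookie notice before logging in or registering.</p>';
    foreach ($formIds as $formId) {
        // Match the whole <form ... id="..."> ... </form> block for this id.
        $pattern = '#(<form\b[^>]*\bid="' . preg_quote($formId, '#') . '"[^>]*>)(.*?)(</form>)#is';
        $output = preg_replace_callback($pattern, function (array $m) use ($notice): string {
            $body = preg_replace_callback('#<(?:button|input)\b[^>]*>#i', function (array $t): string {
                return disableSubmitTag($t[0]);
            }, $m[2]);
            return $m[1] . $notice . $body . $m[3];
        }, $output);
    }
    return $output;
}

/**
 * Wrapper with the signature a Smarty 3 output filter receives ($output, $template);
 * register it from the plugin with $templateMgr->registerFilter('output', 'ojsConsentFilter')
 * (assumed; adapt to the OJS version in use).
 */
function ojsConsentFilter(string $output, $template = null): string
{
    return consentOutputFilter($output, $_COOKIE);
}

// Constructed sample markup for a stand-alone run (not real OJS templates).
$sample = '<form id="login" method="post"><input type="text" name="username">'
        . '<button type="submit">Login</button></form>'
        . '<form id="search"><input type="submit" value="Search" /></form>';

echo consentOutputFilter($sample, []), "\n";                       // login button disabled, search form untouched
echo consentOutputFilter($sample, [CONSENT_COOKIE => '1']), "\n";  // unchanged when consent is present
```

Disabling the button only in HTML is a usability measure; a visitor can still re-enable it in the browser, so the server side (the session handling above, or a consent check in the form handler) remains the actual control.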

Correct me if I’m wrong, but I think that cookie notice is only required in case of third-party cookies which are not mandatory for the site to function. So the default OJS session cookie is “clear” for GDPR?

I believe cookies themselves are not the problem. But if a cookie contains personal data or can be connected to personal data, then the collection of that data requires user consent. In the case of OJSSID cookie it is connected to the sessions table which has the user IP and the user_agent. The cookie itself does not have personal data.

I guess this is all open for interpretation. I have not found a simple answer.

Hi,
As far as I understand, GDPR requires us to obtain confirmation from already existing users, so they accept the new journal policies. If this is so, has anyone come up with some sort of solution?
Thanks in advance for your help.
Regards,
Juan

At the moment I have added consent checkboxes to both the registration and the login form that are required if you want to submit those forms.

Besides that I used the cookieNotification plugin mentioned above to produce a “Please read our new privacy policy” banner for all users that access our site. It also has an “I accept” button.

In June I will probably grab the user emails from the database and use some automation to send users who have logged in recently an email (Before that I will clean up the user database from spam accounts and make sure there are no major changes coming to the policy). I will check if there is some service available to do this. We have around 16 000 registered users and after the obvious spam accounts are removed, probably around 9 000.

I guess you could just use a regular email account to send the notifications by dividing the emails into several groups. Maybe using groups of 200 emails and the blind carbon copy field.

The problem is how to record the user consent. I have to look into a few questions. Mainly, can the email say that if you do not react, we will continue to process your data. In our privacy policy we have taken a fairly strict stand towards the “right to be forgotten”. The viewpoint is that editorial data is needed also after the submission is published and only in very special circumstances will we remove such data. The data is still needed for the purposes it was collected for.


Hi! Are there any news about the GDPR plugin for user subscription?
@ajnyga, is your solution available?
And what about existing users? Should we proceed with notification emails, as you have planned?
Thank you!

Hi @jascanio,

as I understand it, we are no longer allowed to send unsolicited emails to users who have not agreed to it. This might be the reason why my email inbox was overflowing with such emails right before May 25th. I was also thinking about how to handle this with our OJS users (about 3000). We have not been able to reach out to them before the GDPR went into action. I am thinking of a pragmatic solution now. This would be:

  1. Wait for OJS 3.1.1-1 to be released. This should feature all these additional checkboxes, changes in cookie use and so on.
  2. Delete all accounts that have registered as readers-only to make a clean cut. (We publish open access journals and the only benefit of a reader-only account is that they receive a bi-monthly newsletter with newly published content. Access to all journals is possible without registration.)
  3. Remove the reader role from all other accounts (leaving the accounts active when they also registered as author, reviewer or editor)
  4. Make new readers consent by double opt-in to the newsletter upon registration and wait for the feature to send notifications to specific user groups (readers in this case).

It seems a bit radical but the readers do not really lose anything by this. What do you all think? I also do not know yet how to technically do the role-removal.


I want an update! The May 25 deadline has passed! When do you plan to release the OJS 3.1.1-1?

Hi all,

OJS 3.1.1-1 should be released tomorrow (May 31st).

Regards,
Alec Smecher
Public Knowledge Project Team


Hi Alec, hi everyone,

I am following up on this to ask for some further, updated information, hoping it will also serve others who arrive here in the future.
Is this still the final guide to read? https://docs.pkp.sfu.ca/gdpr_pkp_guide.pdf
And then, a very direct question: with an OJS 3.1.4 installation, without any edit to it, is the software already compliant with GDPR, or should I consider anyway adding a “privacy&cookie” consent bar, trying to use a free external service for it, for example?
Thank you very much
Leonardo

A post was split to a new topic: Cookies and GDPR