MNHQ here: Mumsnet’s approach to data protection and GDPR

[KateMumsnet]

As lots of you will know, May 25 sees the introduction of the General Data Protection Regulation (GDPR) - a new law covering data protection and privacy. As with any company that works with data, we’ve done some work to ensure that we’re fully compliant with GDPR. If you’d like to know more about what we’ve done, read on.

We have reviewed and updated our Privacy Policy and provided a page of Frequently Asked Questions.

We’ve made it easier to edit or delete the information you give us when you join Mumsnet -- your registration data. This might be no more than a username and an email address; you can have a functioning Mumsnet account with just those two things. However if you also told us your name, age, sex, how many children you have, and/or your postcode, it’s now easier to see how to edit or delete that information in your ‘My Account’ page.

The ‘My Account’ page is also where you can delete your Mumsnet account (although we would prefer you not to, obviously). Deleting your account will not delete your posts on Mumsnet but it will delete all the registration data associated with your account.

By popular request, we will not be deleting Private Message archives as originally planned.

If you receive any Mumsnet newsletters, you can unsubscribe using the link at the bottom of the email. If you have a Mumsnet account you can also subscribe and unsubscribe to any or all of them here.

As you use Mumsnet you might see a new notice that tells you when cookies are being used.
You can find details about how we use cookies in our Privacy Policy and FAQs. But in a nutshell, we use cookies to:

• improve your experience by, for example, remembering that you have logged in and that you like reading threads top-to-bottom;
• show you more relevant content and ads; and
• gather aggregate information about how many people visit Mumsnet, how often, and what they look at while on the site (aka analytics).

Long-standing Mumsnet users may remember the Profile Page functionality that we rolled out to users many years ago. For now we have decided to default all existing public Profile Pages to ‘private’, so that MN users who have put personal information on their profiles have a chance to review and delete it if they want to. You can check whether you have a Profile Page, and edit or delete it over here.

If you’re looking for the My Photos page: we’ve suspended this for now - it wasn’t working well and needs a complete revamp. Any photos you had previously uploaded have been deleted from our systems.

In terms of MNHQ’s internal processes, we have put further restrictions in place around which staff members have access to Mumsnet users’ personal information.

We're emailing all our members to let them know about these changes. As ever, we really welcome your feedback. Do add comments below or email [email protected] if you have any thoughts, questions or concerns.

If you receive any Mumsnet newsletters, you can unsubscribe using the link at the bottom of the email. If you have a Mumsnet account you can also subscribe and unsubscribe to any or all of them here.

^In regards to this surely you need to get all existing and new member to opt in to recovering these types of emails rather than emailing members then giving the option to unsubscribe. I realise this maybe will be something you have planned when you send out this info by email but that is not clear here.

All non necessary email communications should work on a basis of opt in not opt out according to GDPR with a positive action needed before you can email members with non necessary emails, which would count newsletters and the like , as per ^Recital 32:
“Silence, pre-ticked boxes or inactivity should not constitute consent.”^

😁 I've been having GDPR fun at work too!

You won't be getting mumsnet emails unless you have already consented. We don't need to consent again. So having the opt out option is perfectly fine.

Hi LoudBatPerson - thanks for your thoughts.

We aren’t asking for re-consent at this stage because, as AngentHannah says, the people we email have already given unambiguous consent (and can unsubscribe or change which newsletters they get at any time). Our emails are mainly useful, rather than marketing or products, so we're taking the view that there’s a 'legitimate interest' in processing that data - and that it would be a pretty dreadful user experience for most people to have to sign up for everything again. It's a similar approach to services like Twitter, Money Saving Expert, eBay and EE - but we're planning regularly to review this, so thanks very much for your feedback.

So I presume you have records of when each and every user has opted into receive these mailings then? Remembering that for GDPR purposes it must be an active opt in not leaving a predicted box or not taking any action.

I would dispute many of the emails I receive from Mumsnet as being legitimate interest, due to the amount of offers and promotion of products.

I am fairly certain I have never opted into (as opposed to not opted out of) many of the emails I receive from Mumsnet which contain adverts or promotions.

LoudBatPerson under GDPR you can use legitimate interest even for marketing though. Obvs you have to comply with pecr too so consent is an 'easier' basis if starting from scratch.

Yes I understand you can use legitimate interest for marketing however this cannot be used in place of consent. Many people have different interpretations of the rules as is to be expected, I just feel that this particular pathway isn't really in the spirit of the act and leaves any organisation more open to potential issues down the line, as most databases haven't been created to record consent in a way that would satisfy the new regulations.

As with all new legislation the interpretation with regards to enforcement is yet to be seen.

So there is still no way to delete forum posts?

The cookie message is driving me nuts. Once when I log in is enough.

That's an interesting stance. I have received an email from an organisation I definitely did subscribe to, entitled "Is this your last newsletter from ?" It goes on to explain that under GDPR rules, it must have express consent for email communications and my email address was flagged as one that it wasn't sure about, so unless I expressly opted in by completing the form contained in the email (a simple "Please continue sending me newsletters" form), I would nolonger receive newsletters after May 25th.

That strikes me to be the correct approach.

Lots of practical and sensible changes there.

However, you can't use legitimate interest as a basis to send emails as they have to be consented under PECR. Consent also doesn't last indefinitely, I for example signed up to mumsnet around 10 years ago - most companies are looking at 2 years for how long consent lasts for. You would struggle to justify 10 to the ICO...

I think there should be an option to delete all your posts.

As far as I understand it, you do need to expressly ask existing subscribers/customers to opt-in to receiving emails and not just assume consent because 10yrs ago they didn’t tick the box to opt-out.

Tesco have annoyed me - massive firm yet they’ve done the opt out thing.
“If you want to keep receiving emails, do nothing! If you don’t, click this link” it’s explicitly breaking the GDPR guidelines.

Sorry MN, but I agree with PP, my understanding of GDPR is that you need to roll out an email to all existing users asking if they still wish to receive emails from you. It needs to be opt-in, not opt-out.

You see I think lots of posts contain sensitive personal data eg sexual orientation, medical info?