What is GDPR?

GDPR stands for General Data Protection Regulation. GDPR went into effect on May 25, 2018 and is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen data protection for all individuals in the European Union.

What is CCPA?

CCPA stands for the California Consumer Privacy Act of 2018. The CCPA went into effect on January 1, 2020 and grants California consumers certain rights over their personal information.

Who has to comply with the GDPR and CCPA?

Under GDPR, data controllers and Data Processors who are based in the EU and/or collect or process personal data of EU residents (regardless of where the Data Controller or Data Processor is located).

Under CCPA, companies doing business in California, which such entity is defined under the act as a legal entity that collects personal information from consumers and it determines the means for processing that information. The CCPA also applies to service providers, which are defined under the CCPA as a company handling PII on behalf of a business for a business purpose.

How do I get GDPR/CCPA enabled for my Aurora community?

GDPR/CCPA is enabled by default for all Khoros Communities.

Who's who under GDPR and CCPA?

Under GDPR, a Data Controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the Data Processor is an entity which processes personal data on behalf of the controller (Learn more). A Data Subject is an individual person who is an EU resident.

Under CCPA, a Business is the entity that determines the purposes, conditions, and means of the processing of personal data, while the Service Provider is an entity which processes personal data on behalf of the business. A consumer is an individual person who is a California resident.

In the context of “Online Communities”, the business or brand running the Community is the Data Controller under GDPR or "business" under CCPA, and Khoros is the Data Processor under GDPR and "service provider" under CCPA. The Community end-user is the Data Subject under GDPR and "consumer" under CCPA.

What constitutes PII in Online Communities?

The list of PII fields are email, login, first name, last name, title, URL home page, biography, notes, location, signature, browsing history, search history, avatars, cover image, language, IP address, and device ID.

What does Khoros do to provide GDPR/CCPA support?

Khoros provides support for GDPR/CCPA compliance by offering ways to view, edit, obtain a machine-readable copy of, and delete members’ Personally Identifiable Information (PII).

Enhancements will cover three areas:

• PII retrieval
• PII deletion
• Demonstrating Compliance

PII deletion, when exercised, will permanently anonymize the PII of the members and attribute the content to an “Anonymous User”. The “Anonymous User” will have a standard username and a default avatar to distinguish it from other members.

As a Data Processor/service provider, Khoros is only permitted to follow the instructions of the Data Controller/business. So, availability of a feature to the end-user will be dependent on the Data Controller/business (brand) enabling it.

Note: The data that is deleted will only be the PII of the member, while the member's contributions (posts, comments, likes, etc.) will be maintained as and associated with an anonymous user. The delete triggers a downstream handling to purge PII data from Khoros Community Analytics as well.

What happens to PII data when deleted?

Member PII data is permanently anonymized and attributed to “Anonymous User”. The “Anonymous User” has a standard username and a default avatar to distinguish it from other users.

Can the user see the PII data in Community? If yes, where?

Yes, members can view, edit, obtain a machine-readable copy of, and delete the PII relevant to themselves, as described in Manage your community content and personal information.

Will the member delete action also remove posts, replies, likes, etc.?

No. A member's contribution (posts, comments) and engagement (likes, accepted solutions) is retained. They are disassociated from the original member account.

Will PII data in posts, replies, etc., be removed?

No. Members are advised not to share any personal data in posts or attachments, and the Community moderation policy is expected to enforce this. The member delete option does not systematically auto-clean any personal data inadvertently included in posts, attachments, messages, etc. This falls under the purview of Community moderation.

What is the SLA for User deletes?

The SLA for User Delete is 30 days.

Can the user recover the Community account if he/she changes the decision later on?

No, the deletion is permanent. If someone wants to rejoin the Community, they need to sign up again.

What if the person wants to use the same user name again?

If available, the people might be able to use the same user name in the Community. However, it will be treated as a new account with no association to the previous member.

Where is a user's PII stored?

PII data is not stored in user databases, caches, and file storage. As part of any delete operation, Khoros purges all these stores of the PII data.

For more information on geographic data locations, see the Khoros Data Location and Sub Processor Guide or the summary located here.

How will backups and logs be handled?

According to the standard rotation policy, backups are rotated every 90 days, and all member deletes will flow through the system for a maximum of 90 days. The same time period is associated with Application logs. They are rotated in 90 days according to the retention policy and all user deletes will flow through the system in that time period. PII will be removed from Event Logs. Also, a one-time rewrite will be performed to remove all PII information stored historically. Our backups are encrypted and access-controlled.

In the rare event of a restore from backup, any PII that was previously removed will be deleted again to ensure continued compliance.

Will community metrics reflect the deleted user?

Yes, Community Analytics remove the PII of the user from its systems. However, it does not modify the metrics retrospectively. In other words, after anonymizing a member, we do not show the member’s name or any other PII information in any of the reports. However, the member's anonymous statistics continue to be counted in historical aggregate metrics, for the relevant periods.

It was mentioned that Khoros will support export of PII-related data; what about a user’s posts? Can a user's posts be exported as well?

Yes, it will be possible to export a member's posts.

How are PII-fields from the customizations handled?

Contact Khoros Support and provide the list of custom, personal fields to be marked as PII. We flag them as PII. Once flagged, these fields are handled in the same way as any of the out-of-the-box PII fields with respect to viewing, deleting, and exporting.

What is the level of support for demonstrating compliance?

As part of GDPR/CCPA support, Khoros publishes a standard operating procedures. In these procedures, Khoros documents the processes and PII-related data handling by capturing where all PII is stored or processed; where it comes from, where it goes, and who has access to it. Khoros plans to document all the processes and steps taken to ensure GDPR/CCPA compliance. These are available to auditors to assess our processes with regard to GDPR/CCPA compliance.

The Audit log does not contain any PII data that can be associated with the Data Subject.

An Auditor can also validate a data subject’s controls and rights by mimicking member actions and exercising the ‘right to be forgotten’.

What’s Khoros recommendation on cookie banners?

We recommend that brands (the data collector) address site cookies (both Khoros' and your own) via a single, customizable pop-up banner to avoid the need for multiple cookie banners (one from the Khoros platform, the other from customer-specific cookies). Providing your own banner enables you to customize it for your brand's look and feel and any specific, legal content.

Khoros Communities provide an out-of-the-box cookie banner solution. Learn how to enable the cookie banner for your community.

LEGAL DISCLAIMER – NO LEGAL ADVICE

The above content is provided for informational purposes only and does not constitute legal advice. You should seek the advice of your legal counsel regarding your GDPR compliance efforts.

LEGAL DISCLAIMER ABOUT ROADMAP VOLATILITY

This represents Khoros’ current view of its product roadmap. Khoros releases software monthly and adjusts its roadmap based on market conditions and updated requirements between releases. This document is intended for informational purposes only, and because of potential volatility, it should not be used to develop contractual commitments, make assumptions about product pricing or packaging, nor used for planning purposes.

Khoros makes no warranties, express or implied, in this document.