<p>OK, so as I currently understand it:</p>
<ul>
<li>We need to show everyone the new privacy policy one-time on signin, but with no agreement tickbox</li>
<li>We therefore need to store if they've seen the privacy policy, so we don't show it on every login</li>
<li>We need to show everyone the new ToU on signin, with an agreement tickbox</li>
<li>We therefore need to store if they've agreed to the ToU</li>
<li>We need to block API access, both read and write, until both documents have been viewed/agreed</li>
<li>We need to amend the signup form, so that it shows the new privacy policy, and we store that they have seen it (so they aren't affected by the implementation of the first task in this list)</li>
<li>We need to amend the signup form, so that they agree to the ToU (with a tickbox, again stored).</li>
<li>For the above agreements, storing a boolean is fine. If we need to get a fresh agreement in future, we can null out the columns for all users and that will re-trigger the blocks/signin displays</li>
</ul>
<p>I think we should start by implementing the signup flow changes, and then we can phase in the rest (e.g. showing things on signin to the website, then eventually adding the API block unless already seen/agreed at signup or signin).</p>
