Cannot delete OmniChannel Contacts or disable 'Add to Contacts' #35399
Comments
As per https://rocket.chat |
I’d like to work on this issue. GDPR compliance is super important, and it’s critical users can delete their data properly. Let me know if there’s anything specific I should keep in mind or if you have any suggestions. |
This is a very complex issue and is with the team. I have added this as a reference. Please do not work on it. |
ok sir |
Hey everyone, Thanks for reporting your findings - and concerns as well - Let's make sure we're all aware of existing features and potential gaps for further discussions. That said, let's go through the "red-flags" shared above:
Actually you can. There is a REST API endpoint for that action: https://github.com/RocketChat/Rocket.Chat/blob/develop/apps/meteor/app/livechat/server/api/v1/visitor.ts#L154
Our Livechat widget solution provides GDPR-compliance mechanisms to handle data privacy and protection needs.
Actually you can. You just need to disable the corresponding permissions in order to get the product to behave accordingly. What the product doesn't yet provide is the ability to remove contacts from the UI, which is something we have intentions to deliver as soon as we go through design phase and manage to get engineering capacity to address the use case. We're open to getting insights about how to meet compliance standards under different privacy and data protection standards. |
Irrelevant to the issue. This is about data removal, not addition.
So first, many times people close the chat by closing a tab or going to a different site and do not delete their data. So then we have their data but we can't delete it, and the onus is on us to do so if requested. The "Forget/Remove my data" isn't good enough because under GDPR (and I believe probably Brazilian law too) they can agree to the data processing, and subsequently ask for the data to be removed. That is 'removal of consent' and is legally binding except in a few very specific cases, and none of which would apply to us.
We HAVE to be able to delete them, and we should NOT have to do it via an API. I don't have the time for that. It also assumes you are set up for API work, and I am not. Never use it. If a contact is that easy to add, it should be that easy to remove. And there should be a simple facility in Omnichannel settings to disable it, permanently. ON/Off. So, let's try looking for how to disable it and delete a contact with the API. Should be simple........ After a lengthy search I managed to find:
Register or Update Omnichannel Contact
Search perms for view-l-room. Nada.
Joy. Let's try a link.
Search for Find OK, so I presume that is disabled. That was simple then. Obligatory Douglas Adams reference Finding the plans So how do I delete? I can Create, and I can Update and Search and get History, but I want to delete them entirely. Nothing I can see in the API for that? So where is it exactly (and don't tell me I just have to empty the data - I want them gone completely with a simple delete _id) I presume it isn't there for the same reason there is no simple Delete function in the manager. Quite simply we can't because the code does not exist.
As above, I'm not sure you can even do it via the API. But this should have been done at the outset, and I understand that it will not be simple, which means it will take a long time, during which I can get sued. As can anyone else in the EU. It only takes ONE complaint.
This is not the first time I have raised issues with GDPR. It is well known. Rocket claim to be compliant, but clearly not. Knowing that it should have been implemented in initial design phase (I believe it was considered, but I understand it was too difficult ?), not as some afterthought. Right now we'll probably have to disable our LiveChat because it is no longer compliant as I cannot delete the Contact record, which is the reason I started using RocketChat in the first place. That will cost us money, though not as much as if we got sued. Note I am not the only one. And I suspect that there will be more in time as they realise what has gone on - as an admin I don't usually see this sort of thing and I only stumbled over it because of this: https://open.rocket.chat/channel/support?msg=w4s2d7qLNL7DSN6xW So ultimately, how long until this is fixed and my legal liability relieved? |
Description:
Cannot delete OmniChannel Contacts.
This is illegal under GDPR.
Cannot remove/disable the 'Add to Contacts' prompt when commencing a chat.
Steps to reproduce:
Go to OmniChannel Contacts.
omnichannel-directory/contacts
Try to delete a Contact.
Expected behavior:
You should be able to delete a Contact and their PI as per GDPR.
Actual behavior:
Cannot remove the Contact.
No way to disable 'Add to Contacts'.
Server Setup Information: