I'm wondering if a deep link in an e-mail that automatically authenticates even though the session is expired is GDPR compliant. For instance, if I send an e-mail to a user with links to the internal website, containing content available only after login, and the session is expired, the user has logged out or purged cookies, can I show the content anyway (like when the user is still logged in), or shall I show the login page first and display the content after the user successfully authenticates? In terms of UX it is better, but I am not sure about the security concerns it can cause or if it is non-compliant with GDPR regulations.

QuantumSec
Tizz

    Which section of the GDPR do you believe something like that would be in violation of? (It's probably a bad idea for a variety of *other* reasons to do this, but I fail to see how the GDPR applies specifically to what you're describing.) – user Jul 17 '19 at 19:49

1 Answer

1

Regarding GDPR compliance, you're not violating the registered person's rights by displaying otherwise restricted content for authenticated users - that is, unless the information you display contains personally identifiable information, like the individual's health information, home address etc. Personal information must be kept secure and not disclosed to someone else besides the individual in question, unless there is explicit consent from the user or you have a legal basis to do so.

In regards to security concerns, I would personally never allow that on a site containing non-public information. In your example with the e-mail link it might be alright if:

  1. The user has to register to receive a copy of your e-book
  2. The user receives an email
  3. In the e-mail there is a link which gives the user access to the e-book without authenticating first.

But if you instead:

  1. Let the user register for a health insurance policy
  2. Send an e-mail to the user about their sign-up
  3. The e-mail contains a link which leads to your site with their health information

You would not be able to ensure that this health information is not disclosed to someone else, which could mean a violation of GDPR. Authentication processes can be made very smooth nowadays, so I don't see a reason not to require login from the user before letting them access restricted content. If you're in doubt, I would raise this with someone from the legal department in your company.

QuantumSec