Store IP and datetime when confirming a double opt-in

[tcurdt]

IANAL but at least for Germany (maybe even the EU) it is required to store the IP and datetime of the double opt-in. This is to have a paper trail the user actually confirmed.

This cannot be done on the frontend. It is the backend that needs store these two attributes on confirmation.
This would also need to be exportable and importable.
Just for comparison: Mailchimp has this implemented.

On the code level I am wondering if SubscriptionCreatedAt is actually the confirmation datetime or just the creation of the entity.

https://github.com/knadh/listmonk/blob/master/models/models.go#L178

I suspect it's also the model that would need to get a field for the IP address.

[albertvisuals]

Yes, basically everyone who has to be GDPR compliant needs to have double opt-in, including proof of IP address and date-time of the second accepting.

[c-seeger]

@knadh this should be prioritized since its law relevant for many users inside EU due to GDPR.

[tcurdt]

With some guidance I am sure there is the possibility for a PR.
But to get some input first would be great.

[knadh]

I'm working on this. A new config option, Privacy -> Record opt-in IP. These details can then be recorded in subscriber meta, maybe, optin_ip and optin_date. Does that make sense?

[tcurdt]

Does that make sense?

I guess that was just a typo but

optin_ip
optin_date

would totally make sense!

[knadh]

The subscriber meta that I'd suggested above was infeasible (duh!). IP has to be recorded per subscription (subscriber -> list). This involved adding a new field to subscriber_lists table and change to the subscription API requests and responses, but it's almost ready to be merged. Introduces a new meta{} JSONB field which records the double opt-in IP address, which can also be used for storing any arbitrary per-subscription meta in the future.

WIP:

Settings -> Privacy

Individual subscriber

[tcurdt]

Looking good. Thanks for that!!