January 23, 2019 at 10:45 am #15286
It seems that sometime back eMember started to include a “To address” when sending out the bulk expiry email notifications. Previously all recipients were Bcc’d and no “To” address was used. But after this change, each time a bulk expiry email is sent out, the email address for one of the receiving members is used as the “To” recipient (which means that all other recipients can then see that address).
This seems to be due to the following line of code, which was added at some point in the last year or so, and is from line 82 in the eMember_cronjob_functions.php file:
$to_email = array_pop($email_list);//Take one from the list to use as the main "to address". Others will be used in the BCC field.
This behavior is not ideal because it means that all recipients of the bulk email are then able to see the email address of the account that has been used as the “To” recipient. This is very much not good for security reasons, GDPR, legal reasons, etc.
Again this also was not always the case – it used to be that all recipients were Bcc’d and no recipients were sent as “To” for those bulk emails, so we’re not quite sure why this was changed in this manner.
If it is necessary for some reason to have a “To” recipient, is there a way that we can specify a static/default email address to use as the “To” recipient (such as one of our organizational addresses), so that a member’s email address will no longer be used for that purpose and made public that way?
Otherwise, is there a way that we can just disable this setting altogether, so that all recipients will once again be Bcc’d and there will be no “To” recipient?
Either way it is necessary to be able to not have this behavior occur, as it does not meet data security standards to make customer email addresses accessible to others without their consent.
Thank you
January 23, 2019 at 12:10 pm #79088
Just as a follow up here –
Our decision makers have decided that this is a clear breach of GDPR legal guidelines to be making customer email addresses available to others without their consent. As such, we have now had to disable the eMember expiry notification emails altogether. We cannot have our customer emails shared publicly and be breaching data protection laws that way.
This means that we are either going to have to start sending out expiry notifications manually, or else our members will receive no notification that their account expired.
Please provide a solution if you can, to either be able to specify a global/default/organizational email address as the “To” recipient, or to remove the “To” recipient altogether. In either case we must be able to avoid having a member’s email used as the “To” recipient on those bulk emails, it is a data and security issue and puts things in violation of the European data laws.
This is a rather critical issue, please help, thank you
January 23, 2019 at 5:38 pm #79089 wzp Moderator
This issue was addressed 2 months ago:
Please update your plugin:
January 24, 2019 at 1:19 am #79090
Wonderful, thank you!!!
February 13, 2019 at 10:11 pm #79091
Unfortunately there seems to be an issue on our site that is preventing this from working.
When we enter an address into the “To Email Address for Batch Emails” within the eMember settings, then for some reason none of the bulk expiry emails get sent at all.
We have confirmed this now multiple times: when that field is enabled and an email address is entered into it, none of the expiry emails then get sent. When we remove the email address from the field and leave that field blank, then the emails do get sent.
Since we can’t leave that field blank (due to the data security reasons mentioned previously), we have left that field enabled and so presently none of the expiry emails are being sent and we are having to send out expiry notifications to our members manually.
We also tested on a separate base install with no other plugins or themes and the issue did not occur. So this means that there must be something on our website that is causing this issue and preventing the emails from being sent when the “To Email Address for Batch Emails” field is enabled.
Could we please pay for some custom troubleshooting from the eMember team in order to look into this issue on our site and hopefully get it resolved?
March 1, 2019 at 4:20 am #79092
Just a note that we were contacted directly by another eMember customer who is also having this same issue.
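The recipient handling requested in the first post (a fixed organizational "To" address, with member addresses only in Bcc), as an added example that is not eMember's code and not part of the original thread. The function name `build_bcc_batches`, the batch size and every address are hypothetical or constructed for illustration.

```php
<?php
// Added illustration, not eMember code. Names and addresses are constructed.

/**
 * Build mail batches whose visible "To" is a fixed organizational address.
 * Member addresses only ever appear in the Bcc header.
 */
function build_bcc_batches(array $member_emails, string $static_to, int $batch_size = 50): array
{
    if (!filter_var($static_to, FILTER_VALIDATE_EMAIL)) {
        // Fail closed: never fall back to taking a member address as "To".
        throw new InvalidArgumentException('Static To address is missing or invalid');
    }
    $clean = [];
    foreach ($member_emails as $email) {
        $email = trim($email);
        // Drop malformed entries and anything carrying CR/LF, so a stored
        // address cannot smuggle extra headers into the message.
        if (preg_match('/[\r\n]/', $email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
            continue;
        }
        $clean[strtolower($email)] = true; // de-duplicate case-insensitively
    }
    $batches = [];
    foreach (array_chunk(array_keys($clean), max(1, $batch_size)) as $chunk) {
        $batches[] = [
            'to'      => $static_to,
            'headers' => ['Bcc: ' . implode(', ', $chunk)],
        ];
    }
    return $batches;
}

// Constructed sample list: one duplicate and one header-injection attempt.
$members = [
    'alice@example.com', 'bob@example.com', 'ALICE@example.com',
    "eve@example.com\r\nCc: outsider@example.org", 'carol@example.com',
];
$member_set = array_map('strtolower', $members);

foreach (build_bcc_batches($members, 'notices@example.org', 2) as $batch) {
    // Check before sending: the visible recipient must not be a member.
    if (in_array(strtolower($batch['to']), $member_set, true)) {
        throw new RuntimeException('Member address leaked into To');
    }
    // In WordPress each batch would map onto
    // wp_mail($batch['to'], $subject, $body, $batch['headers']).
    echo "To: {$batch['to']} | {$batch['headers'][0]}\n";
}
```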