YaBB (Yet Another Bulletin Board) is an open source forum software written in Perl that stores its data in flat files rather than in a relational database. The default installation only writes a session cookie and an optional remember me cookie, which fall under the strictly necessary exemption of the ePrivacy Directive. The privacy posture mainly depends on the forum operator's hosting choice and on the optional plugins activated.
YaBB stands for Yet Another Bulletin Board. It is one of the longest running open source forum software projects, written in Perl and licensed under the YaBB license. Unlike phpBB, vBulletin or Discourse, it does not require a relational database and stores boards, threads and member information in flat files. The application runs on top of any web server with Perl CGI support and is operated entirely on the publisher's infrastructure. There is no SaaS edition, so the publisher remains the data controller for every personal data processing activity.
By default YaBB writes a session cookie called YaBBSessionID, an authentication cookie called YabbUserName when the visitor checks the remember me option, and a CSRF token cookie. The session cookie expires when the browser is closed. The remember me cookie holds a salted hash of the username with a configurable lifetime, typically a few weeks. The application stores the username, the email address, the avatar, the IP address of every post, the post content and the moderation log in flat files on the server.
The session, authentication and CSRF cookies are strictly necessary under Article 5(3) of the ePrivacy Directive and recital 66, since they are required to deliver the forum service explicitly requested by the user. They can be loaded without consent. Account registration, login and posting rely on contract performance under Article 6(1)(b) GDPR. Articles 13 and 14 GDPR still require a transparent privacy notice that lists the categories of data, the retention period and the moderation workflow, especially because the IP address of every post is stored.
YaBB does not transfer data on its own because it is fully self hosted. The publisher decides the hosting region. Hosting on EU infrastructure (OVH, Hetzner, Scaleway) keeps every processing activity within the European Economic Area. Hosting outside the EEA requires a Transfer Impact Assessment and Standard Contractual Clauses with the hosting provider. Avatars from third party services, embedded videos and outbound mailers may also create transfers that the publisher must document.
Configure the YaBB cookies with Secure, HttpOnly and SameSite=Lax, host the application in the EEA, document the IP retention period for posts (six months is a common benchmark), set up a clear privacy notice, provide an easy account deletion mechanism, list the moderation policy and block any optional plugin (advertising, embedded videos, social sharing) behind a Consent Management Platform such as FlowConsent.
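One way to verify the cookie settings recommended above, as an added example that is not YaBB's code or part of the original page: it audits `Set-Cookie` header values against the cookie names and lifetimes this page lists. The function names, the sample headers and the `analytics_id` cookie are constructed for illustration.

```python
# Added example: audit Set-Cookie headers against the cookies this page documents.
# Documented lifetime in seconds per cookie; None means a session cookie.
DOCUMENTED = {
    "YaBBSessionID": None,
    "YabbUserName": 14 * 24 * 3600,  # "2 weeks" in the page's cookie table
    "yabb_csrf_token": None,
}

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(headers):
    """Return a list of (cookie name, finding) tuples, in header order."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in DOCUMENTED:
            # Probably set by an optional plugin: it belongs behind the consent banner.
            findings.append((name, "not in the documented cookie list"))
            continue
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        # Assumption: Strict is accepted as well as the Lax value the page recommends.
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append((name, "SameSite is not Lax or Strict"))
        limit = DOCUMENTED[name]
        max_age = attrs.get("max-age", "")
        if limit is None and (max_age or "expires" in attrs):
            findings.append((name, "has a lifetime but is documented as a session cookie"))
        elif limit is not None and max_age.isdigit() and int(max_age) > limit:
            findings.append((name, "Max-Age exceeds the documented lifetime"))
    return findings

# Constructed sample headers, not captured from a real YaBB installation.
SAMPLE = [
    "YaBBSessionID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "YabbUserName=deadbeef; Path=/; Max-Age=1209600; Secure; SameSite=Lax",
    "yabb_csrf_token=tok; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; HttpOnly; SameSite=None",
    "analytics_id=42; Path=/; Max-Age=63072000",  # hypothetical plugin cookie
]
```

Calling `audit(SAMPLE)` returns one finding per deviation; an empty list means every header matches the documented cookie list and flags.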
Websites using YaBB must obtain user consent under GDPR regulations.
DPIA considerations
A standard YaBB forum used for community discussions is generally low risk. A DPIA becomes appropriate when the forum hosts member directories at large scale, processes special category data such as health discussions, or when the operator hosts the application outside the EEA. Document the categories of data, the moderation workflow, the retention rules and the legal basis of every processing activity.
Sample consent text
This forum runs on YaBB, a self hosted Perl bulletin board. Only strictly necessary cookies are written to keep your session active, to authenticate you when you log in and to protect against cross site request forgery. Additional cookies (analytics, embedded media) are loaded only after you have accepted the corresponding category in the cookie preferences.
Third-party domains contacted
yabbforum.com, yabb.info, sourceforge.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| YaBBSessionID | first_party | Session | Stores the active session identifier required to maintain forum state, login status and language preference across page loads. |
| YabbUserName | first_party | 2 weeks | Stores a salted hash of the user name used by the remember me feature so that returning visitors are recognised on their next visit. |
| yabb_csrf_token | first_party | Session | Stores the per session token used to validate form submissions and protect against Cross Site Request Forgery attacks. |
By default YaBB writes the YaBBSessionID session cookie, an optional YabbUserName cookie when the visitor activates remember me, and a CSRF token cookie. Session and CSRF cookies expire when the browser is closed. The remember me cookie has a configurable lifetime, typically a few weeks.
No. The session, authentication and CSRF cookies fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive, since they are required to deliver the forum service explicitly requested by the user. Optional plugins (analytics, advertising, embedded media) require consent.
Account registration, login, posting and moderation rely on contract performance under Article 6(1)(b) GDPR. The IP address attached to every post is processed under legitimate interest (Article 6(1)(f)) for security and abuse prevention, with a balanced retention period (six months is a common benchmark).
YaBB is fully self hosted, so the operator chooses the region. Hosting in the EEA keeps every processing activity within Europe. Hosting outside the EEA requires a Transfer Impact Assessment and Standard Contractual Clauses with the hosting provider. Avatars or external mailers may also create transfers.
For a small to medium community a DPIA is rarely mandatory. A DPIA becomes appropriate when the forum hosts large-scale member directories, processes special category data such as health discussions, or when the operator hosts the application outside the EEA. Document the categories of data, the moderation workflow and the retention rules.
Configure the cookies with Secure, HttpOnly and SameSite=Lax, host in the EEA, document the IP retention period, publish a clear privacy notice, provide an easy account deletion mechanism, document the moderation rules and block optional plugins behind a Consent Management Platform such as FlowConsent.
Common alternatives include phpBB, FluxBB, MyBB, Discourse (open source), NodeBB, vBulletin, XenForo and Vanilla Forums. Discourse and Flarum are particularly popular for modern communities. Each has different cookie behaviour and an additional database requirement, except for the few flat file engines.
List the YaBBSessionID session cookie and the optional YabbUserName authentication cookie as strictly necessary, document the CSRF token cookie, the IP retention rule for posts, the hosting region and any optional plugin that writes additional cookies. Provide a clear consent management link if optional cookies are activated.