Post by Daniel » Fri May 25, 2018 3:39 pm

Wow so the first sites that the EU GDPR law targets are news web sites!!

http://www.bbc.com/news/world-europe-44248448

OpenCart®
Project Owner & Developer.



Post by marius-ciclistu » Sat May 26, 2018 1:58 am

Suggestion: make the Google Analytics cookies load ONLY after the user accepts them. Also, it would be nice for the core to handle this notification together with the info about the session cookies.


Post by ADD Creative » Mon May 28, 2018 5:30 am

I would have thought it should be possible to use Google Analytics without consent under the GDPR if you are not using the advanced advertising features that require Google's EU user consent policy. You would need to turn on the IP Anonymisation feature and strip out any customer IDs, order IDs, etc. before sending the page URL to them. You would still need consent under the ePrivacy directive, but this could be implied in most cases.

I can't see many customers allowing analytics cookies if given a choice.

www.add-creative.co.uk



Post by OSWorX » Mon May 28, 2018 1:58 pm

ADD Creative wrote:
Mon May 28, 2018 5:30 am
I would have thought it should be possible to use Google Analytics without consent under the GDPR if you are not using the advanced advertising features that require Google's EU user consent policy. You would need to turn on the IP Anonymisation feature and strip out any customer IDs, order IDs, etc. before sending the page URL to them. You would still need consent under the ePrivacy directive, but this could be implied in most cases.

I can't see many customers allowing analytics cookies if given a choice.
If used correctly, GA can be used without consent.
For ga use
ga('set', 'anonymizeIp', true);
For gat use
_gaq.push(['_gat._anonymizeIp']);
and do not send any customer information like order id, customer id and so on.

Additionally a Google OptOut can be used - or at least should be used.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
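As an added example (not OpenCart core code and not from any poster in this thread), the two points above combined in one script: marius-ciclistu's suggestion of loading Google Analytics only after the visitor accepts, plus the anonymizeIp setting and stripping order/customer IDs from the reported URL. Assumed: a first-party cookie named cookie_consent (constructed) listing the accepted categories, the SENSITIVE_PARAMS list, a placeholder tracking ID, and fakeBrowser as a constructed stand-in for window/document.

```javascript
// Added example: consent-gated analytics.js loader. Not OpenCart core code.
// Assumption: the shop stores the visitor's choice in a first-party cookie
// named "cookie_consent" (constructed name) whose value lists the accepted
// categories, e.g. "necessary,analytics".
const CONSENT_COOKIE = 'cookie_consent';
// Query parameters that must never reach Google (assumed list for this shop).
const SENSITIVE_PARAMS = ['order_id', 'customer_id', 'email', 'telephone'];

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True only when the visitor has actively accepted the "analytics" category;
// a missing or malformed cookie counts as refusal, never as implied consent.
function analyticsConsented(cookieHeader) {
  const consent = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!consent) return false;
  return consent.split(',').map((s) => s.trim()).includes('analytics');
}

// Remove customer/order identifiers from the page URL before it is reported.
function scrubPagePath(path) {
  const qIdx = path.indexOf('?');
  if (qIdx === -1) return path;
  const kept = path.slice(qIdx + 1).split('&').filter((pair) => {
    const key = decodeURIComponent(pair.split('=')[0]);
    return !SENSITIVE_PARAMS.includes(key);
  });
  return path.slice(0, qIdx) + (kept.length ? '?' + kept.join('&') : '');
}

// The analytics.js command queue: anonymizeIp is set after create and before
// the first send, so every hit leaves the browser flagged for IP truncation.
function buildGaCommands(trackingId, pagePath) {
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['set', 'page', scrubPagePath(pagePath)],
    ['send', 'pageview'],
  ];
}

// Queue the commands and inject the analytics.js tag, but only with consent.
// `win` and `doc` are injected so the logic can be exercised outside a browser.
// Returns true when analytics was loaded, false when it was withheld.
function loadAnalyticsIfConsented(win, doc, trackingId) {
  if (!analyticsConsented(doc.cookie)) return false;
  win.ga = win.ga || function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga.l = win.ga.l || +new Date();
  const path = win.location.pathname + win.location.search;
  for (const cmd of buildGaCommands(trackingId, path)) win.ga(...cmd);
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.google-analytics.com/analytics.js';
  doc.head.appendChild(script);
  return true;
}

// Constructed stand-in for window/document so the gate can be tested offline.
function fakeBrowser(cookie, pathname, search) {
  const head = { children: [], appendChild(el) { head.children.push(el); } };
  const doc = { cookie, head, createElement: (tag) => ({ tagName: tag }) };
  return { win: { location: { pathname, search } }, doc };
}

// In the real page: loadAnalyticsIfConsented(window, document, 'UA-XXXXXXX-1');
```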



Post by thomash2 » Mon May 28, 2018 7:19 pm

Cookies:

I started removing third party cookies from my OC shop, such as analytics and social media plugins. I probably only have first party cookies like the session ID, language, and currency. I also set the language and currency to expire on session by setting the time variable to 0.

The following site says first party session cookies do not need consent if they expire on close of session, are categorized as user-input (session ID) or user-interface-customization (language, currency after changing the expiration to session). The site mentions the term "Strictly necessary cookies". I see other sites implementing this in their privacy policy by stating their cookies are "strictly necessary" and some mention "session cookies only". There were also others that mention "legal basis is legitimate interest" but I don't know if this last part is necessary?
http://ec.europa.eu/ipg/basics/legal/co ... dex_en.htm

Also, if you don't need consent for the session cookies, do you still need to notify the user with a popup cookie notification window?


Shipping estimator:

Is entering the post code, province, country in the shipping estimator considered processing of personal data? Or not personally identifiable data? Because they are stored temporarily and linked to the session ID and IP address.

Would you then have to disable the shipping estimator until the customer gives explicit consent to the privacy policy, for example by forcing them to log into or create a new account before showing them the estimator? No guest quotes?

FedEx (and UPS) modules send the post code, province, country to their third-party rate request API servers, which are possibly located in the US or foreign countries outside the EU. There might need to be something in the privacy policy stating this third-party sharing of data and transmission out of the EU. This might make it important to disable the shipping estimator if not logged into an account, and also might need to disable guest checkout since OC doesn't ask for policy acceptance for guests until the confirmation step. Registering during checkout asks for policy acceptance before reaching the shipping method section.


Post by ADD Creative » Mon May 28, 2018 10:05 pm

That link you posted relates to the ePrivacy directive, which is different to the GDPR. To make matters more confusing the ePrivacy directive is shortly to be replaced by the ePrivacy Regulation, one of whose proposals is to make the cookie rules simpler. https://ec.europa.eu/digital-single-mar ... regulation

My understanding is that under the ePrivacy directive you do not need consent to use cookies if they are essential for the website to work. So that would include the OpenCart session cookies, language, currency, etc. You should probably give information about them in your privacy or cookie notice pages. For other cookies, such as analytics ones, you probably would need consent. Most sites use implied consent so have a pop-up or bar saying by using the site you consent to cookies. That has been the situation for a few years and can have different interpretations in different member states.

For the GDPR you need to have a valid lawful basis in order to process personal data. There are 6 of these and the most common one you would be likely to use would be for a contract. The other common one would be consent.

As I see it you don't need consent for the OpenCart session cookies as these are needed to process the order and generally allow a customer to do things on your site before placing an order (the contract). The language and currency cookies don't contain personal data so are not covered by the GDPR.

You also would not need consent for the shipping quote as again the customer is asking you to do that before placing an order. So again the basis is contract not consent. The same for the contact form.

I don't think a postcode on its own would be personal data as there will be more than one person at that postcode. So would be safe to send this to a shipping quote service.

I personally don't think a customer should need to agree to the privacy policy for the GDPR. In fact you could argue that it's bad having a checkbox as this could be confused with giving consent to process their data where contract basis would be more appropriate. You just need to tell them some basic information on what you are doing and link to your privacy notice page.


Post by thomash2 » Tue May 29, 2018 2:23 am

I'm still not very familiar with the GDPR and am not an expert, but I suppose some countries might require that the privacy policy and TC be delivered to the customer during the sale. Even if what you say about not needing consent when the basis is the contract holds, it might be necessary to have a record of the privacy policy and TC being read / presented before being able to submit the order.

There are a couple of very popular GDPR modules on the OC marketplace which record the checkbox along with the email address, a copy of the policy or TC at the time, the date, etc. They also have a deletion / anonymize function but most of them are not clear about exactly which tables get affected by the function. I wish they were more descriptive. I noticed in the backend that some of the fields for email in their "consent" list were anonymized, probably by using the deletion / anonymize function. But I wonder if a question comes up in the future about whether a past customer had received or consented to the privacy policy or TC, how would you prove that they did if you anonymize your records for the checkmark? I guess the main question is what data has to be anonymized or can remain intact.


Post by OSWorX » Tue May 29, 2018 3:26 am

thomash2 wrote:
Tue May 29, 2018 2:23 am
I'm still not very familiar with the GDPR and am not an expert, but I suppose some countries might require that the privacy policy and TC be delivered to the customer during the sale. Even if what you say about not needing consent when the basis is the contract holds, it might be necessary to have a record of the privacy policy and TC being read / presented before being able to submit the order.
One of the biggest advantages of the GDPR (the US will learn their lesson, sooner or later) is that it is valid in all countries around the globe.
No matter if you sit in Norway, France, Italy, Austria, South Africa, Nevada, Las Vegas, and so on ..

Why this?
Because the moment you want to do business with a customer coming from a European country, you have to follow the GDPR and the regulations.
And because of that, the GDPR is everywhere the same and valid everywhere!

The Privacy Policy is not a contract, it is a requirement and information you have to show your visitors (but following the guidelines in the GDPR!).
Nobody has to agree with them - if someone does not like them, you will make no business.

The TC (guess you mean Terms of Contract .. ?) are the basis of the relationship between you and your customer.
In general, all European countries have very strong consumer rights you cannot play against - or overrule!

And if you have only private Customers, forget any TC / TOC etc. - you will violate the already existing Rights.

Another thing is, if you have Business (additional beside B2C or only) Customers.
There you should have TC/TOC - because this is the base, a contract between your business and the other business.
Where you can define your own rules (within the existing laws and regulations, of course).

And if your customer does not read the Privacy Statement or the TC/TOC - not your fault if they are too lazy.
No need to get consent.
But you have to publish them!
thomash2 wrote:
Tue May 29, 2018 2:23 am
There are a couple of very popular GDPR modules on the OC marketplace which record the checkbox along with the email address, a copy of the policy or TC at the time, the date, etc. They also have a deletion / anonymize function but most of them are not clear about exactly which tables get affected by the function.
Maybe popular because of ???
Better to ask: do they fulfil the GDPR?
I would say: no.
thomash2 wrote:
Tue May 29, 2018 2:23 am
I wish they were more descriptive. I noticed in the backend that some of the fields for email in their "consent" list were anonymized, probably by using the deletion / anonymize function.

Why not ask them?
thomash2 wrote:
Tue May 29, 2018 2:23 am
But I wonder if a question comes up in the future about whether a past customer had received or consented to the privacy policy or TC, how would you prove that they did if you anonymize your records for the checkmark? I guess the main question is what data has to be anonymized or can remain intact.
I guess you have to make each year a tax declaration?
Correct?
So, the question is more: how long do you have to store invoices, credit notes and similar?
Ask your tax office - each country has a different number of years you (the business owner) have to store such papers/records (everything between 7 and 15 years).
More years for Warranty cases.

This will give you an assumption which records in the tables can be deleted.
And which can be anonymized or pseudonymized (not the same!!).
Basically all other than the order table.

May I recommend some to you?
Please read the GDPR in your language - there are not so many pages to read, but each page is necessary for you!
After that, I am sure you will ask better if any questions.


Post by ADD Creative » Tue May 29, 2018 7:45 am

thomash2 wrote:
Tue May 29, 2018 2:23 am
I'm still not very familiar with the GDPR and am not an expert, but I suppose some countries might require that the privacy policy and TC be delivered to the customer during the sale. Even if what you say about not needing consent when the basis is the contract holds, it might be necessary to have a record of the privacy policy and TC being read / presented before being able to submit the order.

There are a couple of very popular GDPR modules on the OC marketplace which record the checkbox along with the email address, a copy of the policy or TC at the time, the date, etc. They also have a deletion / anonymize function but most of them are not clear about exactly which tables get affected by the function. I wish they were more descriptive. I noticed in the backend that some of the fields for email in their "consent" list were anonymized, probably by using the deletion / anonymize function. But I wonder if a question comes up in the future about whether a past customer had received or consented to the privacy policy or TC, how would you prove that they did if you anonymize your records for the checkmark? I guess the main question is what data has to be anonymized or can remain intact.
While it's a good idea to keep an archive of your terms for your own records, I can't see the need to record them each time like the GDPR extensions do. What's more, the ones I looked at don't record anything about the newsletter subscription, something you would need some record of to prove consent.

Again asking for consent when a customer enters their name and address before placing an order could be misleading.

From the ICO guidelines.
The ‘consent’ is a condition of service
If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won’t even count as valid consent.
Instead, if you believe the processing is necessary for the service, the more appropriate lawful basis is likely to be ’necessary for the performance of a contract’ under Article 6(1)(b). You are only likely to need to rely on consent if required to do so under another provision, such as for some electronic marketing under PECR.
So you should not need to gain or record consent to use a customer's name and address to process the order. You would however need to gain and record consent to send them a newsletter. It seems clear that the GDPR extensions I've looked at are not doing this correctly.


Post by OSWorX » Tue May 29, 2018 4:03 pm

ADD Creative wrote:
Tue May 29, 2018 7:45 am
While it's a good idea to keep an archive of your terms for your own records, I can't see the need to record them each time like the GDPR extensions do.
Well. I still see the need to record when the customer gave his consent (Agreement) - when he ticked the checkbox at checkout.
Why?
Because terms are changing, and when you change your terms you have to notify your customers because these terms are the base of your business.
If something happens, you should be able to prove the terms the customer has agreed to - at the time he did.

This procedure has already been included in one of my extensions for many years and helped a few customers when they had a legal dispute.

ADD Creative wrote:
Tue May 29, 2018 7:45 am
What's more, the ones I looked at don't record anything about the newsletter subscription, something you would need some record of to prove consent.
Also something I have already had in 2 of my extensions for many years.
And the requirement here is not only to store the subscription and timestamp; much more important is that you do not use a simple checkbox for that agreement!

You also need to define what this newsletter will be for (e.g. only for new products or services, or promotions).
And send the correct newsletter based on this decision by the customer - after he has agreed to receive newsletters, because:

>>> you need also a confirmation of the subscription - a so called Double OptIn <<<
Newsletter subscriptions are NO OptOut decisions, only OptIn - which also means no prechecked checkboxes!

Also something I already have in 2 extensions of mine.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by JNeuhoff » Tue May 29, 2018 8:26 pm

OK, here is a question:

A customer has ordered items in the past, and the store owner received email copies of submitted online orders. Now the customer wants to make use of his right to be deleted. So the store owner can delete his account, no problem. But what about the order history in the database? Also, there will be plenty of emails in the store owner's email software (Outlook, or whatever email software he uses)? Does the latter need to be cleared as well from Outlook?

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by OSWorX » Wed May 30, 2018 12:07 am

JNeuhoff wrote:
Tue May 29, 2018 8:26 pm
OK, here is a question:

A customer has ordered items in the past, and the store owner received email copies of submitted online orders. Now the customer wants to make use of his right to be deleted. So the store owner can delete his account, no problem. But what about the order history in the database? Also, there will be plenty of emails in the store owner's email software (Outlook, or whatever email software he uses)? Does the latter need to be cleared as well from Outlook?
As written earlier here somewhere: you have to store only related data for your tax office (ask them how long in your country, between 7 and 15 years).

And the only document which is relevant for that is .. the Invoice.

If you have goods with a long(er) warranty than these years, you have to store them longer.

What (or where) is this data?
Only on the Invoice.
If you have a case of guaranty (not the same as warranty to not misunderstand them!), you should keep these records (e.g. emails) also.
Guaranty is very rare longer than 2 years.
Warranty could be up to 30 years.

Which Records to keep?
All in digital and paper form > Invoice (and Guaranty), and if warranty comes into effect then for those years.

Which Records to delete?
Everything else.

Can I keep the data anyway?
Counter-question: what for?

In general: if you really want to keep the data (e.g. for statistics, etc.) and the records can be anonymized (not pseudonymized!) and the final record never lets you find out which person is meant, you can.

Taking all this into account, you delete a lot of data.

Btw: the so called Invoices in OpenCart are not valid Invoices!
An Invoice is something you cannot change after it is published.
I know not one customer who works with OpenCart to produce valid Invoices on that base.
And those of mine who do use an extension of mine which produces PDFs.

Which means: basically also the order table in OpenCart can be deleted when a customer requests to delete all his data.


Post by daniGo » Wed May 30, 2018 3:03 am

Has anyone had any more experience / information on how Google reCAPTCHA is dropping cookies and what the best way of disabling them is?

http://www.gombac.si



Post by thomash2 » Wed May 30, 2018 3:38 am

The internal captcha probably doesn't have personal data implications. You could switch to that one. Or is it easy to break?

We would also need to consider the use of Gmail account for receiving order notifications, since Google has access to the data and analyze the contents. Google servers might also be outside of the EEA. Also, need to consider what happens if you host OC on a server outside of the EEA. There is a section on the GDPR about transfer of data out of the EEA, the requirements for doing it and informing the users about it.

There also might be implications if you use Google Translate in Chrome to automatically translate your customer emails since Google gets a copy of the contents. Might be safer to disable translate in Chrome, and copy only non-identifiable text from the email and paste it into Translate directly. You might also want to disable Google Translate from reading your backend. And I used to have the Google Translate bar on the top of my website but I took it off.

Other embedded content like Google Maps and Youtube videos add and read cookies. I'm only going to use external links, no more iframes.


Post by daniGo » Wed May 30, 2018 3:59 am

There are also addthis.com cookies on the product page.


Post by thomash2 » Wed May 30, 2018 4:09 am

Yes, I already removed addthis from my website. There is probably a way to use it while staying compliant but I won't bother using it at all.


Post by ADD Creative » Wed May 30, 2018 5:17 am

OSWorX wrote:
Wed May 30, 2018 12:07 am
JNeuhoff wrote:
Tue May 29, 2018 8:26 pm
OK, here is a question:

A customer has ordered items in the past, and the store owner received email copies of submitted online orders. Now the customer wants to make use of his right to be deleted. So the store owner can delete his account, no problem. But what about the order history in the database? Also, there will be plenty of emails in the store owner's email software (Outlook, or whatever email software he uses)? Does the latter need to be cleared as well from Outlook?
As written earlier here somewhere: you have to store only related data for your tax office (ask them how long in your country, between 7 and 15 years).

And the only document which is relevant for that is .. the Invoice.
Which means: basically also the order table in OpenCart can be deleted when a customer requests to delete all his data.
That is not true in the United Kingdom. Under UK VAT law (see HMRC rules under section 2.3 at the link below) you need to keep all manner of records for at least 6 years from the end of the last company financial year they relate to. Including orders and relevant business correspondence, which would mean the order history stored in the database.

https://www.gov.uk/government/publicati ... at-records

If you are zero-rating VAT for sales outside the EU you will also have to keep other evidence, such as despatch or export. If you make digital sales and use the VAT MOSS service you have to keep some records for 10 years.

www.add-creative.co.uk



Post by thomash2 » Wed May 30, 2018 5:39 am

What happens for example, if you store the OC site on an EEA server, then you go travelling outside the EEA and access your backend and look up order information from overseas on your mobile phone or laptop? Are you then making an international transfer of personal data? And if you save your email through IMAP/POP3 on your mobile phone that may contain order information and take the mobile phone with you overseas? How would you word this in the privacy policy? What about all the data from past customers from previous years that had a policy without the new text?

Similarly, if you make waybills with FedEx and UPS, their systems are international and personal data are most probably being exported. How would you word the privacy policy?

And suppose you relocate your business out of the EEA? How do you legally take the data with you out of the EEA?


Post by OSWorX » Wed May 30, 2018 5:53 am

ADD Creative wrote:
Wed May 30, 2018 5:17 am
That is not true in the United Kingdom.
As written, every shop owner has to know his business and the laws in his country by himself.
Asking here questions how long to keep records, is a bit late ..

He has also to know which specific regulations he has to look for.

Fact is, that an Invoice has to be a non-editable document and is non-revocable - it is an official document.

All of which OpenCart is not and does not have by default.
It is then the question how your local tax office will trust the data(tables) in OpenCart/Database - I guess not (as it was at my last company audit!) because they can be edited at any time in any way.


Post by ADD Creative » Wed May 30, 2018 5:58 am

thomash2 wrote:
Wed May 30, 2018 3:38 am
The internal captcha probably doesn't have personal data implications. You could switch to that one. Or is it easy to break?

We would also need to consider the use of Gmail account for receiving order notifications, since Google has access to the data and analyze the contents. Google servers might also be outside of the EEA. Also, need to consider what happens if you host OC on a server outside of the EEA. There is a section on the GDPR about transfer of data out of the EEA, the requirements for doing it and informing the users about it.

There also might be implications if you use Google Translate in Chrome to automatically translate your customer emails since Google gets a copy of the contents. Might be safer to disable translate in Chrome, and copy only non-identifiable text from the email and paste it into Translate directly. You might also want to disable Google Translate from reading your backend. And I used to have the Google Translate bar on the top of my website but I took it off.

Other embedded content like Google Maps and Youtube videos add and read cookies. I'm only going to use external links, no more iframes.
There is lots of information on using Google's services at this link. https://cloud.google.com/security/gdpr/

They do seem to meet all the standards required. However this only seems to apply to the paid-for business G Suite version of Gmail. Using the free personal version of Gmail would probably not be compatible with the GDPR. There is no way to agree a processing contract for one. There is in G Suite I believe.
