Post by jossoway » Fri May 27, 2011 4:56 pm

Hi,

This is my first post here. I am a web designer based in the UK who has just started using OpenCart and so far I absolutely love it.

Today, a client asked me if the new EU Cookie Legislation laws would affect them if they are using OpenCart, and if so, what can they do about it. Can anyone help? I am assuming that OpenCart uses session cookies when a user is logged in. If OpenCart does use cookies, can anyone tell me what data is stored on a user's computer so I can at least advise my client what they can put in their privacy policy?

Thanks in advance!

John


Post by SXGuy » Fri May 27, 2011 10:03 pm

As far as I'm aware, the cookie legislation refers to private data that may be stored in a website database, i.e. credit card information.

However, if, as most OpenCart users do, you use a payment gateway such as PayPal, no credit card details are ever stored in the cart database, because those details are entered, if needed, on PayPal's own SSL-secured page.
The only info returned to the store is whether the payment was successful or not.

If a store owner were to use their own merchant process or accept offline credit card payments, that may fall under an issue or 2 regarding the cookie legislation.

The only information stored by the shop, would be name and address, for shipping purposes.

But you can have the option of a guest checkout, which means nothing is actually stored at all.

The only thing the OpenCart session stores is the product details in the cart and shipping session variables (someone can correct me if I'm wrong).


Post by i2Paq » Fri May 27, 2011 11:30 pm

The EU cookie is NOT about storing Credit Card data.
From 25 May, new European laws will dictate that “explicit consent” must be gathered from web users who are being tracked via cookies. That translates into warnings which will put off consumers from EU sites, while US-based startups will be free to continue as they are. How convenient huh.
Source

OC has an issue there......

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.



Post by opencartisalright » Fri May 27, 2011 11:59 pm

Guess if you want to start an online business you might as well just move to the good old US of A to do it. ;)


Post by Qphoria » Sat May 28, 2011 12:05 am

OC doesn't track any cookies. It has a cookie for your default language and currency... I think this falls outside the realm of any ruling. If they need explicit consent then the EU needs to force people to enable the cookie monitor on their browser. This isn't something a website needs to change. You freakin foreigners have some of the bad-shit stupidest laws.


Post by i2Paq » Sat May 28, 2011 12:17 am

I agree, it is the most stupid Law ever!

Anyway, is there a (Free) pop-up Modification available?


Post by Moggin » Sat May 28, 2011 12:52 am

As much as I can tell - and I'm no lawyer - doesn't this relate mostly to cookies used in advertising:

"The directive demands that users be fully informed about the information being stored in cookies and told why they see particular adverts.

Specifically excluded by the directive are cookies that log what people have put in online shopping baskets."


http://www.bbc.co.uk/news/technology-12668552
Qphoria wrote:.. You freakin foreigners have some of the bad-shit stupidest laws.
...couldn't have put it better myself. EU bureaucrats make a lot of laws they can't possibly enforce, gives them something to do!

I read somewhere that we aren't permitted to store data outside the EU? - so all us Dropbox users are breaking some obscure law somewhere. Oh dear! ::) :joker:


Post by Qphoria » Sat May 28, 2011 1:59 am

And didn't the French just say that storing customer passwords can't be encrypted? So any hacker can just gain access to an account and save the step of cracking the password hash.


Post by grgr » Sat May 28, 2011 2:27 am

I think that the whole issue came about with the sharing of data (you know - those ads that mysteriously seem to know what you've been shopping for lately) and other tracking activities. Alas, the people that then made the laws (in good faith I think, because I am a bit fed up with all the tracking cookies) were likely incapable of programming their oven timer, let alone understanding the issue that they were creating.

On the basis that I don't track anyone and only use cookies on my own websites and that they are used only on a particular website to enable the website to function, I'm ignoring the whole thing.

The one thing that I will be doing is to add a 'you need to enable cookies to shop at this website' message as some people may start to turn them off, see comment below!

Thing is, most people barely know how to turn on their computer (I know this is true it used to be my job) so how the hell are you going to explain the ins and outs of cookies to people?

Oh, you've also got another year not to worry about it, as it has been deferred for 12 months as the reality of the stupidity has kicked in and no one in the government has any idea of what's going on, or what to do about it, or how to interpret the whole thing. Oh, and the regulations do not require user consent where the cookie is "strictly necessary" to allow the website to provide a service - in other words, like the shopping cart type cookie. As far as I am aware, v1.5 of OC is using a cookie to store language, currency, affiliate tracking and the session cookie. All these are required for the website to physically function correctly and I therefore class them as necessary.

Theory goes that the browsers will start to incorporate something to deal with this and then your average website owner can probably largely just get on with it.

The ICO website has a silly banner and a ticky box, but the rest of the government's websites (direct.gov, number 10, parliament, fco etc) are all blatantly ignoring the law so I shall too!!

-
VIEW ALL EXTENSIONS * EXTENSION SUPPORT * WEBSITE * CUSTOM REQUESTS


User avatar
Active Member

Posts

Joined
Mon Mar 28, 2011 4:08 pm
Location - UK

Post by grgr » Sat May 28, 2011 2:31 am

Qphoria wrote:And didn't the french just say that storing customer passwords can't be encrypted. So any hacker can just gain access to an account and save the step of cracking the password hash.
Yeah, but that's a whole different thing, that be big brother wanting access to stuff.

If the password is encrypted and you refuse to hand over the encryption code....

All the snooping rumours are very likely true - some years ago our company was approached with a view to implementing a zero packet loss capture system. We never did get the specific details, but it was quite obvious what it was for....


Post by Moggin » Sat May 28, 2011 10:37 pm

grgr wrote:I think that the whole issue came about with the sharing of data (you know - those ads that mysteriously seem to know what you've been shopping for lately) and other tracking activities. Alas, the people that then made the laws (in good faith I think, because I am a bit fed up with all the tracking cookies) were likely incapable of programming their oven timer, let alone understanding the issue that they were creating....

Oh, you've also got another year not to worry about it, as it has been deferred for 12 months as the reality of the stupidity has kicked in and no one in the government has any idea of what's going on, or what to do about it, or how to interpret the whole thing. Oh, and the regulations do not require user consent where the cookie is "strictly necessary" to allow the website to provide a service - in other words, like the shopping cart type cookie. As far as I am aware, v1.5 of OC is using a cookie to store language, currency, affiliate tracking and the session cookie. All these are required for the website to physically function correctly and I therefore class them as necessary. ..
grgr, I think you have it right. I've now read 17 pages of gumph from the ICO site. Here are some more details (Brits only):

(2) The requirements are that the .. user …

(a) is provided with clear and comprehensive information about the
purposes of the [cookie]; and

(b) has given his or her consent.


* As grgr says - you don't have to obtain consent if setting the cookie/s is 'strictly necessary' for a service requested by the user. This has to apply to a shopping cart - and functions such as currency or language choices. But the emphasis is on 'strictly'.

* The new rule is meant to protect users' privacy. The more 'intrusive' the use of cookies, the more the site owner needs to review their use (they say). They discuss an example of using a cookie to log details of browsing activity. Nothing in a standard OpenCart installation does anything like this (AFAIK).

* They don't recommend popups - and suggest instead adding a tick box to the site (as OC does now, when the customer agrees to terms and conditions).

* They don't have a clue how to deal with 'third party cookies' as they call them. That might include 'social/share' buttons: it's the only area of an OpenCart site that might come close to setting an 'intrusive' cookie, and then only if you've put a 'share' button in there. But that part of the document is currently a fudge.

* They can fine organisations which don't comply, but they have to show there has been: a) a serious contravention of the new law; and b) that contravention was likely to cause substantial damage/distress.

Sources if interested:
http://www.ico.gov.uk/~/media/documents ... ations.pdf

http://www.ico.gov.uk/~/media/documents ... ons_v1.pdf
grgr wrote:The ICO website has a silly banner and a ticky box, but the rest of the government's websites (direct.gov, number 10, parliament, fco etc) are all blatantly ignoring the law so I shall too!!
:laugh: nice one!!


Post by myshadowself » Sun Jun 12, 2011 3:31 am

It's a pain in the arse, this new legislation, but we don't really need to worry too much as it's mainly designed to change those re-targeting ads into opt-in instead of opt-out.
grgr wrote:you know - those ads that mysteriously seem to know what you've been shopping for lately
The IAB are spending a fortune on trying to figure the legislation out properly, with a definitive answer that covers everyone imminent. Although they originally advised that standard browser settings would suffice, the EU has come back and said it's not good enough.

I think we're all probably going to need to change our privacy policies at least, and maybe even put a "by logging in you expressly agree to accept a cookie" under our login boxes. Apart from that, I doubt it'll affect most of us that much. Popups won't be necessary...
Qphoria wrote:You freakin foreigners have some of the bad-shit stupidest laws.
Ain't that the f**king truth buddy? We don't execute though, and where I come from, you're the freakin foreigner ;D

Also, it might become similar to the USA's bad-shit stupid online gambling law, where if a site based anywhere else in the world allows an American to gamble, they can be tried under US law - who knows? Regardless of where in the world you are, if you trade in the EU, I'd be keeping an eye on what happens.

Ronald Laughton is the worst referee in Rugby League


Post by trader » Mon Jun 13, 2011 9:57 am

This is yet another madcap policy from Brussels, and the reason why most Brits don't want to know about the frigging EU. We have to put up with laws passed by faceless bureaucrats that nobody knows or ever voted for.

The Brits are still in the EU because of the huge number of liberal twat MPs we have in our country who refuse to let us have a referendum because they know we will vote to leave. Poor old Winston must be turning in his grave.

OK, I've said enough, perhaps we should have a vote to leave politics out of OC :)


Post by pbenfield » Tue Jun 14, 2011 5:47 pm

I am used to such edicts from Europe and I realise they are making a point but do not fully understand what they have written.

A previous contributor rightly stated that if you have in your terms and conditions and privacy statement:

Privacy:

....We log domain names and/or IP addresses, and browser type for our internal site traffic statistics. IP addresses, etc. are not tied to company or individual identifiable information. In some cases we retain the right for further details. We only use cookies to monitor activity on parts of the website and to analyse the popular products. ...

Terms and Conditions:

.....By accessing and browsing this Site you accept, without limitation or qualification, the Terms and Conditions contained below and all applicable laws. We may at any time revise these Terms and Conditions by updating this posting. You agree to be bound by such revisions, and you should periodically revisit this page to review the then current Terms and Conditions....We do not store your credit card information in our internal database. Only authorized staff of an “ecart” payment organisation have access to this information and such data is stored and protected by their security processes, encryption, firewalls and intrusion detection systems to prevent any unauthorised access.

.....Cookies may be used on this site to enable Customers to use the Shopping Cart, process Customer Orders and to store Customer details.... As this forms an important part of the process...


The above is a general theme where you tell the customers of the cookie use and that it is part of your cart, statistics etc. When they tick the box to agree to the Terms and Conditions, they accept this as they have been duly informed.


Post by mberlant » Tue Jun 14, 2011 8:01 pm

pbenfield wrote:....Cookies may be used on this site to enable Customers to use the Shopping Cart, process Customer Orders and to store Customer details.... As this forms an important part of the process...
Store customer details?? Not on your life! As a customer, nobody has the right to store my customer details in a cookie on any PC I may happen to sit at momentarily.

Please use proper English at all times, so that all members may understand you.


Post by Guardian » Wed Jun 15, 2011 5:23 am

This is an off-shoot legislation derived from the Data Protection Act 1998 [DPA] (which I actually consulted on).
OpenCart does not violate any of the concerns expressed here because no personally identifying information is stored within any cookies.

The DPA legislation applies to your (EU) website but only as far as you are storing the name and address of the user within the database. Your Privacy Policy only needs to state you do not sell, share, rent or otherwise disclose this information to any third parties EXCEPT when you are forwarding that information (as all carts do) to the payment processor.


Post by mberlant » Wed Jun 15, 2011 9:43 am

And even more comforting is the fact that, to my observation, OpenCart cookies are set to persist for only one month. If a customer does not revisit the same site from the same computer within a month, that information is too stale to use, anyway.

I have serious privacy concerns with sites that are too lazy to set a reasonable expiration date for cookies, and just set the cookie to expire on some fixed date 30 years in the future. No cookie should ever persist for more than one year without being refreshed. If web site programmers are too lazy or sloppy to conscientiously manage cookies, what else are they too lazy or sloppy to manage properly? Are you listening, Google? Microsoft?


Post by pbenfield » Fri Jun 17, 2011 6:28 am

I think that "mberlant" does not quite understand what a cookie is and how they are used, and the difference between those used to verify an account, check an IP address or give statistics on a website, and the case where you log into a website or email and your store saves this information so they recognise you when you log in. That is a cookie.

You cannot exist in a cart business without cookies, so perhaps he does not have a cart.

Your mobile phone is storing cookies all the time!!!!!!!!


Post by mberlant » Fri Jun 17, 2011 9:10 am

I am sorry that my understanding is not up to your standard.

Please explain to me the necessity of setting a cookie that has personally identifiable information ("...store customer details,..." are your words, not mine) that persists for more than the duration of one session. Any cookie with personally identifiable information that is set without the explicit permission of the user is a violation of privacy and is an invitation to identity theft. Agreeing to such vague words on a Terms and Conditions page does not constitute this explicit permission, since the details of what would be stored in such a cookie are not spelled out. Horrible as the wording of the new EU legislation is, this is precisely the sloppiness and carelessness in programming that the EU law is trying to correct.

Please explain to me the necessity of setting any cookie that persists for more than one year without being refreshed on a subsequent visit. What is the value of any information stored in such a cookie and not revisited in the space of a year?

Please improve my understanding.


Post by Guardian » Fri Jun 17, 2011 8:59 pm

Can a moderator please lock this?
For the last time, OpenCart does NOT store personally identifying information in cookies!
Don't believe me?
Install the Web Developer plug-in for Firefox https://addons.mozilla.org/en-US/firefo ... developer/
and see for yourself exactly what is stored: the user's encrypted session key, language and currency preferences.
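Two points in this thread lend themselves to a concrete check: mberlant's concern that cookies should not persist for more than a year without being refreshed (and should not carry customer details at all), and Guardian's suggestion to look at what the store actually sets. The script below is an added example, not OpenCart's own code and not part of any post above: it parses Set-Cookie header values the way a browser would and flags the properties the thread argues about. The header lines in SAMPLE_HEADERS are constructed for illustration, and their cookie names are assumptions, not taken from a real OpenCart installation.

```python
"""Audit what a storefront's cookies carry and how long they live.

Added example, not OpenCart's own code. The Set-Cookie lines in
SAMPLE_HEADERS are constructed for illustration; their names are
assumptions and not taken from any real OpenCart installation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

ONE_YEAR = timedelta(days=365)

# Name fragments that hint a cookie carries personal data on the client.
PII_HINTS = ("name", "email", "address", "phone", "postcode", "zip")

# Fixed reference time so the lifetime arithmetic is reproducible.
NOW = datetime(2011, 6, 17, tzinfo=timezone.utc)

# Constructed Set-Cookie header values, as a browser would receive them.
SAMPLE_HEADERS = [
    "PHPSESSID=3f9a1c7e2b; Path=/; HttpOnly",
    "language=en-gb; Expires=Sun, 17 Jul 2011 00:00:00 GMT; Path=/",
    "customer_email=john%40example.com; Max-Age=946080000; Path=/",
]


@dataclass
class CookieReport:
    name: str
    value: str
    lifetime: Optional[timedelta]  # None: the cookie dies with the browser session
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str, now: datetime) -> CookieReport:
    """Split one Set-Cookie value into name, value and the attributes we audit."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    lifetime: Optional[timedelta] = None
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "max-age":
            # Max-Age takes precedence over Expires when both are present.
            lifetime = timedelta(seconds=int(val))
        elif key == "expires" and lifetime is None:
            lifetime = parsedate_to_datetime(val) - now
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val
    return CookieReport(name.strip(), value, lifetime, secure, httponly, samesite)


def audit_cookie(header: str, now: datetime = NOW) -> CookieReport:
    """Flag the properties debated above: lifetime, personal data, transport flags."""
    report = parse_set_cookie(header, now)
    if report.lifetime is not None and report.lifetime > ONE_YEAR:
        report.findings.append(
            f"persists {report.lifetime.days} days without refresh (over one year)")
    if any(hint in report.name.lower() for hint in PII_HINTS):
        report.findings.append("name suggests personal data stored on the client")
    if not report.httponly:
        report.findings.append("readable by page scripts (no HttpOnly flag)")
    if not report.secure:
        report.findings.append("also sent over plain HTTP (no Secure flag)")
    return report


def audit_all(headers=SAMPLE_HEADERS, now: datetime = NOW) -> List[CookieReport]:
    """Audit every header in the list and return one report per cookie."""
    return [audit_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for r in audit_all():
        life = "session" if r.lifetime is None else f"{r.lifetime.days} days"
        print(f"{r.name}: lifetime={life}, Secure={r.secure}, HttpOnly={r.httponly}")
        for f in r.findings:
            print(f"    - {f}")
```

Run against a real storefront, the headers would come from the Set-Cookie values in the HTTP response rather than SAMPLE_HEADERS; the session cookie in the sample passes the lifetime check because it has no expiry at all, the language cookie lives for a month, and the constructed thirty-year customer_email cookie trips both the lifetime and the personal-data finding, which is exactly the pattern mberlant objects to.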
