This is my first post here. I am a web designer based in the UK who has just started using OpenCart and so far I absolutely love it.
Today, a client asked me if the new EU Cookie Legislation laws would affect them if they are using OpenCart, and if so, what can they do about it. Can anyone help? I am assuming that OpenCart uses session cookies when a user is logged in. If OpenCart does use cookies, can anyone tell me what data is stored on a user's computer so I can at least advise my client what they can put in their privacy policy?
Thanks in advance!
John
However, if you, like most OpenCart users, use a payment gateway such as PayPal, no credit card details are ever stored in the cart database, because those details are entered, if needed, in PayPal's own SSL secure page.
The only info returned to the store is whether the payment was successful or not.
If a store owner were to use their own merchant process or accept offline credit card payments, that may fall under an issue or 2 regarding the cookie legislation.
The only information stored by the shop would be name and address, for shipping purposes.
But you can have the option of a guest checkout, which means nothing is actually stored at all.
The only thing the OpenCart session stores is the product details in the cart and shipping session variables (someone can correct me if I'm wrong)
Source: From 25 May, new European laws will dictate that “explicit consent” must be gathered from web users who are being tracked via cookies. That translates into warnings which will put off consumers from EU sites, while US-based startups will be free to continue as they are. How convenient huh.
OC has an issue there......
Norman in 't Veldt
Moderator OpenCart Forums
Anyway, is there a (Free) pop-up Modification available?
Norman in 't Veldt
Moderator OpenCart Forums
"The directive demands that users be fully informed about the information being stored in cookies and told why they see particular adverts.
Specifically excluded by the directive are cookies that log what people have put in online shopping baskets."
http://www.bbc.co.uk/news/technology-12668552
Qphoria wrote: .. You freakin foreigners have some of the bad-shit stupidest laws.
...couldn't have put it better myself. EU bureaucrats make a lot of laws they can't possibly enforce, gives them something to do!
I read somewhere that we aren't permitted to store data outside the EU? - so all us Dropbox users are breaking some obscure law somewhere. Oh dear!
On the basis that I don't track anyone and only use cookies on my own websites and that they are used only on a particular website to enable the website to function, I'm ignoring the whole thing.
The one thing that I will be doing is to add a 'you need to enable cookies to shop at this website' message as some people may start to turn them off, see comment below!
Thing is, most people barely know how to turn on their computer (I know this is true it used to be my job) so how the hell are you going to explain the ins and outs of cookies to people?
Oh, you've also got another year not to worry about it as it has been deferred for 12 months as the reality of the stupidity has kicked in and no one in the government has any idea of what's going on or what to do about it or how to interpret the whole thing. Oh, and the regulations do not require user consent where the cookie is "strictly necessary" to allow the website to provide a service - in other words, like the shopping cart type cookie. As far as I am aware, v1.5 of OC is using a cookie to store language, currency, affiliate tracking and the session cookie. All these are required for the website to physically function correctly and I therefore class them as necessary.
Theory goes that the browsers will start to incorporate something to deal with this and then your average website owner can probably largely just get on with it.
The ICO website has a silly banner and a ticky box, but the rest of the government's websites (direct.gov, number 10, parliament, fco etc) are all blatantly ignoring the law so I shall too!!
Qphoria wrote: And didn't the French just say that storing customer passwords can't be encrypted. So any hacker can just gain access to an account and save the step of cracking the password hash.
Yeah, but that's a whole different thing, that be Big Brother wanting access to stuff.
If the password is encrypted and you refuse to hand over the encryption code....
All the snooping rumours are very likely true - some years ago our company was approached with a view to implement a zero packet loss capture system, we never did get the specific details but it was quite obvious what it was for....
grgr wrote: I think that the whole issue came about with the sharing of data (you know - those ads that mysteriously seem to know what you've been shopping for lately) and other tracking activities, alas, the people that then made the laws (in good faith I think, because I am a bit fed up with all the tracking cookies) were likely incapable of programming their oven timer let alone understanding the issue that they were creating.... Oh, you've also got another year not to worry about it as it has been deferred for 12 months as the reality of the stupidity has kicked in and no one in the government has any idea of what's going on or what to do about it or how to interpret the whole thing. Oh, and the regulations do not require user consent where the cookie is "strictly necessary" to allow the website to provide a service - in other words, like the shopping cart type cookie. As far as I am aware, v1.5 of OC is using a cookie to store language, currency, affiliate tracking and the session cookie. All these are required for the website to physically function correctly and I therefore class them as necessary. ..
grgr, I think you have it right. I've now read 17 pages of gumph from the ICO site. Here are some more details (Brits only):
(2) The requirements are that the .. user …
(a) is provided with clear and comprehensive information about the
purposes of the [cookie]; and
(b) has given his or her consent.
* As grgr says - you don't have to obtain consent if setting the cookie/s is 'strictly necessary' for a service requested by the user. This has to apply to a shopping cart - and functions such as currency or language choices. But the emphasis is on 'strictly'.
* The new rule is meant to protect users' privacy. The more 'intrusive' the use of cookies, the more the site owner needs to review their use (they say). They discuss an example of using a cookie to log details of browsing activity. Nothing in a standard Opencart installation does anything like this (AFAIK).
* They don't recommend popups - and suggest instead adding a tick box to the site (as OC does now, when the customer agrees to terms and conditions).
* They don't have a clue how to deal with 'third party cookies' as they call them. That might include 'social/share' buttons: it's the only area of an Opencart site that might come close to setting an 'intrusive' cookie, and then only if you've put a 'share' button in there. But that part of the document is currently a fudge.
* They can fine organisations which don't comply, but they have to show there has been: a) a serious contravention of the new law; and b) that contravention was likely to cause substantial damage/distress.
Sources if interested:
http://www.ico.gov.uk/~/media/documents ... ons_v1.pdf
grgr wrote: The ICO website has a silly banner and a ticky box, but the rest of the government's websites (direct.gov, number 10, parliament, fco etc) are all blatantly ignoring the law so I shall too!!
nice one!!
grgr wrote: you know - those ads that mysteriously seem to know what you've been shopping for lately
The IAB are spending a fortune on trying to figure the legislation out properly, with a definitive answer that covers everyone imminent. Although they originally advised that standard browser settings would suffice, the EU has come back and said it's not good enough.
I think we're all probably going to need to change our privacy policies at least, and maybe even put a "by logging in you expressly agree to accept a cookie" under our login boxes. Apart from that, I doubt it'll affect most of us that much. Popups won't be necessary...
Qphoria wrote: You freakin foreigners have some of the bad-shit stupidest laws.
Ain't that the f**king truth buddy? We don't execute though, and where I come from, you're the freakin foreigner
Also, it might become similar to the USA's bad-shit stupid online gambling law, where if a site based anywhere else in the world allows an American to gamble, they can be tried under US law - who knows? Regardless of where in the world you are, if you trade in the EU, I'd be keeping an eye on what happens.
Ronald Laughton is the worst referee in Rugby League
The Brits are still in the EU because of the huge number of liberal twat MPs we have in our country who refuse to let us have a referendum because they know we will vote to leave. Poor old Winston must be turning in his grave.
ok I've said enough, perhaps we should have a vote to leave politics out of OC
A previous contributor rightly stated that if you have in your terms and conditions and privacy statement
Privacy:
....We log domain names and/or IP addresses, and browser type for our internal site traffic statistics. IP addresses, etc. are not tied to company or individual identifiable information. In some cases we retain the right for further details. We only use cookies to monitor activity on parts of the website and to analyse the popular products. ...
Terms and Conditions:
.....By accessing and browsing this Site you accept, without limitation or qualification, the Terms and Conditions contained below and all applicable laws. We may at any time revise these Terms and Conditions by updating this posting. You agree to be bound by such revisions, and you should periodically revisit this page to review the then current Terms and Conditions....We do not store your credit card information in our internal database. Only authorized staff of an “ecart” payment organisation have access to this information and such data is stored and protected by their security processes, encryption, firewalls and intrusion detection systems to prevent any unauthorised access.
.....Cookies may be used on this site to enable Customers to use the Shopping Cart, process Customer Orders and to store Customer details.... As this forms an important part of the process...
This above is a general theme where you tell the customers of the cookie use and that it is part of your cart, statistics etc etc . When they tick the box to agree to the Terms and Conditions, they accept this as they have been duly informed.
pbenfield wrote: ....Cookies may be used on this site to enable Customers to use the Shopping Cart, process Customer Orders and to store Customer details.... As this forms an important part of the process...
Store customer details?? Not on your life! As a customer, nobody has the right to store my customer details in a cookie on any PC I may happen to sit at momentarily.
Please use proper English at all times, so that all members may understand you.
OpenCart does not violate any of the concerns expressed here because no personally identifying information is stored within any cookies.
The DPA legislation applies to your (EU) website but only as far you are storing the name and address of the user within the database. Your Privacy Policy only needs to state you do not sell, share, rent or otherwise disclose this information to any third parties EXCEPT when you are forwarding that information (as all carts do) to the payment processor.
I have serious privacy concerns with sites that are too lazy to set a reasonable expiration date for cookies, and just set the cookie to expire on some fixed date 30 years in the future. No cookie should ever persist for more than one year without being refreshed. If web site programmers are too lazy or sloppy to conscientiously manage cookies, what else are they too lazy or sloppy to manage properly? Are you listening, Google? Microsoft?
You can not exist in a cart business without cookies so perhaps he does not have a cart
Your mobile phone is storing cookies all the time!!!!!!!!
Please explain to me the necessity of setting a cookie that has personally identifiable information ("...store customer details,..." are your words, not mine) that persists for more than the duration of one session. Any cookie with personally identifiable information that is set without the explicit permission of the user is a violation of privacy and is an invitation to identity theft. Agreeing to such vague words on a Terms and Conditions page does not constitute this explicit permission, since the details of what would be stored in such a cookie are not spelled out. Horrible as the wording of the new EU legislation is, this is precisely the sloppiness and carelessness in programming that the EU law is trying to correct.
Please explain to me the necessity of setting any cookie that persists for more than one year without being refreshed on a subsequent visit. What is the value of any information stored in such a cookie and not revisited in the space of a year?
Please improve my understanding.
For the last time, OpenCart does NOT store personally identifying information in cookies!
Don't believe me?
Install the Web Developer plug-in for Firefox https://addons.mozilla.org/en-US/firefo ... developer/
and see for yourself exactly what is stored; the user's encrypted session key, language and currency preferences.
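
The check described in the last post (look at exactly what the store sets) and the one-year expiry limit argued for earlier in the thread can be scripted against captured `Set-Cookie` headers. This is an added example, not part of the original thread or OpenCart's code; the cookie names, the `audit` helper and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Assumed names for the cookies the thread lists (session, language, currency,
# affiliate tracking); confirm them against your own store.
EXPECTED = {"PHPSESSID", "language", "currency", "tracking"}
MAX_LIFETIME = timedelta(days=365)  # the one-year ceiling argued for in the thread

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest if p)}
    return name.strip(), unquote(value.strip()), attrs

def lifetime(attrs, now):
    """Return how long the cookie persists, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def audit(headers, now):
    """Return (cookie name, issue) pairs worth raising with the store owner."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        life = lifetime(attrs, now)
        if name not in EXPECTED:
            findings.append((name, "unexpected"))
        if life is not None and life > MAX_LIFETIME:
            findings.append((name, "long-lived"))
        if "@" in value:  # crude check for an e-mail address in the value
            findings.append((name, "pii-like"))
    return findings

# Constructed sample headers, not captured from a real store.
SAMPLE = [
    "PHPSESSID=3f2a9c1b7d; path=/",
    "language=en; expires=Sat, 09 Jul 2011 10:00:00 GMT; path=/",
    "currency=GBP; Max-Age=2592000; path=/",
    "customer=jane%40example.com; expires=Thu, 31 Dec 2037 23:59:59 GMT; path=/",
]
NOW = datetime(2011, 6, 9, 10, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, issue in audit(SAMPLE, NOW):
        print(f"{name}: {issue}")
```

Feed it the `Set-Cookie` lines copied from the browser's developer tools; an empty result means every cookie is on the expected list, lasts a year or less, and carries no e-mail-like value.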