84 replies to this topic

[andy_1984]

The way websites track visitors and tailor ads to their behaviour is about to undergo a big shake-up.

full article here: http://www.bbc.co.uk/news/technology-12668552

[burt]

What is your idea on how osCommerce shopkeepers should handle this?

Edited by burt, 09 March 2011 - 02:35 PM.

[andy_1984]

burt, on 09 March 2011 - 02:35 PM, said:

What is your idea on how osCommerce shopkeepers should handle this?

ive been thinking about a less painless way since hearing about it last night.

removing the need for cookies completely and using sessions instead is one option

the other (for people who need to use cookies) will need to ask the European users permission when first accessing the website. rough example:

this website requires the use of cookies but due to new European law we must ask for your permission to store cookies on your computer. do you wish to enable cookies. selecting no will prevent you from using the site properly and may effect your shopping etc etc. (yes / no button here)

obviously there would need to be a rewrite of the cookie functions to accommodate this permission request but i havnt got that far yet

Edited by andy_1984, 09 March 2011 - 03:19 PM.

[web-project]

the law been created by person without any knowledge of web or PC...

[GwilliamP]

As this is now coming into effect, does anyone have any ideas on how to actually deal with this STUPID situation?

According to the EU we have only 3 weeks to deal with this! Here in the UK it seems that we might have a 12 month grace period due to the fact that the responsible minister appreciates that we need time to come up with solutions.

I have  v2.2 RC2a sites so a suitable solution would be appreciated

Paul.

[burt]

Cookies for site functionality are fine.  Are there any un-needed cookies in your site?

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/cookie_rules_prepare.aspx (PDF file)

[GwilliamP]

burt, on 26 May 2011 - 11:35 AM, said:

Cookies for site functionality are fine.  Are there any un-needed cookies in your site?

http://www.ico.gov.u...es_prepare.aspx (PDF file)

Thank you for the quick response.

I have d/l and read the PDF. As a 'layman' most of it is gobledygook to me. I have absolutely no idea what cookies osC uses and, if it does, whether or not they fall foul of this nonsense.

I suspect I am not alone in that I managed to sort out a domain and hosting, spent months 'tweaking' osC with add-ons but only because of the instructions that came with them and the help of this forum. 'Coding PHP/HTML' is a foreign art that I do not have. Consequently, adding add-ons is a challenge. As far as understanding cookies - ????.

If it is not too much to ask, could someone help me, and others like me, by suggesting what we need to do to comply with this nonsense?

[burt]

In my opinion every cookie set by osCommerce is critical to the function of osCommerce, hence you need do nothing to comply.

[toyicebear]

It seems its more aimed at sites setting 3 party cookies

[GwilliamP]

toyicebear, on 27 May 2011 - 01:10 AM, said:

It seems its more aimed at sites setting 3 party cookies

burt said:

In my opinion every cookie set by osCommerce is critical to the function of osCommerce, hence you need do nothing to comply.

So a simple statement in Privacy stating that "no 3rd party cookies are used and any cookies created are for the sole purpose of, and essential to, the function of the site" should suffice?

If that is the case then I am even more impressed by osC

[Xpajun]

This wonderful line is in your cookie_usage.php (it shows when customers have their browser set not to accept cookies and your store is set to force cookie use)

Quote

"Cookies must be enabled to purchase online on this store to embrace privacy and security related issues regarding your visit to this site.

By enabling cookie support on your browser, the communication between you and this site is strengthened to be certain it is you who are making transactions on your own behalf, and to prevent leakage of your privacy information."

osC cookies are not the tracking cookies that the EU are getting concerned about

[14steve14]

I have just received an email from the ICO office with a link to the PDF that is already listed in this forum.  After having read this forum and the email, di i take it that oscommerc does not use cookies apart from those needed to complete a service requested by a customer ie  to complete an order and send it.

If that is the case, it looks as if nothing need to be done.  I am not too hot on programming, so dont fully understand what oscommerce does with cookies.

[GwilliamP]

14steve14, on 08 June 2011 - 08:41 AM, said:

I have just received an email from the ICO office with a link to the PDF that is already listed in this forum.  After having read this forum and the email, di i take it that oscommerc does not use cookies apart from those needed to complete a service requested by a customer ie  to complete an order and send it.

If that is the case, it looks as if nothing need to be done.  I am not too hot on programming, so dont fully understand what oscommerce does with cookies.

We are in the same boat. I also read the document but had trouble making sense of it. From all the comments above I ended up adding the following paragraph to the Privacy page.

On  26 May 2011, the rules about cookies on websites changed. This site  uses cookies. One of the cookies we use is essential for
parts of the  site to operate and has already been set. You may delete and block all  cookies from this site, but parts of the site will not work.
We do not  use 3rd party tracking cookies. For further information look at [url="http://www.allaboutcookies.org/"]allaboutcookies.org[/url]

Edited by GwilliamP, 08 June 2011 - 10:36 AM.

[NielsVanDelt]

I have just received an email from the ICO office with a link to the PDF that is already listed in this forum.[img]http://forums.oscommerce.com//public/style_emoticons/default/mellow.png[/img]

Edited by NielsVanDelt, 15 September 2011 - 11:48 AM.

[14steve14]

Go to the ICO website and see what they have done on their front page.  There is a large box at the top of the page explaining about cookies.  Its the first time i have seen something like this.

[graith]

To be absolutely pedantic for a minute, a cookie is stored to maintain a session and having it stops the need for URLs to have oscsid=aabbccdd112233 in the URL. If you were to say why not do that, I'd say that it is indeed a security risk. Where a site is misconfigured and they maintain this, past the first page click, those links sometimes get posted on Google and clicking on the link can restart a session. That session is then shared with anyone else who clicks on the link. That means the second customer can go to the account details page and see your address and your past orders.

However
The session is only needed to store your cart, a non-default language, a non-default currency, so if a customer is just looking around, comparing prices, seeing what you've got to sell, there's really no need to have that information stored so a session doesn't need to be started. Also, that tends to be what web robots and spiders do - they don't need sessions.

The trick then becomes, can we start the session when a "Buy Now" button is pressed.

The other aspect is Google Analytics. That surely is not necessary to the customer experience but very useful for store owners.

The final piece is  $_SERVER variable called $_SERVER['HTTP_DNT'] which is set to 1 in Firefox if the customer has configured "Tell websites I do not want to be tracked". Other browsers don't support it yet, but surely it's only a matter of time.

Graith

[MrPhil]

That's an interesting proposition -- to not start a session (by either sessionID or cookie) until it's necessary to pass information between pages. I'm sure that normal session maintenance cookies certainly don't violate the spirit of the law, although who knows if some computer-illiterate bureaucrat or judge would interpret it as violating the letter of the law. If I were in the E.U., I would go ahead and use session cookies, and if someone wanted to prosecute me for it, make a huge public stink about how stupid the law is and the E.U. should simply go out of business!

An aside: I wonder how the Dutch feel about limiting cookies? After all, the word descends from a Dutch term for "little cakes" and spread from New Amsterdam (now New York) into American English. I understand that the British still call them "biscuits".

[BarryEbenezer]

Does that mean they will disallow cookies completely? What would the implications be for forums and sites that use them at the moment?

[WallaceNetworks.co.uk]

I believe the main issues is if you have Google Analytics on your eCommerce site, as that uses cookies, and they are 3rd party tracking cookies.
On the bright side, in the UK even the Information Commissioner's Office Website does not technically comply with the cookie law, but you have to wonder how likely it is that having cookies (even google analytics cookies) would result in legal action.

Personally, i believe it is arguable that even the Google Analytics cookies are essential to the operation of your website, in order to make it function better for the visitors to it.

This is of course merely my personal opinion and not legal advice, but for comparison, has any website owner ever been prosecuted under the disability discrimination act?

[MrPhil]

This is a well-intentioned law (forbid the invasion of privacy by tracking cookies) implemented in a brain-dead manner. My non-legal advice would be to

• Make sure you don't install any add-ons (e.g., Google Analytics) which do add what could reasonably be called tracking cookies.
  
• If you really want to add tracking cookies (where they're legal), look into disabling that feature for EU users (both IP address geo-location and registered user's countries).
  
• Add some highlighted text to the Terms of Service notifying users that you do use session-maintenance cookies, that are deleted when the browser closes (check if that's true...).

If the authorities come after you, raise a public stink about how government sites (e.g., ICO) use illegal tracking cookies, and how they should be prosecuted first! Maybe you can gain fame as the straw that broke the EU camel's back!