Who in the EU has heard of GDPR and will it affect you


14steve14


@azpro what is the PHP version?
Strict cookies could be extended in the modal template with a foreach function.
What is the opt-out function?

@wHiTeHaT
I don't see the installed/non-installed on/off modules problem in your code example.
The oscTemplate class could handle all modules, not only the ht_ modules. For example, Google Tag Manager code implemented under the <body> tag, and the core being able to use a content module with a PHP cookie.

I don't mind if you extend or edit this code example. This could be a real function on GitHub. I dislike programming in posts.

osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shops management on 3000 pickup points without local store.

3 minutes ago, tgely said:

What is the PHP version?

PHP Version 5.5.9-1ubuntu4.24

4 minutes ago, tgely said:

Strict cookies could be extended in the modal template with a foreach function.

Of course ... did not think of that!

5 minutes ago, tgely said:

What is the opt-out function?

The opt-out built into cookieconsent3 - if you set Compliance type to "type": "opt-out"

See https://cookieconsent.insites.com/documentation/disabling-cookies/


24 minutes ago, tgely said:

I don't see the installed/non-installed on/off modules problem in your code example.

Couldn't that be invoked in an update function in the proposed cookie class? Every time a new module with getCookieStuff is installed it could do a ONE-TIME check and then update the database INSTALLED ...

I think it is worth the effort since speed is essential.


I've collected the personal data sources which should be managed in the data privacy policy document:

  • Registration
  • Newsletter (optional)
  • Orders
  • URL web log (IP address and behaviour)
  • Action recorder (IP address and email address)
  • Contact emails
  • Returns with bank account numbers


3 hours ago, azpro said:

The opt-out built into cookieconsent3 - if you set Compliance type to "type": "opt-out"

See https://cookieconsent.insites.com/documentation/disabling-cookies/

I don't understand this function. Why do you use it? If you want to disable all cookies, the HTML POST method enables it in the new management mode.

https://github.com/Gergely/oscommerce_ce/blob/a8838c9532dc9227a7f694df935badf2ab8d78ca/includes/classes/osc_template.php#L204-L211


@tgely I think it's important to take these rules into account. In case your approach doesn't work, it's important that all customers can accept the cookies or not.

You said cookies? With the GDPR, it is no longer possible to indicate on a site the following type of message: "by visiting our site, we consider that you accept the use of cookies". You will now have to ask permission for each of the cookies used on your e-commerce site. On our side, we will also update our cookies policy on the SendCloud site and ask permission from all our users to store their cookies during visits to our site.

Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 


Remove all non-essential cookies from osCommerce.

How many non-essential cookies are there?

If the shop owner then wants to use other non-essential cookies (e.g. Analytics), let the Analytics coders take care of it.


GDPR is clearly causing the UK government a headache! The Speaker of the House of Commons has this morning made a statement stating that the government accepts that many UK companies will not be compliant by the 25th. This was due to complaints by MPs that they did not understand what was required. Parliament has apparently appointed a company of consultants to give MPs training on how to be compliant but it seems they are still confused.

If the UK government hasn't a clue how to do it properly, what hope has anyone else!

Again another excuse to waste taxpayers' money implementing an EU regulation that nobody asked for.

 


5 hours ago, justcatering said:

GDPR is clearly causing the UK government a headache! The Speaker of the House of Commons has this morning made a statement stating that the government accepts that many UK companies will not be compliant by the 25th. This was due to complaints by MPs that they did not understand what was required. Parliament has apparently appointed a company of consultants to give MPs training on how to be compliant but it seems they are still confused.

If the UK government hasn't a clue how to do it properly, what hope has anyone else!

Again another excuse to waste taxpayers' money implementing an EU regulation that nobody asked for.

At the end of the day it's been on the cards for nearly two years now, so people are leaving it until the last minute as usual. I personally think it's a good thing what the EU are trying to achieve with this, and it's not often I say something good about them. All an MP, or anyone else for that matter, has to do is to read the ICO site in the UK and all will be as clear as it's ever going to get. If people don't care about their personal data then that's their choice from now on.

REMEMBER BACKUP, BACKUP AND BACKUP


I’m just not a fan of big government getting involved in business. Never have been, never will be. As for clarity, I’m not so sure now. Like you I looked at the regulation and thought it was straightforward and said as much before. Having now seen several versions of its interpretation (from correspondence I have received regarding this) it's clear not everyone agrees on how it applies!

So I’m revising my view in that if legal experts are not agreeing on how it should be implemented, what hope has Joe Bloggs.

What would have been nice is if this reg had worked to stop cold calling or unsolicited emails or mail! But no, if you are a marketing company you can keep on doing what you do as it's deemed a legitimate use!

I used this

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

from the ICO as a guide as they “should” know how to implement it right! Well I’m not so sure now! Have I got the right procedures and documentation in place to demonstrate compliance? Will I pass a compliance audit?

Add to this confusion the fact that we are already seeing adverts from companies offering to carry out GDPR audits (for a nice big fee) and I can only see this becoming another EU mess.

 

 


OK I think I have done all I need to do?

  • Stopped using Google Analytics and deleted the code (I don't use it much anyway)
  • Revised my privacy statement using the examples shown here: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-in-practice/
  • Added an option in the "My Account" section for customers to delete their account
  • Unsubscribed ALL customers from the mailing list
  • Sent an email to all customers explaining about GDPR, giving them links to our privacy policy and delete account function and telling them how to re-subscribe if they so wish
  • Added a modal popup to the site informing visitors about our revised privacy policy.

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Heather

Firstly, I probably would not have deleted all your newsletter contacts. I would have given them the chance to unsubscribe or update their details in an email. If you have collected their information correctly in the real world you don't really need to ask them to re-subscribe.

If you mention Google Analytics in your privacy policy you can still use them, as Google offers an add-on to allow customers to choose whether or not to be included, which apparently is fine. A link is here, so just put that in your policy. https://tools.google.com/dlpage/gaoptout?hl=en

The only other thing I am thinking of doing is adding a link to the privacy policy and a tick box to the create account page.

In my view the privacy policy was the hardest bit as it needed to be really changed to comply, but in reality it was nearly there anyway. A few bits needed adding which I got from others' policies like you did.

I have also added all of Gary's GDPR modules which makes everything so much easier.


@14steve14 Thanks for the info on the analytics opt-out tool - I have now added a link to the privacy policy to point to this.

I have MATC installed at the checkout confirmation page which I point with links to the Privacy Policy and the Conditions of the website plus I have added text to the create account pages with links to our privacy policy.

I also have the system set up to attach a PDF version of our terms and conditions, shipping terms and privacy policy to all customer order confirmation emails.

Many Thanks


 

Another potential option for Google Analytics is to use _anonymizeIp().

From the page itself:

Tells Google Analytics to anonymize the information sent by the tracker objects by removing the last octet of the IP address prior to its storage. Note that this will slightly reduce the accuracy of geographic reporting.

When using this function to anonymize tracking, you must use the push function and properly associate the function with the tracker object, as illustrated below.

In ht_google_analytics.php

change (from line 39)

        $header = '<script>
  var _gaq = _gaq || [];
  _gaq.push([\'_setAccount\', \'' . tep_output_string(MODULE_HEADER_TAGS_GOOGLE_ANALYTICS_ID) . '\']);
  _gaq.push([\'_trackPageview\']);' . "\n";

 

to

        $header = '<script>
  var _gaq = _gaq || [];
  _gaq.push([\'_setAccount\', \'' . tep_output_string(MODULE_HEADER_TAGS_GOOGLE_ANALYTICS_ID) . '\']);
  _gaq.push([\'_gat._anonymizeIp\']);
  _gaq.push([\'_trackPageview\']);' . "\n";

 

NOTE UNTESTED

 

If you wanted, you could make that bit configurable from the admin.

 

Source: https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApi_gat#_gat._anonymizeIp

Phoenix support now at https://phoenixcart.org/forum/
App created for phoenix
TinyMCE editor for admin

 


I think a page is also needed where you detail the information you log about customers and give them the right to view all of it (which can be done at the account page) but also to remove everything you have about them.

Also detail which third parties get the information and what kind of information, for example PayPal or the shipping company. Also Google Analytics and Facebook Pixel.

You have to protect your website, more specifically your database, against attacks which can lead to your database being stolen. You have 72 hours to report any attack.

Also on that page you have to specify all the cookies you have and what their function is. Of course the website should have SSL and use an updated version of TLS and strong encryption ciphers.

The right also to remove the newsletters at the account page and also in the mail they're sent. (I think SMS/mail sent normally for the orders doesn't matter as the client wants to make an order.)

Backups should be encrypted and secure. Some recommendations are to use 2FA or private keys to access sensitive information, for example the database.

Access to admin should have extra .htaccess protection, for example a password, and limit access to a VPN only.

Passwords for customers should have 9+ characters and for admins 13+ (both a-z, A-Z, 0-9 and symbols). Encryption by default in osCommerce is MD5+salt but should be SHA-256 (minimum required).

Also run a firewall, IDS (Intrusion Detection System), and more to avoid and detect attacks.

Some of those are recommendations, others are obligatory. If I missed something or said anything wrong please let me know.


Also, cookies can't be stored on the visitor until they agree with the cookie consent. So that's a bit of an issue in osCommerce as it creates cookie_test and osCid. If you use Google/Facebook they will create cookies for those also.


@sinopia It's been like that with cookie consent for years now. If people updated their cookie consent code and their privacy policy then most of the privacy policy should already have all the required information.

All of Gary's @burt GDPR modules cover most of the rest of your comments above, apart from the server ones, which most good hosts would be doing anyway.


Yes I've checked them. But even creating an account should be only name and email. Then (I suppose) making the checkout should be when more personal details are added (payment/shipping/delivery/VAT) but that isn't how osCommerce works.

But correct me if I'm wrong. I'm still reading all of this.


OK I think I am almost there, apart from one little thing that does not seem to have been covered.

The scenario is that a customer places an order by phone and we then enter his order on our website (manual order maker and order editor); this allows us to produce the invoice and process his order as a normal web order. The problem is that he will not have seen our privacy policy or any of our GDPR statements.

The only way I can see round this is to read each customer a rather long and boring statement such as:

GDPR Statement

On 25 May 2018 a new EU Regulation came into force, the General Data Protection Regulation (GDPR), which affects how customer data is stored and used.

By placing a telephone order with us you are giving your permission for your data to be held on our website database, which will be used to fulfil your order and uphold any warranties.

The data we store is limited to:
  • Name
  • Address
  • Email address
  • Telephone number

These details will not be shared with any other parties other than:
  • Our payment processing company (Barclays)
  • Our couriers
  • Certain manufacturers who ship items on our behalf

We will not send you any unsolicited emails, other than emails regarding the progression of your order, unless you expressly give permission by visiting our website and selecting the option to receive newsletters.

You may request the deletion of your data at any time. However, certain data cannot be deleted for orders made, due to financial reporting and warranty requirements.

We encourage you to visit our website www. to view our full privacy policy.

Are you now happy to proceed with your order?

Any comments or alternative solutions would be welcome....


39 minutes ago, Mort-lemur said:

OK I think I am almost there, apart from one little thing that does not seem to have been covered.

The scenario is that a customer places an order by phone and we then enter his order on our website (manual order maker and order editor); this allows us to produce the invoice and process his order as a normal web order. The problem is that he will not have seen our privacy policy or any of our GDPR statements.

The only way I can see round this is to read each customer a rather long and boring statement such as

Any comments or alternative solutions would be welcome....

Could you include the information in the email, either as text or in a PDF, and tell the customer on the phone that they would have to reply back saying that they accept the T&Cs / privacy policy before you can go ahead with completing the order, and that the details you have are correct?

Don't know if you have read this:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/how-should-we-obtain-record-and-manage-consent/


 


@puddlec Thanks for the link.

A lot of my customers are old farmers who do not use the internet - so email etc is out of the question.

The link you provided gives details on recording verbal consent, which I will do in the order comments box when compiling their order.

Anyone got any further comments?


19 hours ago, sinopia said:

Also, cookies can't be stored on the visitor until they agree with the cookie consent. So that's a bit of an issue in osCommerce as it creates cookie_test and osCid. If you use Google/Facebook they will create cookies for those also.

http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

EU legislation on cookies (I have highlighted the relevant parts for osCommerce, by *my* understanding):

BLAH BLAH ... some cookies are exempt from this requirement. Consent is not required if the cookie is:

  • used for the sole purpose of carrying out the transmission of a communication, and
  • strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection include;

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

So, we can clearly (by *my* understanding) not have to do anything about cookie acceptance for;

  • please_accept_for_session aka "cookie test"
  • oscSid

As both of these Cookies;

  1. do not include any personal data
  2. are absolutely required by the software for the software to function

Anyone else like to add more thoughts?  

Other NOT ESSENTIAL Cookies

If the shop owner has other cookies on board that DO have personal info (e.g. Analytics passing the IP address) or ARE not required by the software to perform its function (sell stuff), then the shop owner must get permission for these cookies. There is ONE cookie in Edge that the shop owner MUST get permission for, as it is a cookie that is useless to the software's primary function: the cookie in the ht_grid_list module. If I can get rid of that cookie, we are good to go (in my opinion).
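One way to check a shop against the exemption list above (and sinopia's point about cookie_test and osCid being set before consent), as an added example that is not osCommerce code or any poster's own: a small Python script that parses the Set-Cookie lines a first, pre-consent page load sets and sorts each cookie into exempt, review or consent-required, flagging third-party scope, persistence beyond the session and a missing Secure flag. The essential cookie names are the ones named in the thread; the sample lines, the host example-shop.test and the cookie name grid_list_view (standing in for the ht_grid_list module's cookie) are constructed for the example.

```python
# Cookies the thread treats as strictly necessary for osCommerce to function
# (session id and the cookie-support test); compared case-insensitively.
ESSENTIAL = {"oscsid", "please_accept_for_session", "cookie_test"}


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split one Set-Cookie line into (name, {lower-cased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()  # bare flags map to ""
    return name, attrs


def is_persistent(attrs: dict) -> bool:
    """Outlives the session if Expires or a positive Max-Age is present;
    Max-Age=0 is a deletion, not persistence."""
    max_age = attrs.get("max-age", "")
    return "expires" in attrs or (max_age.isdigit() and int(max_age) > 0)


def classify(name: str, attrs: dict, shop_host: str) -> tuple[str, list[str]]:
    """Verdict for a cookie set before consent: exempt, review or consent-required."""
    notes = []
    domain = attrs.get("domain", "").lstrip(".").lower()
    third_party = bool(domain) and not shop_host.lower().endswith(domain)
    if third_party:
        notes.append(f"set for third-party domain {domain}")
    if "secure" not in attrs:
        notes.append("missing Secure flag")
    if name.lower() not in ESSENTIAL or third_party:
        return "consent-required", notes + ["not an exempt first-party essential cookie"]
    if is_persistent(attrs):
        # The exemption covers session-duration cookies; a persistent
        # "essential" cookie needs a documented justification.
        return "review", notes + ["persistent despite session-only exemption"]
    return "exempt", notes


def audit(headers: list[str], shop_host: str) -> dict[str, str]:
    """Map each cookie name to its verdict and print the reasons."""
    verdicts = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        verdict, notes = classify(name, attrs, shop_host)
        verdicts[name] = verdict
        print(f"{name:26} {verdict:17} {'; '.join(notes)}")
    return verdicts


# Constructed sample of what a first page load might set, written as
# Set-Cookie lines; grid_list_view is a hypothetical name for the
# ht_grid_list module's cookie and example-shop.test a placeholder host.
SAMPLE_HEADERS = [
    "osCsid=0123abcd; path=/; Secure; HttpOnly",
    "please_accept_for_session=1; path=/; Secure",
    "cookie_test=1; Max-Age=7200; path=/; Secure",
    "grid_list_view=grid; expires=Fri, 31 Dec 2038 00:00:00 GMT; path=/",
    "_ga=GA1.2.1.1; Max-Age=63072000; path=/; domain=.example-shop.test",
]
```

Run `audit(SAMPLE_HEADERS, "www.example-shop.test")` to print the table; cookies set by JavaScript (such as _ga) will not appear in response headers, so capture them from the browser and feed them in the same syntax.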


20 hours ago, wHiTeHaT said:

Does that cookie not fall under:

Good catch, yes I think it does. I'm still going to remove it though, one less thing to load each page.


Archived

This topic is now archived and is closed to further replies.
