osCommerce

Who in the EU has heard of GDPR and will it affect you


14steve14


I have been thinking about customers' data that is stored in the database. If I have no reason to keep that data I should delete it, or at least that is how I interpret the rules. So looking at my customer database I have customers' details that have never bought anything. Should I delete that data? I think I should.

To delete this data I have found the following code that Gary @burt posted ages ago, I think it was. I have tried it on my database and it produces a list of 500+ customers. Is there a way to modify the query that I am using to also check whether the customer is on my mailing list?

SELECT customers_id, customers_firstname, customers_lastname, customers_email_address
FROM customers
WHERE customers_id 
NOT IN (
SELECT customers_id
FROM orders
)

If not I will have to go through each individual one to see.

REMEMBER BACKUP, BACKUP AND BACKUP


@wHiTeHaT This isn't going to be so easy then. It may be easier to manually check the data and then remove the customers if they are not on the mailing list using the built-in delete tool.

REMEMBER BACKUP, BACKUP AND BACKUP


@14steve14

Obviously with a backup done first!!  This first query is the "Master Blaster"...

delete from customers where customers_id not in (select customers_id from orders) and customers_newsletter = 0

that will remove all customers that have never made an order AND are not a subscriber.

You then need to clean out other tables, and we know that any ID that does not exist in the customers table should not exist anywhere else:

delete from action_recorder where user_id NOT IN (select customers_id from customers);
delete from address_book where customers_id NOT IN (select customers_id from customers);
delete from customers_basket where customers_id NOT IN (select customers_id from customers);
delete from customers_basket_attributes where customers_id NOT IN (select customers_id from customers);
delete from customers_info where customers_info_id NOT IN (select customers_id from customers);
delete from products_notifications where customers_id NOT IN (select customers_id from customers);
delete from whos_online where customer_id NOT IN (select customers_id from customers);
delete from reviews where customers_id NOT IN (select customers_id from customers); -- reviews keys on customers_id; whos_online is the odd one out with customer_id
delete from reviews_description where reviews_id NOT IN (select reviews_id from reviews);

 

And that should do it. But all of this is UNTESTED...

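Putting the first post's list query and @burt's delete chain together, here is an added example of the same clean-up written the way I would run it on a live store; it is not code from either post. It assumes the stock osCommerce 2.3.x table and column names, InnoDB tables (ROLLBACK does nothing on MyISAM), and that it is run step by step in a single mysql client session rather than pasted into phpMyAdmin, which opens a fresh connection per request and so cannot hold the transaction open. It previews what will go, uses NOT EXISTS instead of NOT IN, never touches orders (which tax law says you must keep), and leaves the guest rows (id 0) in whos_online and action_recorder alone.

```sql
-- Added example, not from the thread. Run in ONE mysql session, after a
-- mysqldump. Assumes stock osCommerce 2.3.x schema and InnoDB tables.

-- 1. Dry run: how many customers have never ordered and are not subscribed?
--    customers_newsletter is char(1), so compare against the string '0'.
SELECT COUNT(*) AS customers_to_delete
  FROM customers c
 WHERE c.customers_newsletter = '0'
   AND NOT EXISTS (SELECT 1 FROM orders o WHERE o.customers_id = c.customers_id);

-- Eyeball the actual rows (oldest accounts first) before deleting anything.
SELECT c.customers_id, c.customers_email_address,
       ci.customers_info_date_account_created
  FROM customers c
  LEFT JOIN customers_info ci ON ci.customers_info_id = c.customers_id
 WHERE c.customers_newsletter = '0'
   AND NOT EXISTS (SELECT 1 FROM orders o WHERE o.customers_id = c.customers_id)
 ORDER BY ci.customers_info_date_account_created;

-- 2. The deletion, inside a transaction so a mistake can be undone.
START TRANSACTION;

-- Multi-table DELETE syntax (DELETE alias FROM table alias) is what lets
-- MySQL 5.x use an alias in a DELETE.
DELETE c
  FROM customers c
 WHERE c.customers_newsletter = '0'
   AND NOT EXISTS (SELECT 1 FROM orders o WHERE o.customers_id = c.customers_id);

-- Cascade to every table keyed on the customer id. NOT EXISTS is NULL-safe;
-- a NOT IN (subquery) matches nothing at all if the subquery returns a NULL.
DELETE ab  FROM address_book ab
 WHERE NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = ab.customers_id);
DELETE ci  FROM customers_info ci
 WHERE NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = ci.customers_info_id);
DELETE cb  FROM customers_basket cb
 WHERE NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = cb.customers_id);
DELETE cba FROM customers_basket_attributes cba
 WHERE NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = cba.customers_id);
DELETE pn  FROM products_notifications pn
 WHERE NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = pn.customers_id);

-- Guests are stored with id 0 in these two tables; 0 is never a customer id,
-- so a plain "NOT IN customers" would wipe the guest rows too. Keep them.
DELETE wo  FROM whos_online wo
 WHERE wo.customer_id <> 0
   AND NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = wo.customer_id);
DELETE ar  FROM action_recorder ar
 WHERE ar.user_id <> 0
   AND NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = ar.user_id);

-- Reviews carry customers_name, so they go too, then their per-language text.
DELETE r   FROM reviews r
 WHERE NOT EXISTS (SELECT 1 FROM customers c WHERE c.customers_id = r.customers_id);
DELETE rd  FROM reviews_description rd
 WHERE NOT EXISTS (SELECT 1 FROM reviews r WHERE r.reviews_id = rd.reviews_id);

-- 3. Sanity check before committing: both counts must be 0.
SELECT
  (SELECT COUNT(*) FROM address_book ab
    WHERE NOT EXISTS (SELECT 1 FROM customers c
                       WHERE c.customers_id = ab.customers_id)) AS orphan_addresses,
  (SELECT COUNT(*) FROM reviews r
    WHERE NOT EXISTS (SELECT 1 FROM customers c
                       WHERE c.customers_id = r.customers_id)) AS orphan_reviews;

-- Then exactly one of:
-- ROLLBACK;   -- if a count above is not 0 or the numbers do not match step 1
-- COMMIT;     -- otherwise
```

Any add-on that stores a customers_id in its own table (wishlists, loyalty points, stored cards) needs its own DELETE in the cascade, and a subject-access or erasure request for one named customer is the same script with `AND c.customers_id = <id>` in place of the newsletter and orders conditions.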

A nice layman's view article: https://www.scotsman.com/news/politics/insight-the-gdpr-revolution-we-can-t-opt-out-of-1-4742104

There are apparently some unresolved data issues, which will need to be settled by the courts, such as a beauty salon owner required by her insurance company to hold on to customer medical data for 6 years, even if the customer requests that it be deleted. Which takes precedence? If the customer demands that her data be deleted, does she forfeit any claim that could have been refuted by the salon had it kept the data? Or is the salon in trouble for keeping that data after being told to delete it? What if the data is simply taken offline -- short of a search warrant, how would a customer know what has been kept, short of suing for malpractice and seeing what's there?

I like the joke in the "letters" section:

  • "I've found a really good GDPR consultant".
  • "Can you give me their email address?".
  • "No"

It all depends which side you view this from, the consumer or the businesses. Here is another point of view about how some businesses abuse customers data and force silly agreements.

https://boingboing.net/2018/04/21/read-carefully.html

Data protection is not bad in itself, it's just the stupid way the EU is implementing it.

Are you GDPR accredited? Yes, it's true, consultants are offering GDPR accreditation now. Looks like this is just the start of all kinds of shady mis-selling that is going to happen in the coming weeks.

Small businesses already have a minefield of legislation to contend with. About 40%-50% of small businesses fail within the first 3 years; less than 30% survive into their 10th year of trading. Why is it that big government keeps kicking businesses in the nether regions at every opportunity it gets? SMEs account for:

SMEs and the Economy:

  • Small businesses accounted for 99.3% of all private sector businesses at the start of 2017 and 99.9% were small or medium-sized (SMEs).

  • Total employment in SMEs was 16.1 million; 60% of all private sector employment in the UK.

  • The combined annual turnover of SMEs was £1.9 trillion, 51% of all private sector turnover in the UK.

 

Why don't they just let us get on with doing business? A good start would be to abolish the unelected EU.

 


27 minutes ago, JcMagpie said:

Data protection is not bad in itself, it's just the stupid way the EU is implementing it.

I agree 100%. Being outside the EU, I am not going to fully implement GDPR, just the parts that are common sense and are justifiable, and should be followed by anyone holding private information.


In another thread there was a request to back up "contact us" emails in the database (due to the host constantly losing emails in transit). This brings up an interesting question: does GDPR say anything about emails and whether they are subject to deletion upon customer request? It would be ridiculous to have to delete emails, but I wouldn't put anything past the EU bureaucrats. I could even imagine a store owner being required to delete the database copy of the message, but not the email copy!


You're right Phil, and it gets worse the more you look into it. What do I do about all my backups and archives? They all have customer data on them, as do backups made by hosts. In the UK we are legally required to keep all business transactions for a 7 year period, I think it is by tax law in the UK. Every invoice and order acknowledgment has customers' details! It's like opening a can of worms. :laugh:

 


This subject has got us all racing round (again) making changes to our websites to comply (or at least what we understand as complying). I seem to remember us all doing this with the cookie law.....

This makes some interesting reading: http://barker.co.uk/cookielaw

So lets do all we can but not get too paranoid........

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


I'm the IT guy for the local pizza delivery and we have not made a change at all.


  • tax law makes it illegal to delete the orders; they have to stay there for 5 years. But I have a script that deletes those that are 5 years or older and I run that on New Year's Day
  • other than that we only have customers:
  1. Customer name
  2. Address
  3. email
  4. phone number

i.e. we only have the absolute minimum to deliver a pizza. And we do keep track of when a customer last placed an order; if they have not ordered within a year we assume they have moved outside our delivery area and we delete them around New Year's Day too.

no need to make a big deal out of a fart in a glass of water


7 hours ago, boelle said:

no need to make a big deal out of a fart in a glass of water

Oh great, I'll never get that image out of my mind now! :(

You sure know how to party on New Years!


I can deal with most of the other implications but the cookie thing is an issue.

I use Europe Confidentialities Cookie law contribution on a 2.3 heavily modded version and only use Google analytics so if I could make it Opt-IN rather than Opt-OUT it would suit my purpose.

Any Ideas?


I'm not familiar with the add-on in question, but I'm surprised to hear that it's "Opt-Out" rather than "Opt-In". Just to recap and make sure we're on the same page, there are three ways to ask permission to do something like drop a cookie. Two of them are illegal now:

  1. Opt-OUT where you have to take an explicit action to check a box to NOT have the cookie ("we're going to drop cookies unless you make the effort to tell us not to")
  2. Prechecked Opt-IN where the checkbox giving permission for cookies is pre-checked, saving you the time and effort of checking it ("tough luck if you overlook it")
  3. Opt-IN where you have to take an explicit action to check a box to ALLOW the cookie(s). This is the only legal way.

If the current code is actually Opt-OUT, you would have to modify it to

  1. change the label/prompt to reverse the meaning
  2. flip the yes/no meaning of the selection that comes back (this could be as simple as
    $choice = !$choice;
    where you handle the form data)

It should be quite possible to do this.


Hi,

This is the URL.

https://apps.oscommerce.com/FbzeO&europe-confidentialities-cookie-law

Originally written by a contributor of this forum I believe.

Only works for Google Analytics, works by deleting the GA cookie when a button is pressed. (so Opt-out).

I could run the code to delete on entry, but re-instating it is an issue; possibly a simple rename may work rather than a delete, then name it back on opting in.

Other than that I'm still looking for some simple cookie opt-in code for GDPR that will work on 2.3.3 or 2.3.4

mo


I guess you could change the code to delete the cookie if the user fails to explicitly Opt-IN. Whether simply renaming a cookie (that already contains sensitive information) will meet the letter of the law, I don't know.


15 hours ago, JcMagpie said:

Well, everyone had plenty of time to get on with it; only yourself to blame if the grim EU comes knocking at your door :)

There are news reports that dozens of major US news sites are blocking EU access b/c they're not GDPR compatible. I find it rather amusing.


Well, it just goes to show how farcical the whole situation is. I have had scores of emails from companies I have never used or heard of, all asking me to confirm that they can keep contacting me or I will no longer be able to use their services. They offer the option of removing myself from their database! How? By emailing my details to them!! Why would I give all my details to a company I have never used? By doing so I'm giving them what they probably never had. Many of these companies have probably only got my name and email from dodgy databases that are sold to marketing companies.

So if your not careful you could end up providing the requesting company even more data than they originally ever had.

 


4 hours ago, JcMagpie said:

Well, it just goes to show how farcical the whole situation is. I have had scores of emails from companies I have never used or heard of, all asking me to confirm that they can keep contacting me or I will no longer be able to use their services. They offer the option of removing myself from their database! How? By emailing my details to them!! Why would I give all my details to a company I have never used? By doing so I'm giving them what they probably never had. Many of these companies have probably only got my name and email from dodgy databases that are sold to marketing companies.

So if your not careful you could end up providing the requesting company even more data than they originally ever had.

Seeing as though you have to opt in now, technically you just do nothing and get deleted from their lists. I have saved the few emails that I have had from unknown companies and if I receive another email from them, then I will start the asking-for-data routine and see what they do.

Businesses have had ages to get ready for this, so why today I am still receiving emails, past the introduction date, I have no idea.

I had one customer, who over the years has been a PITA, email me asking for the information that I had on him. I just used his email address, used @burt Gary's modules and converted them to a PDF and emailed him back straight away. I could have waited the maximum 30 days before sending it to him, but I would have forgotten. I bet he didn't expect something back in less than 15 minutes.

REMEMBER BACKUP, BACKUP AND BACKUP


5 hours ago, JcMagpie said:

So if [you're] not careful you could end up providing the requesting company even more data than they originally ever had.

Good point. I would suggest ignoring any request that does not come from a registered user or customer (i.e., you don't have their email on file). Don't reply to them "we have no record of you", as all they want is confirmation that you are a live, spammable address. If they are on file, and you fear the wrath of the EU if you don't properly respond, go ahead and reply.

Just curious... is there any way to make a spammer's email bounce after you've read it? It would be good to make it look like you're a dead address.


Hi,

We don't send newsletters/unsolicited emails (as yet), so have sent out no consent emails. If I did I would use Mailchimp, as we've had issues before with mass emails from the shop and getting IP blacklisted by Gmail and Live and other 'learning' or 'intelligent' spam filters due to the sheer number of new mails and customers sticking them in their spam folder.

Although many are sending consent emails to everyone in their database, as I read it customers you have a 'relationship' with (i.e. order regularly or at all) do not need to consent to the new privacy policy unless you intend to mail them.

I have put a notification on the log-in and added the privacy policy to the MATC tickbox.

I have NULL'd all newsletter entries before 25th May as the newsletter tick box was pre-ticked previously. Since I pre un-ticked the newsletter box the rate has dropped from 80% to 7% of customers requesting it.

I've deleted all inactive accounts with no purchases older than 5 years and email T&C's (inc. privacy policy) on every order confirmation

If and when we do decide to mail out newsletters I will then send all the pre-May 25th customers (all 26,000 of them) a mail advising them of the new PP (which apparently needs no permission/opt-in) and that they will now have to opt in to newsletters if they want them, possibly with the bait of a discount code (which is seeming popular), and how to delete their account. No real rush 'til then I think.

I'm sure someone is going to tell me that's wrong but after reading all the differing interpretations those are mine. I think just wait and see how it all rolls out and react accordingly.


Archived

This topic is now archived and is closed to further replies.
