
Who in the EU has heard of GDPR and will it affect you


14steve14


On 7/18/2018 at 10:01 AM, burt said:

easier for shopowners to have a choice of what they want

There are certain things which any ecommerce package is going to have to support right out of the box, if we hope to attract and retain a lot of users: PHP 7-ready, mobile-friendly (responsive), SEO, etc. They can not be separate add-ons, although an add-on that replaces a simpler and more basic out-of-the-box function would be acceptable. To this list, I think we need to add a pan-GDPR/CCPA/etc. customer data privacy module that doesn't have to be added separately (although it could require turning on and/or configuring). Without these things as selling points, very few people will give osC a second look.

On 7/18/2018 at 11:36 AM, 14steve14 said:

But where would the legal stuff stop? GDPR, taxes, VAT and all the different legal rules from every country; the code would be a nightmare. Maybe there should be a package available for each country, similar to the concept of a language pack, that would include all the legal stuff for all the countries, all as modules.

OK, so I'm going to do business in dozens of countries. I'm certainly not going to install country packages for each one. Perhaps some things like taxes/VAT etc. might be done that way, if I only have to follow the rules for my own country, but for everything else I think you're going to have to build in universal customer data protection, and other such legal requirements -- worldwide a superset of all the state, country, and union rules. I just hope there's nothing that would be contradictory enough to force separate packages!

Quote

The only trouble being this will never happen as no one can access the core code, and without help Gary cant do everything on his own.

That's a general problem with osC. Harald is gone (I'm assuming, for good) and no one else has the Keys to the Kingdom. I wouldn't even be terribly surprised if domain registration and hosting expire at some point! Before long there may not be an oscommerce.com or this forum. A fork of osC is looking better and better.


Well, we disagree on that and as it's me making decisions and I am saying "the future is modular", it is time to stop with the ethos of "more in core".  

There will be *less* in core, for the reasons already mentioned.  If these people are running a business they will choose the best product that fits their need and not the product that costs nothing.  If they choose a different cart:  good luck to them. 


2 hours ago, ArtcoInc said:

* update *

The recently passed law here in California has this provision:

What “Businesses” Are Covered?

The CCPA broadly applies to “businesses” that operate for-profit and (1) have an annual gross revenue of more than $25 million, (2) buy, receive or share for commercial purposes, or sells personal information of 50,000 or more consumers, households, or devices, or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The CCPA also applies to entities that share common branding with a qualifying “business” and that controls or is controlled by that business.

(fwiw)

PS:

Some more "interesting" reading ...

https://digiday.com/media/wtf-california-consumer-privacy-act/

I imagine then that most osCommerce users are exempted as (in my opinion and understanding);

  1. barely any will have Gross > 25m usd
    I personally know of two (osC based) businesses that do this level of business
     
  2. barely any have customers > 50k
    Again, one of those shops (above) is near to that number
     
  3. Sell personal info?
    WTF?  I am certain no ecommerce business owner stoops that low.

5 hours ago, burt said:

Well, we disagree on that and as it's me making decisions and I am saying "the future is modular", it is time to stop with the ethos of "more in core".  

For the life me I don't understand why everyone insists on things being added to the core.  IMO, less is better...keep the core lean and mean.  Modules can and should be used and developed for anything that is required.    That gives us the best of both worlds.  Why is it so difficult to get that idea across?

Dan


I NEVER SAID that it had to be somehow baked into the "core", just that it should NOT be an external "extra" (add-on) that a store owner has to decide they need, go hunt down, and install. It should come with osC in some form, and at most require "turning on" and configuration. Other stores will include GDPR/CCPA support in their base, and it will be a great selling point against osC.

It's possible to carry a fetish for "lean, mean, customizable product" too far. Imagine if wheels were an extra-cost option on your new car! It's an unwritten assumption that wheels come with any car. You can specify more expensive ones when you place your order, but at least the car is usable as-delivered. It's not dropped off in front of your home on four cinder blocks. If everyone doing business with the EU, or California, has to have certain data privacy features (we can certainly argue over what's reasonable), those features will be so widely needed that they should come in the box and not require 1) realization that they're missing, 2) a search for an add-on to implement them, 3) download and installation of this add-on.

That's all I'm saying!


If all the legal stuff is included somehow with the install package, who checks to make sure each of the packages is compliant? It would be a full-time job checking every country's legislation for changes.

At least if it was in a separate package, people from each country would keep it updated if a change was required. It just needs some form of checking so it doesn't end up a mess like lots of the other addons.

REMEMBER BACKUP, BACKUP AND BACKUP


7 hours ago, Dan Cole said:

Why is it so difficult to get that idea across?

I really don't know.  It should be easy, but some people just don't see it.

5 hours ago, MrPhil said:

just that it should NOT be an external "extra" (add-on) that a store owner has to decide they need, go hunt down, and install.

Shopowners will need to decide which version they want to use, hunt it down and install it as it WILL be an external extra.

4 hours ago, 14steve14 said:

If all the legal stuff is included somehow with the install package

It won't be.


@burt Gary

Fully agree. This is not what the core code is for. If shop owners are too lazy to look to see if there are addons that apply especially to the legal side of their business, then maybe they should think of something else to do.

REMEMBER BACKUP, BACKUP AND BACKUP


On 7/20/2018 at 6:25 AM, burt said:

That sums up my thoughts on it, perfectly.

It's not laziness on the store owners' part if add-ons are required to enable basic functionality that almost everyone is going to need to use. I'm anticipating that legal stuff like GDPR/CCPA are doing to become widely required (or desired), and therefore ought to be built into the basic product rather than being add-ons a new store owner needs to search for. Of course, I still think it's overkill in the first place, but it does have the force of law. Anyway, it appears that Steve and Gary don't mind taking possession of their new cars on concrete blocks, and having to go to a tire store to buy the wheels and tires so the cars can roll. To each his own.

A GDPR/CCPA module could be replaceable by an add-on with something lighter or offering different function, but still ought to come with the kit, so that a working store can be had right out of the box. At the very, very least, offer to download and install it (as an add-on) during installation, so a store owner isn't left wondering why their new store is out of legal compliance (i.e., osC is a piece of crap). There are a bunch of other widely useful add-ons that might be suggested at installation time, so a new store owner at least knows where to find the goodies at a later date.


Stock osC can never be fully legally compliant out of the box!

Compliance is more than GDPR. It requires complying with tax laws, VAT laws, Companies House laws and many others.

These all are different depending on whether you're a sole trader, a partnership, a limited company or a PLC.

It's down to the business owner to ensure they are fully compliant, not a piece of software.

I currently have no additional add-on of any sort for GDPR compliance; I simply updated my privacy policies and am fully compliant. The add-ons are a nice to have and will make life simpler for some, but they are not a legal requirement.

In the UK one of the most strict trading laws is the requirement for companies above a certain turnover to be VAT registered and display VAT number and company registration on all invoices. That's not in stock!


On 7/22/2018 at 1:34 PM, MrPhil said:

It's not laziness on the store owners' part if add-ons are required to enable basic functionality that almost everyone is going to need to use. I'm anticipating that legal stuff like GDPR/CCPA are doing to become widely required (or desired), and therefore ought to be built into the basic product rather than being add-ons a new store owner needs to search for. Of course, I still think it's overkill in the first place, but it does have the force of law. Anyway, it appears that Steve and Gary don't mind taking possession of their new cars on concrete blocks, and having to go to a tire store to buy the wheels and tires so the cars can roll. To each his own.

A GDPR/CCPA module could be replaceable by an add-on with something lighter or offering different function, but still ought to come with the kit, so that a working store can be had right out of the box. At the very, very least, offer to download and install it (as an add-on) during installation, so a store owner isn't left wondering why their new store is out of legal compliance (i.e., osC is a piece of crap). There are a bunch of other widely useful add-ons that might be suggested at installation time, so a new store owner at least knows where to find the goodies at a later date.

I've given up trying to get through to you.  You have a really closed, narrow-minded outlook on a lot of things.

This is business 101:  business owners use the best tool at their disposal.  They want something, they go and source it.

That is the end of this part of this thread, thank you.  Any more replies about what should or should not be in the core of osCommerce will be removed and posters will get one warning of "off topic crap".


2 hours ago, JcMagpie said:

Stock osC can never be fully legally compliant out of the box!

Compliance is more than GDPR. It requires complying with tax laws, VAT laws, Companies House laws and many others.

These all are different depending on whether you're a sole trader, a partnership, a limited company or a PLC.

It's down to the business owner to ensure they are fully compliant, not a piece of software.

I currently have no additional add-on of any sort for GDPR compliance; I simply updated my privacy policies and am fully compliant. The add-ons are a nice to have and will make life simpler for some, but they are not a legal requirement.

In the UK one of the most strict trading laws is the requirement for companies above a certain turnover to be VAT registered and display VAT number and company registration on all invoices. That's not in stock!

It's also possible to voluntarily register for VAT in the UK. I personally think that, as long as the required code for the store is available to allow the customer to comply, then that is fine. Others have to comply with the different legislation in their own countries, and in the spirit of open source should update the package accordingly. That's how it should be kept up to date as laws and regulations change in each country.

REMEMBER BACKUP, BACKUP AND BACKUP


3 weeks later...

Posted this elsewhere, but it makes sense to have it in this thread:

At what point does a Potential customer become a Customer?

  • after they create an account?
  • after they actually buy something?
  • when they sign up to a mailing list?
  • something else

That's an interesting question.  Maybe shopowners should have something in their T&C explaining at what point a person becomes a customer, that wouldn't harm anything to add it in, and maybe helpful in the future should you have to prove anything to anyone.

Remember also that GDPR does not apply only to customers.  It applies to ANYONE who interacts with your site, it is just that most shopowners direct people to agree to GDPR T&C etc at some point after the potential customer has browsed products etc.

Whichever point you determine a potential becomes a Customer... you MUST STORE the exact T&C to which a Customer signed up, why:

  1. In the future, the customer can examine the precise T&C to which he/she
    signed up and if necessary withdraw his consent.
  2. To show the GDPR authority in your country the exact T&C to which the
    customer signed up, if the customer complains to that authority.

Another thing to think about is "Guest Checkout" - how do you solve the problem of the buyer giving consent per GDPR?  How do you record the data?  What happens if a customer says "no, I won't give Consent" - how do you record it?  You can't use their email address...you don't have a customer ID.  What do you do?
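An added example (not osCommerce code and not from this thread) of how the records burt describes could be kept: every consent decision stores the full T&C text together with its SHA-256 hash, withdrawal is a new row rather than an update, and a guest checkout is keyed to the order id instead of a customer id, so a refusal can be recorded without an account. The table and column names, PHP 8 and PDO with SQLite are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema (not osCommerce's): one row per consent decision.
// The full T&C text is kept with its hash so it can be shown verbatim later.
const CONSENT_SCHEMA = <<<'SQL'
CREATE TABLE IF NOT EXISTS gdpr_consent (
  id           INTEGER PRIMARY KEY AUTOINCREMENT,
  subject_type TEXT    NOT NULL,  -- 'customer' or 'guest_order'
  subject_id   TEXT    NOT NULL,  -- customers_id, or orders_id for guests
  terms_sha256 TEXT    NOT NULL,
  terms_text   TEXT    NOT NULL,
  granted      INTEGER NOT NULL,  -- 1 = consent given, 0 = refused/withdrawn
  recorded_at  TEXT    NOT NULL   -- UTC timestamp, ISO 8601
);
SQL;

final class ConsentLedger
{
    public function __construct(private PDO $db)
    {
        $this->db->exec(CONSENT_SCHEMA);
    }

    // Record a decision (given or refused) against the exact text that was shown.
    public function record(string $type, string $id, string $terms, bool $granted): string
    {
        $hash = hash('sha256', $terms);
        $stmt = $this->db->prepare(
            'INSERT INTO gdpr_consent (subject_type, subject_id, terms_sha256, terms_text, granted, recorded_at)
             VALUES (?, ?, ?, ?, ?, ?)'
        );
        $stmt->execute([$type, $id, $hash, $terms, $granted ? 1 : 0, gmdate('c')]);
        return $hash;
    }

    // Latest decision for a subject: which text they saw and whether consent still stands.
    public function current(string $type, string $id): ?array
    {
        $stmt = $this->db->prepare(
            'SELECT terms_sha256, terms_text, granted, recorded_at FROM gdpr_consent
             WHERE subject_type = ? AND subject_id = ? ORDER BY id DESC LIMIT 1'
        );
        $stmt->execute([$type, $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // Withdrawal appends a refusal for the same text; the original grant is never overwritten.
    public function withdraw(string $type, string $id): void
    {
        $last = $this->current($type, $id);
        if ($last !== null && (int) $last['granted'] === 1) {
            $this->record($type, $id, $last['terms_text'], false);
        }
    }
}

// Demo with an in-memory database and constructed T&C text.
$ledger = new ConsentLedger(new PDO('sqlite::memory:'));
$terms  = "Example T&C v3: your name and address are passed to our carrier only.";
$ledger->record('customer', '1042', $terms, true);       // account holder accepts
$ledger->record('guest_order', '50017', $terms, false);  // guest refuses, keyed to the order
$ledger->withdraw('customer', '1042');
var_dump((int) $ledger->current('customer', '1042')['granted']); // int(0)
```

Because the hash is stored alongside the text, a later dispute can be settled by recomputing the hash over the archived T&C and comparing it with the row, rather than by guessing which version was live on the account creation date.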


1 hour ago, burt said:

Another thing to think about is "Guest Checkout" - how do you solve the problem of the buyer giving consent per GDPR?  How do you record the data?  What happens if a customer says "no, I won't give Consent" - how do you record it?  You can't use their email address...you don't have a customer ID.  What do you do?

@burt

If a customer won't agree to the T&C of the shop (ie: 'give consent'), does the shop have an obligation to fulfill the order?

Just asking .... it's not like I'd choose to turn down an order ...

M


I have thought again about guest checkout and other GDPR stuff what with thinking about updating my site.

I believe that a website browser/looker or whatever you like to call them will become a customer when they create an account, even if they don't buy anything and don't complete a checkout. It does mean that they have given consent by understanding the GDPR policies, but may not have signed up to receive newsletters. Now, how long you can keep the data they give is something else. As you have no real need to store the data, when should you delete it? If they signed up for a newsletter, you can keep it as you need it to fulfil their request.

There seems to be some difference of opinion on guest checkouts. Some say use them, others say don't. There does not seem to be much information one way or the other.

I recently changed my T&Cs as there were a few mistakes in there, and a solicitor suggested a few alterations. I have kept a copy of the old terms and added a note to the page saying when they were altered. There is also a note on the new files saying when they were uploaded to the site. It's just a way of keeping a record of any changes. Technically it should be possible to check when the customer created an account, and be able to match a set of terms for that date. It may not be the best way, but it sort of works.

Love to know what others are doing.

REMEMBER BACKUP, BACKUP AND BACKUP


16 hours ago, ArtcoInc said:

@burt

If a customer won't agree to the T&C of the shop (ie: 'give consent'), does the shop have an obligation to fulfill the order?

Just asking .... it's not like I'd choose to turn down an order ...

M

Personally, I would not allow a "potential" to become a customer unless they specifically accepted my T&Cs.

This then at least gives me a level of security both on the day of the sale and into the future:

Quote

I bought this from you and you passed my details to Paypal! 
Not only that you passed my details to UPS.  Blah blah blah


16 hours ago, 14steve14 said:

There seems to be some difference of opinion on guest checkouts. 

I prefer not to use them, the only major difference is a "password" and "DOB".  DOB is easy to turn off and if remove password from the discussion, what is left? 

Name, email, address <-- all needed for posting the bought goods to the buyer.

Shopowner could then use some type of system to allow customers to login even if they don't have a password.  Password-less login...possible?  


Funnily enough, I got this in an email from a customer last night, replying to an email I sent about him not completing a sale. It looked to me as though he had tried several times to buy something but kept abandoning his cart. After about 15 attempts, I sent him an email asking whether he was having problems on the site, to which I got this reply, complete with spelling mistake:

I could not check out without agreeing to your web terms, in the present environment surley we should have a choice for you to keep and possibly sell my information?
Sorry will have to shop elsewhere.

Now, I have yet to figure out what to reply to this without really annoying him. The way I see it is that any business that is complying with GDPR will require his information. I need to keep a minimum for 7 years anyway for tax and accounting purposes. I only collect names, address, phone and email: the basic minimum that I think I need. It also does say in the privacy policy that he would have to agree to, that we don't share any information, bla bla bla. But what really got me is that somewhere he got the idea that I can't be trusted with his information and that I would do something against GDPR with it.

I would love to know where he eventually gets his items from, as some of them I can't find anywhere else on the internet because I make them here.

REMEMBER BACKUP, BACKUP AND BACKUP


Interesting!  Sounds like he misread the whole idea which is all about placing limits on what can be done with his data.  

Depending on whether you'd like his custom, I'd send back an email outlining:

  • what GDPR is
  • that all companies are bound by it, and that anyone who is not can do anything they want with his data, including selling it
  • whereas you specifically state what you will do with his data, and anything not mentioned is what you won't do

But in clearer English than what I just wrote.


I think I will just let it slide, but if one person thinks that, it makes you wonder whether others do as well. I have had some interesting conversations about GDPR with other businesses and it's surprising, even on these forums, how some don't care about the regulations and are just carrying on as they would have before. I suppose it will take one huge fine to make people take notice.

REMEMBER BACKUP, BACKUP AND BACKUP


Just now, 14steve14 said:

I think I will just let it slide, but if one person thinks that, it makes you wonder whether others do as well. I have had some interesting conversations about GDPR with other businesses and it's surprising, even on these forums, how some don't care about the regulations and are just carrying on as they would have before. I suppose it will take one huge fine to make people take notice.

I agree.  I've seen some things done and said here and elsewhere which make me raise my eyebrow. 
I really hope some people are saying things "for effect" rather than for real.


Archived

This topic is now archived and is closed to further replies.
