14steve14

Who in the EU has heard of GDPR and will it affect you


Posted (edited)
Quote

If we use a separate class then we have to reopen all installed modules again, so this was a non-logical step which was skipped.

What about something like:

 

	// In the module's install(): register the list of cookies as a configuration value
	tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, use_function, set_function, date_added) values (
		'Cookie stuff',
		'MODULE_HEADER_TAGS_XXXX_COOKIE_STUFF_1',
		'" . implode(';', $this->cookieStuff()) . "',
		'cookie stuff',
		'6',
		'0',
		'CookieStuffClass->getCookieStuff',
		'CookieStuffClass->setCookieStuff',
		now()
	)");


 

MODULE_HEADER_TAGS_XXXX_COOKIE_STUFF_1 is then available as a configuration value.
For that there is no need to use the oscTemplate class (but it could be done like this:)
 

    // Return the cookie names registered under one group.
    // MODULE_COOKIE_STUFF_INSTALLED holds 'group/name' entries separated by ';'
    function getCookieContent($group) {
      $result = array();

      foreach ( explode(';', MODULE_COOKIE_STUFF_INSTALLED) as $m ) {
        $module = explode('/', $m, 2);

        // skip malformed entries without a '/' instead of raising a notice
        if ( (count($module) == 2) && ($module[0] == $group) ) {
          $result[] = $module[1];
        }
      }

      return $result;
    }


It will also shorten the code for the module that uses cookies.

Edited by wHiTeHaT


@tgely @wHiTeHaT Better approach in my opinion! I don't like to extend / change the osc_template.php .... I would really prefer a separate Cookie class.


@tgely

Quote

[oscommerce]
version = 2.3.4

[system]
date = 2018-05-13 13:10:49 +0200 CEST
os = Linux
kernel = 3.13.0-105-generic
uptime =  13:10:49 up 520 days, 13:21,  0 users,  load average: 0.17, 0.20, 0.16
http_server = Apache

[mysql]
version = 5.5.59-0ubuntu0.14.04.1
date = 2018-05-13 13:10:49


version = 5.5.9-1ubuntu4.24
zend = 2.5.0
sapi = apache2handler
int_size = 8
safe_mode = 0
open_basedir = 0
memory_limit = 256M
error_reporting = 6135
display_errors = 1
allow_url_fopen = 1
allow_url_include = 0
file_uploads = 1
upload_max_filesize = 64M
post_max_size = 64M
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
disable_classes =
enable_dl = 0
magic_quotes_gpc = 0
register_globals = 0
filter.default = unsafe_raw
zend.ze1_compatibility_mode = 0
unicode.semantics = 0
zend_thread_safty = 0
extensions = Core,date,ereg,libxml,openssl,pcre,zlib,bcmath,bz2,calendar,ctype,dba,dom,hash,fileinfo,filter,ftp,gettext,SPL,iconv,mbstring,session,posix,Reflection,standard,shmop,SimpleXML,soap,sockets,Phar,exif,sysvmsg,sysvsem,sysvshm,tokenizer,wddx,xml,xmlreader,xmlwriter,zip,apache2handler,PDO,curl,gd,imap,json,ldap,mcrypt,mysql,mysqli,pdo_mysql,pdo_sqlite,pspell,readline,sqlite3,xmlrpc,xsl,mhash,Zend OPcache

 

 


@tgely Another thing ... the cookie of Cookieconsent https://cookieconsent.insites.com/download/ which is cookieconsent_status I want to set as strict ... but the code now only distinguishes between Functional and Strict ... I would say this cookie must always be set by a website visitor (deny/dismiss/allow) but he should not be able to delete it - so it must be strict (??).

Furthermore I would like to add the OPT-OUT function ... but I don't understand how to implement it. That is to say .. the way it should be handled depends on the full functionality of your app.

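The two ideas above (a 'group/name' list stored in a configuration value, and strict vs. functional cookies gated on the visitor's cookieconsent_status) combined in one stand-alone helper. This is an added example, not osCommerce code and not code from the posters; the class and method names are hypothetical and the sample list at the end is constructed.

```php
<?php
// Added example (not osCommerce core, not from the thread): parses the
// "group/cookie_name;group/cookie_name" list proposed for MODULE_COOKIE_STUFF_INSTALLED
// and refuses to set non-strict cookies unless Cookie Consent 3 has recorded
// cookieconsent_status=allow. Names are hypothetical; sample data is constructed.

class CookieConsentGate
{
    const STATUS_COOKIE = 'cookieconsent_status';   // written by Cookie Consent 3
    const STATUS_ALLOW  = 'allow';                  // other values: dismiss, deny

    private $byGroup = array();

    // $installed: ';'-separated "group/name" entries, as stored in the configuration value.
    public function __construct($installed)
    {
        foreach (explode(';', $installed) as $entry) {
            $entry = trim($entry);
            if ($entry === '' || strpos($entry, '/') === false) {
                continue; // skip empty or malformed entries rather than raising notices
            }
            list($group, $name) = explode('/', $entry, 2);
            $this->byGroup[strtolower($group)][] = $name;
        }
    }

    // Cookie names registered under one group (same job as getCookieContent() above).
    public function namesIn($group)
    {
        $group = strtolower($group);
        return isset($this->byGroup[$group]) ? $this->byGroup[$group] : array();
    }

    // Strict cookies are required for the shop to work and are always permitted.
    // Everything else needs an explicit "allow"; a missing status cookie (first
    // visit), "dismiss" or "deny" means the cookie must not be set.
    public function isAllowed($name, array $cookies)
    {
        if (in_array($name, $this->namesIn('strict'), true)) {
            return true;
        }
        return isset($cookies[self::STATUS_COOKIE])
            && $cookies[self::STATUS_COOKIE] === self::STATUS_ALLOW;
    }

    // setcookie() wrapper that refuses cookies the visitor has not consented to;
    // Secure and HttpOnly flags are set, adjust $path to the shop's layout.
    public function set($name, $value, array $cookies, $expire = 0, $path = '/')
    {
        if (!$this->isAllowed($name, $cookies)) {
            return false; // nothing is sent to the browser
        }
        return setcookie($name, $value, $expire, $path, '', true, true);
    }
}

// Constructed sample: the consent cookie itself and the session cookie are strict,
// the analytics cookie is functional and therefore needs an explicit "allow".
$gate = new CookieConsentGate('strict/cookieconsent_status;strict/osCsid;functional/_ga');
if ($gate->isAllowed('_ga', $_COOKIE)) {
    // only now may the analytics snippet be emitted or the _ga cookie be set
}
```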

@azpro what is the PHP version?
Strict cookies could be extended in the modal template with a foreach function.
What is the opt-out function?

@wHiTeHaT
I don't see the installed/non-installed on/off modules problem in your code example.
The oscTemplate class could handle all modules, not only the ht_ modules. For example Google Tag Manager code implemented under the <body> tag, and the core being able to use a content module with a PHP cookie.

I don't mind if you extend or edit this code example. This could be a real function on GitHub. I dislike programming in posts.


:blink:

3 minutes ago, tgely said:

what is the PHP version?

PHP Version 5.5.9-1ubuntu4.24

4 minutes ago, tgely said:

Strict cookies could be extended in the modal template with a foreach function.

:thumbsup: Of course ... did not think of that!

5 minutes ago, tgely said:

What is the opt-out function?

The opt-out built in to cookieconsent3 - if you set Compliance type to "type": "opt-out"

See https://cookieconsent.insites.com/documentation/disabling-cookies/

Posted (edited)
24 minutes ago, tgely said:

I don't see the installed/non-installed on/off modules problem in your code example.

Couldn't that be invoked in an update function in the proposed cookie class? Every time a new module with getCookieStuff is installed it could do a ONE-TIME check and then update the database INSTALLED ...

I think it is worth the effort since speed is essential.

Edited by azpro
Addition

Posted (edited)
58 minutes ago, tgely said:

I don't mind if you extend or edit this code example. This could be a real function on GitHub. I dislike programming in posts.

@tgely I tried to download the branch itself via GitHub, but I was not able to.

 

Just checked it again and now I can.

Edited by wHiTeHaT


I've collected informative personal data sources which should be managed in the data privacy policy document.

Registration
Newsletter (optional)
Orders
Url web log (IP address and behaviour)
Action recorder (IP address and email address)
Contact emails
Returns with bank account numbers


:blink:

3 hours ago, azpro said:

The opt-out build in cookieconsent3 - if you set Compliance type to  "type": "opt-out" 

See https://cookieconsent.insites.com/documentation/disabling-cookies/

I don't understand this function. Why do you use it? If you want to disable all cookies the HTML post method enables it by the new management mode.

https://github.com/Gergely/oscommerce_ce/blob/a8838c9532dc9227a7f694df935badf2ab8d78ca/includes/classes/osc_template.php#L204-L211


:blink:

Posted (edited)

@tgely I think it is important to take these rules into account. In case your approach doesn't work, it's important that all customers can accept the cookies or not.

You said cookies? With the GDPR, it is no longer possible to indicate on a site the following type of message "by visiting our site, we consider that you accept the use of cookies". You will now have to ask permission for each of the cookies used on your e-commerce site. On our side, we will also update our cookies policy on the SendCloud site and ask permission from all our users to store their cookies during visits to our site.

 

Edited by Gyakutsuki

Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

Tuto for 2.4 :
- How to Display a new page with app
- How to make Header Tags under app APP
- How to make a
boostrap modal with external element

Posted (edited)

Remove all not-essential Cookies from osCommerce.  

How many not-essential cookies are there?

If the shopowner then wants to use other not-essential cookies (eg Analytics), let the Analytics coders take care of it.

Edited by burt

This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest current code (community-supported responsive 2.3.4.1BS Edge) here

 

On 5/11/2018 at 12:57 PM, cornishpirate said:

This seems to agree with this. Field Fisher are a large London law firm.

https://privacylawblog.fieldfisher.com/2017/re-consenting-to-marketing-under-gdpr

Are we sure about this as I am receiving 4/5 emails per day from different sites (including those I have opted out of marketing).



GDPR is clearly causing the UK government a headache! The speaker of the House of Commons has this morning made a statement stating that the government accepts that many UK companies will not be compliant by the 25th. This was due to complaints by MPs that they did not understand what was required. Parliament has apparently appointed a company of consultants to give MPs training on how to be compliant but it seems they are still confused.

If the UK government has not a clue how to do it properly what hope has anyone else!

Again another excuse to waste taxpayers' money implementing an EU regulation that nobody asked for.

5 hours ago, justcatering said:

GDPR is clearly causing the UK government a headache! The speaker of the House of Commons has this morning made a statement stating that the government accepts that many UK companies will not be compliant by the 25th. This was due to complaints by MPs that they did not understand what was required. Parliament has apparently appointed a company of consultants to give MPs training on how to be compliant but it seems they are still confused.

If the UK government has not a clue how to do it properly what hope has anyone else!

Again another excuse to waste taxpayers' money implementing an EU regulation that nobody asked for.

At the end of the day it's been on the cards for nearly two years now, so people are leaving it until the last minute as usual. I personally think it's a good thing what the EU are trying to achieve with this, and it's not often I say something good about them. All an MP, or anyone else for that matter, has to do is to read the ICO site in the UK and all will be as clear as it's ever going to get. If people don't care about their personal data then that's their choice from now on.


REMEMBER BACKUP, BACKUP AND BACKUP

 

Find information about the bootstrap community version here

 

Make it idiot proof and someone will make a better idiot.


I'm just not a fan of big government getting involved in business. Never have been, never will be. As for clarity I'm not so sure now. Like you I looked at the regulation and thought it was straightforward and said as much before. Having now seen several versions of its interpretation (from correspondence I have received regarding this) it's clear not everyone agrees on how it applies!

So I'm revising my view in that if legal experts are not agreeing on how it should be implemented what hope has Jo Blogs.

What would have been nice is if this reg had worked to stop cold calling or unsolicited emails or mail! But no, if you are a marketing company you can keep on doing what you do as it's deemed a legitimate use!

I used this

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

from the ICO as a guide as they "should" know how to implement it right! Well I'm not so sure now! Have I got the right procedures and documentation in place to demonstrate compliance? Will I pass a compliance audit?

Add to this confusion the fact that we are already seeing adverts from companies offering to carry out GDPR audits (for a nice big fee) and I can only see this becoming another EU mess.

 


OK I think I have done all I need to do??

  • Stopped using Google Analytics and deleted the code (I don't use it much anyway)
  • Revised my privacy statement using the examples shown here: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-in-practice/
  • Added an option in the "My Account" section for customers to delete their account
  • Unsubscribed ALL customers from the mailing list
  • Sent an email to all customers explaining about GDPR, giving them links to our privacy policy and delete account function and telling them how to re-subscribe if they so wish
  • Added a modal popup to the site informing visitors about our revised privacy policy.

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Heather

Firstly I probably would not have deleted all your newsletter contacts. I would have given them the chance to unsubscribe or update their details in an email. If you have collected their information correctly in the real world you don't really need to ask them to re-subscribe.

If you mention Google Analytics in your privacy policy you can still use them as Google offer an app to allow customers to choose whether or not to be included which apparently is fine. A link is here so just put that in your policy. https://tools.google.com/dlpage/gaoptout?hl=en

The only other thing I am thinking of doing is adding a link and a tick box to the create account page to the privacy policy.

In my view the privacy policy was the hardest bit as it needed to be really changed to comply, but in reality it was nearly there anyway. A few bits needed adding which I got from others' policies like you did.

I have also added all of Gary's GDPR modules which makes everything so much easier.



@14steve14 Thanks for the info on the analytics opt-out tool - I have now added a link to the privacy policy to point to this.

I have MATC installed at the checkout confirmation page which I point with links to the Privacy Policy and the Conditions of the website plus I have added text to the create account pages with links to our privacy policy.

I also have the system set up to attach a pdf version of our terms and conditions, shipping terms and privacy policy to all customer order confirmation emails

Many Thanks



 

Another potential option for Google Analytics is to use _anonymizeIp().

From the page itself:

This tells Google Analytics to anonymize the information sent by the tracker objects by removing the last octet of the IP address prior to its storage. Note that this will slightly reduce the accuracy of geographic reporting.

When using this function to anonymize tracking, you must use the push function and properly associate the function with the tracker object, as illustrated below.

in ht_google_analytics.php

change (from line 39)

        $header = '<script>
  var _gaq = _gaq || [];
  _gaq.push([\'_setAccount\', \'' . tep_output_string(MODULE_HEADER_TAGS_GOOGLE_ANALYTICS_ID) . '\']);
  _gaq.push([\'_trackPageview\']);' . "\n";

 

to

        $header = '<script>
  var _gaq = _gaq || [];
  _gaq.push([\'_setAccount\', \'' . tep_output_string(MODULE_HEADER_TAGS_GOOGLE_ANALYTICS_ID) . '\']);
  _gaq.push([\'_gat._anonymizeIp\']);
  _gaq.push([\'_trackPageview\']);' . "\n";

 

NOTE UNTESTED

 

if you wanted you could set that bit configurable from the admin

 

source https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApi_gat#_gat._anonymizeIp


I think a page is also needed where you detail the information you log about customers and give them the right to view all of it (which can be done at the account page) but also to remove everything you have about customers.

Also detail which third parties get the information and what kind of information, for example PayPal or the shipping company. Also Google Analytics and Facebook Pixel.

You have to protect your website, more specifically your database, against attacks which can lead to your database being stolen. You have 72 hours to report any attack.

Also on that page you have to specify all the cookies you have and what their function is. Of course the website should have SSL and use an updated version of TLS and strong encryption for ciphers.

Also the right to remove the newsletters at the account page and also in the mail they're sent. (I think SMS/mail sent normally for orders doesn't matter as the client wants to make an order.)

Backups should be encrypted and secure. Some recommendations are to use 2FA or private keys to access sensitive information, for example the database.

Access to admin should have extra .htaccess protection, for example a password, and limit access to a VPN only.

Passwords for customers should have 9+ characters and admins 13+ (both a-z, A-Z, 0-9 and symbols). Encryption by default in osCommerce is MD5+salt but should be SHA-256 (minimum required).

Also run a firewall, IDS (Intrusion Detection System), and more stuff to avoid and detect attacks.

Some of those are recommendations, others are obligatory. If I missed something or I said anything wrong please also let me know.

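On the password storage point above: the legacy osCommerce format is "md5(salt . password):salt". The added example below (not osCommerce core code and not the poster's) verifies such a hash in constant time and, on a successful login, upgrades the stored value to PHP's password_hash() (bcrypt, available from PHP 5.5) rather than the plain SHA-256 the post mentions. Function names are ours; the sample hash is constructed.

```php
<?php
// Added example, not osCommerce core code: verifies a legacy "md5(salt . password):salt"
// hash and, on success, re-hashes with password_hash() (bcrypt) so the stored value is
// upgraded transparently at the customer's next login. Assumes PHP >= 5.5.

// Constant-time comparison; hash_equals() only exists from PHP 5.6 onwards.
function legacy_safe_equals($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// True when $stored uses the legacy "32 hex chars:salt" layout rather than a password_hash() string.
function is_legacy_hash($stored)
{
    $parts = explode(':', $stored);
    return count($parts) === 2 && strlen($parts[0]) === 32 && ctype_xdigit($parts[0]);
}

function verify_legacy($plain, $stored)
{
    list($hash, $salt) = explode(':', $stored, 2);
    return legacy_safe_equals($hash, md5($salt . $plain));
}

// Returns array(bool $ok, string|null $newHash). $newHash is non-null when the caller
// must UPDATE the customers row: either an upgraded legacy hash or a bcrypt hash whose
// cost parameter has fallen below the current default.
function check_and_upgrade($plain, $stored)
{
    if (is_legacy_hash($stored)) {
        if (!verify_legacy($plain, $stored)) {
            return array(false, null);
        }
        return array(true, password_hash($plain, PASSWORD_DEFAULT));
    }
    if (!password_verify($plain, $stored)) {
        return array(false, null);
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT) ? password_hash($plain, PASSWORD_DEFAULT) : null;
    return array(true, $new);
}

// Constructed sample: a legacy hash of "correct horse" with the two-character salt "7f".
$legacy = md5('7f' . 'correct horse') . ':7f';
list($ok, $upgraded) = check_and_upgrade('correct horse', $legacy);
// when $ok is true and $upgraded is a string, store $upgraded in place of $legacy
```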

Also cookies can't be stored on the visitor until he agrees with the cookie consent. So that's a bit of an issue in osCommerce as it creates cookie_test and osCid. If you use Google/Facebook they will create cookies for those also.


@sinopia It's been like that with cookie consent for years now. If people updated their cookie consent code and their privacy policy then most of the privacy policy should already have all the required information.

All of Gary's (@burt) GDPR modules cover most of the rest of your comments above apart from the server ones which most good hosts would be doing anyway.



Yes I've checked them. But even creating an account should only be name and email. Then (I suppose) making the checkout should be when more personal details are added (payment/shipping/delivery/VAT) but that isn't how osCommerce works.

But correct me if I'm wrong.. I'm still reading all of this.

