
Who in the EU has heard of GDPR and will it affect you


14steve14

Recommended Posts

So far, there is no version of the original osC that 100% complies with the EU laws, and the add-ons at https://apps.oscommerce.com/ unfortunately do not fulfil this either. Kind of sad.

  • The clever one learns from everything and from everybody
  • The normal one learns from his experience
  • The silly one knows everything better

[socrates, 412 before Christ]

Computers help us with the problems we wouldn't have without them!
99.9% of the bugs sit in front of the computer!
My programmed add-ons: WDW EasyTabs 1.0.3, WDW Facebook Like 1.0.0

if(isset($this) || !isset($this)){ // that's the question...


OK, so just what is the problem the EU is trying to solve with these GDPR regulations, and what can be solved with common sense and what is a bureaucratic nightmare? The following seem reasonable, without having to go through five permission popups per page:

  • Let them know (via button or link, not an annoying popup), when signing up or placing an order, what data you keep and for how long (justify keeping something like an IP address)
  • All data is available on their account information page, and (where reasonable and appropriate, such as their current shipping address or email address) can be updated, with confirmation sent to the [old and] new email addresses
  • No automatic signup (e.g., pre-selected checkboxes) for something like a newsletter or targeted ads -- the customer has to take explicit action to sign up
  • No tracking cookies or other saving of invasive personal information without explicit consent
  • Ability to unsubscribe from newsletters, targeted ads, etc. on the account information page, with reminder in the newsletter or ad
  • Can request to be forgotten (erase account) by an action on the account information page
  • "Last chance" notice that payment will be made and order processed if customer clicks a certain button

What else do customers need? Make it clear that some data is necessary for proper operation of the site (e.g., session cookies) and some is necessary for fulfillment of the order and may be retained according to statutory or accounting requirements. The customer will not be asked for permission on these items, but they should be listed somewhere for those who are curious. The customer will not be explicitly asked for permission to keep data when they have implicitly given permission by the act of filling in data fields -- the only time they will be asked is for optional items not absolutely required for the fulfillment of the order, such as signing up for a newsletter.

Anything missing? That may or may not meet the exact letter of the law, but does common sense say that it's sufficient to safeguard customer privacy? I'm leery of having to encrypt some customer data (except passwords), as anyone able to get to my database surely can get to my code and see the encryption key! I'm also leery of having to allow "outside" access (outside of the account information page, which already requires an ID and password), as that opens up a whole Pandora's box of access control issues, as well as "security questions" which are themselves invasive (and if compromised, could be used to gain access to other accounts of the customer).


@MrPhil

"Let them know (via button or link, not an annoying popup), when signing up or placing an order, what data you keep and for how long (justify keeping something like an IP address)" -> The customer has to confirm this (Privacy) when registering; this starts in May 2018.

The content of the Privacy Policy is determined by law, and the cookie law has already applied for a few years.


  • 2 weeks later...

I took part in my webinar on Friday and here are some of the main points that were raised. Apart from what has already been mentioned by some, the main points worthy of getting a mention here are:

1. You need to keep info about when someone gives consent. Things like the date will suffice, so that if questioned you can show when the consent was given.
2. Apart from the usual personal data that everyone considered, there are also things like forum nicknames, Facebook and Twitter names, which are all considered personally identifiable data.
3. You have to remove data when asked and can no longer charge to give customers all their info when asked under subject data requests. The days given to produce this information have also been reduced.
4. The most surprising one, and the one that may be the hardest to sort out: any personally identifying data already collected also has to comply.
5. There was some suggestion that some sites are already using tooltip-type features when customers fill out any identity data on web forms. So when filling out, say, the email address on the account creation page, a tooltip pops up and explains why the information is needed.
6. A rewrite of most terms and conditions, privacy policies and cookie policies is needed to account for the new rules and regulations.
7. Agreement to terms and conditions, and also the privacy policy, should be given somewhere on the site; most suggested when creating an account. If you use a guest checkout you need to do similar.
8. You also have to let people know what information you will keep even if asked to remove all data, as some has to be kept for legal reasons like tax, accounting and VAT, but once the time limit is up on these you must delete the data. So that means deleting something like invoice or VAT records after 6 years if you had been asked to delete all personal data for a customer.
9. Should you find out about a data breach, not only do you have to inform the ICO, you also have to inform all of your customers whose data you are keeping. Some large UK companies have already been fined under older legislation after a data breach because they had not immediately informed their customers whose data was affected. Those fines will be increased in the future.

Most of this has been in British law for a while now, but everyone has until 25th May to fully comply.

There are loads of good videos on youtube to watch if people want to.

This apparently is only the beginning of a set of major changes that will take place over the next year or so, but some may be changed due to Brexit. It's being done to bring the same features, rules and regulation to all EU countries and anyone that collects any data about any EU citizen.

REMEMBER BACKUP, BACKUP AND BACKUP
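As an added illustration (not osCommerce code, nor anything posted in this thread), a small Python model of points 1 and 8 above and of the "erase account" item in MrPhil's list: consent is stored with the date it was given, an erasure request wipes the account data immediately but puts invoices on a statutory hold, and a scheduled purge deletes them once the six-year window mentioned in point 8 has passed. The customer names, dates and the 6 × 365-day approximation of "6 years" are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 6 * 365   # the thread's figure: invoice/VAT records kept 6 years (assumed 365-day years)

@dataclass
class Consent:
    purpose: str     # e.g. "newsletter" or "share_with_fraud_screening"
    given_on: date   # point 1: keep the date consent was given

@dataclass
class Invoice:
    invoice_id: int
    issued_on: date
    name: str        # name/address stay on the invoice while it is on hold
    address: str
    delete_after: "date | None" = None   # set on erasure: end of the statutory hold

@dataclass
class Customer:
    email: str
    name: str
    consents: list = field(default_factory=list)
    invoices: list = field(default_factory=list)

def record_consent(c: Customer, purpose: str, today: date) -> None:
    c.consents.append(Consent(purpose, today))

def has_consent(c: Customer, purpose: str) -> bool:
    return any(k.purpose == purpose for k in c.consents)

def erase_customer(c: Customer) -> int:
    """Point 8: drop account data now; invoices stay until their hold expires."""
    c.email, c.name = "[erased]", "[erased]"
    c.consents.clear()               # consent records are personal data too
    for inv in c.invoices:
        inv.delete_after = inv.issued_on + timedelta(days=RETENTION_DAYS)
    return len(c.invoices)           # number of records kept on statutory hold

def purge_expired(c: Customer, today: date) -> int:
    """Scheduled job: delete held invoices once their retention window closes."""
    before = len(c.invoices)
    c.invoices = [i for i in c.invoices if i.delete_after is None or i.delete_after > today]
    return before - len(c.invoices)

def demo() -> tuple:
    # Constructed sample: one old and one recent invoice, an erasure request, then two purge runs.
    c = Customer("anna@example.invalid", "Anna")
    record_consent(c, "newsletter", date(2018, 5, 25))
    c.invoices += [Invoice(1, date(2013, 1, 1), "Anna", "1 Main St"),
                   Invoice(2, date(2018, 1, 1), "Anna", "1 Main St")]
    held = erase_customer(c)
    purged_now = purge_expired(c, date(2018, 6, 1))    # both still inside the 6-year hold
    purged_later = purge_expired(c, date(2019, 1, 2))  # the 2013 invoice is now past its hold
    return held, purged_now, purged_later, [i.invoice_id for i in c.invoices], c.email
```

Note that the invoice rows keep the customer's name and address for the whole hold period, so an erased customer is still identifiable from the accounting data until the purge runs, which is exactly what point 8 says has to be disclosed.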


On 3/16/2017 at 10:09 AM, burt said:

Never heard of it. No doubt more EU-Bulldust dreamed up by men in suits who have nothing better to do.

 

Not in the EU...the answer for many small businesses; don't sell to EU citizens. That takes away a whole layer of Bulldust.

 

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

When I wrote this, the above was true.  I had never heard of it, and I thought it was dreamed up by someone in an office with nothing better to do.

Now, I do know about it.  And while I still believe it was dreamed up by someone in an office with nothing better to do, I can also see that it might be useful for people to know what data is known about them.  After all, it is your data, not the property of the shopowner...


GDPR is more about what you do with people's personal data. You have to tell people why you need their data and what you will do with the data. As I see it, a guest checkout can be used as long as you let people know which of their data you will keep and why. If you don't keep and store any of their data, just let them know that you will only keep info for invoicing and tax reasons.

Saying that, I may be totally wrong, but maybe it should be looked into. I would 


There is an EU site all about these regulations here https://www.eugdpr.org/eugdpr.org.html.

Have a read, there is a lot to take in. GDPR has actually been in place for almost 2 years now; it's only now, with the final time limit to implement it, that it's come to people's attention. Remember that it's up to everyone as a business to find out about law changes that apply to their business.

The hardest part, I think, to comply with will be to make sure that the person that is asking to have their data removed is actually the person the data is about. I have been told that one form of photo ID and a utility bill to prove the address should be enough. I can't see many people that will like sending that to businesses. Which is why I believe that Gary's idea of a page to see what data people are keeping is a good idea. Let people delete their own data, as they should be the only person that knows the password required to get to the data.


13 hours ago, Stephan Gebbers said:

If you need some external services like Maxmind or Fraudlabs, what do you need to take care for external services in regards of GDPR?

It would be really cool if you emailed these two companies, asking for their advice...
When/if you get a reply post it back to this thread...

I *guess* you will need to have extra tickboxes asking for customers permission to send some details to maxmind/fraudlabs.
What customer details are sent?  I have never used either of these, so I don't know...


19 hours ago, ArtcoInc said:

What does the GDPR say about Guest Checkouts?

I'd guess exactly the same as @14steve14's reply.

You would still need a permission tickbox to store their data (for your orders).
If the customer, then in the future wants to know what data you hold...

I *guess* you would not have an account to search for, so how would you get the order data ?
Search by name?  Email?  Order ID (if they have it)?


3 hours ago, 14steve14 said:

Which is why I believe that Gary's idea of a page to see what data people are keeping is a good idea. Let people delete their own data, as they should be the only person that knows the password required to get to the data.

I'm thinking the page might not be 100% perfect, but it might be enough to make the customer happy
and then not have to email shopowner, forcing shopowner to take an hour out of their day sorting it out.   

That's the aim, anyway.


15 hours ago, Stephan Gebbers said:

If you need some external services like Maxmind or Fraudlabs, what do you need to take care for external services in regards of GDPR?

You need to let your customers know that you pass on their information to outside sources and need their permission to do so. So not only should it be in your privacy policy, you will also need a tickbox to confirm that you can share it. On the create account page you will also need a tickbox to say that a customer has read and understood not only your T&Cs but also the privacy policy.

Or that's how I read the regulations.


1 hour ago, 14steve14 said:

You need to let your customers know that you pass on their information to outside sources and need their permission to do so. So not only should it be in your privacy policy, you will also need a tickbox to confirm that you can share it. On the create account page you will also need a tickbox to say that a customer has read and understood not only your T&Cs but also the privacy policy.

Or that's how I read the regulations.

When you print a shipping label (through the Post Office, or UPS, or FedEx, or ...), you have to enter your customer's name and address. Is that considered 'sharing' their information?


10 minutes ago, ArtcoInc said:

When you print a shipping label (through the Post Office, or UPS, or FedEx, or ...), you have to enter your customer's name and address. Is that considered 'sharing' their information?

Yes.


And you have to get explicit permission to share that address with the shipping company? This is going beyond merely stupid...

Just implement common-sense data privacy and security measures, and ignore the rest of it. As part of your Privacy policy, state that entering such information implies consent to use it in such a manner. If The Man harasses you about it, make a big public stink about how absurd the rules are and how every online business in the EU is going to have to close up shop or move to the UK or US.


6 minutes ago, MrPhil said:

...and how every online business in the EU is going to have to close up shop or move to the UK or US.

Phil you may be missing the point, maybe?

These rules apply to you, if you run a shop located *anywhere*...if you serve or have served just one EU citizen.

Saying this;  "well, I just won't sell to any EU citizens" is great, but....

Example
Let us say your shop is located in USA. 
And some random french guy is in the US for 6 months working, so you sell to him at his US address...

Outcome
You are now bound to apply GDPR rules from that point forwards.  You have served an EU Citizen.


@MrPhil it's not a case of just moving to the US or somewhere else. It affects everyone that sells to customers in the EU. Moving to the States means you would still need to comply, though how it will be policed and enforced I have no idea. Gary beat me to it.

It's another EU fudge-up if you ask me. I can see what they are meaning to do, but in true EU fashion they make it too complicated. Just including data that has already been collected made it almost unworkable. If I have to get confirmation from all my customers before I can once again store their data, I will be spending so much time deleting stuff that nothing else will be done.

@ArtcoInc As Gary says that will need to be mentioned in the privacy policy for the site.


3 minutes ago, 14steve14 said:

It's another EU fudge-up if you ask me. I can see what they are meaning to do, but in true EU fashion they make it too complicated.

Agreed.

It's going to be a very problematic system I think. 
I can foresee 1000s of people (those with tin foil hats on) contacting every site they ever signed up to.  


(setting aside the stupidity of all of this ...)

Can one, as @MrPhil suggested, include in the privacy policy that using the store IMPLIES consent? Or, must the customer expressly consent? If so, would a check box during checkout (with a link back to the privacy policy) be sufficient?

And, does this mean that we must go back to all of our past customers and explicitly get their consent for what has already happened?


Can you imagine if even a small percentage of people in the EU suddenly demand that all their forum/blog posts, reviews, endorsements, tweets, etc. be immediately deleted? It will be chaos, but the GDPR says they can. Can you imagine having to ask people for permission to pass their shipping address on to the Post Office or shipping company? The intent (to protect privacy) is noble, but the execution is seriously flawed. It's one thing to implement reasonable data protection and privacy rules, but the GDPR goes beyond the Pale.

If someone in the EU buys from me, and the bureaucrats get their panties tied in a knot because I'm not following the GDPR to the letter, tough shit. I'll implement reasonable practices and guidelines, but nothing beyond that. What are they going to do, request that the US government arrest me and send me to Brussels to be hanged? Maybe that much howling, derisive laughter will do us good on this side of the Pond.


53 minutes ago, burt said:

These rules apply to you, if you run a shop located *anywhere*...if you serve or have served just one EU citizen.

I'm no lawyer but I'm not sure this is true.   As I understand it, the EU or any country for that matter only has the ability to write laws governing their own people...they can't impose laws or rules on the citizens of other countries nor could they enforce them. 

Dan 


5 minutes ago, MrPhil said:

Can you imagine if even a small percentage of people in the EU suddenly demand that all their forum/blog posts, reviews, endorsements, tweets, etc. be immediately deleted? It will be chaos, but the GDPR says they can. Can you imagine having to ask people for permission to pass their shipping address on to the Post Office or shipping company? The intent (to protect privacy) is noble, but the execution is seriously flawed. It's one thing to implement reasonable data protection and privacy rules, but the GDPR goes beyond the Pale.

If someone in the EU buys from me, and the bureaucrats get their panties tied in a knot because I'm not following the GDPR to the letter, tough shit. I'll implement reasonable practices and guidelines, but nothing beyond that. What are they going to do, request that the US government arrest me and send me to Brussels to be hanged? Maybe that much howling, derisive laughter will do us good on this side of the Pond.

Hot damn, you're my new Hero :)

As we in the UK have found out...the majority want nothing to do with Brussels.
