Who in the EU has heard of GDPR and will it affect you

[♥14steve14]

1 hour ago, yahalimu said:

Hi,

We don't send newsletters/unsolicited emails. (as yet) so have sent out no consent emails. If I did I would use mail-chimp as we've had issues before with mass emails from the shop and getting IP blacklisted by gmail and live and other 'learning' or 'intelligent' spam filters due to sheer numbers  of new mail and customers sticking in them their spam folder..

Although many are sending consent emails to everyone in their database, as I read it customers you have a 'relationship' with (ie. order regularly or at all) do not need to consent to the new privacy policy unless you intend to mail them.

I have put a notification on the log-in and added the privacy policy to the MATC tickbox.

I have NULL'd all newsletter entries before 25th May as the newsletter tick box was pre-ticked previously. Since I pre un-ticked the newsletter box the rate has dropped from 80% to 7% of customers requesting it.

I've deleted all inactive accounts with no purchases older than 5 years and email T&C's (inc. privacy policy) on every order confirmation

If and when we do decide to mail out newsletters I will then send all the pre May 25th customers (all 26,000 of them) advising them of the new PP (which apparently needs no permission/opt-in) and they will now have to opt-in to newsletters if they want them, possibly with the bait of a discount code (which is seeming popular) and how to delete their account,no real rush til then I think.

I'm sure someone is going to tell me that's wrong but after reading all the differing interpretations those are mine. I think just wait and see how it all rolls out and react accordingly.

 

 

 

 

 

If you do not legitimately have customers consent which it sounds like you dont, as the box was pre ticked, you wont be able to email your current customer list. You could have done it before 25th but you didnt.

But that is my interpretation of the rules.

[yahalimu]

Hi,

To send them newsletters or anything they need to consent to yes.

But the GDPR also says it is also a requirement to inform all customers of any changes to the privacy policy, whether they are a newsletter subscriber or not and does not need consent.

This obviously can be at any time.

 

 

 

 

 

[♥14steve14]

46 minutes ago, yahalimu said:

Hi,

To send them newsletters or anything they need to consent to yes.

But the GDPR also says it is also a requirement to inform all customers of any changes to the privacy policy, whether they are a newsletter subscriber or not and does not need consent.

This obviously can be at any time.

 

 

 

 

 

As long as you are only emailing those customers about their orders, customer services relating to orders or sales or policy changes thats fine. There is something in the regulations about a line between normal transactional emails and marketing emails.

[MrPhil]

On 5/25/2018 at 7:01 AM, JcMagpie said:

Well everyone had plenty of time to get on with it only your self to blame if the grim EU comes knocking at you door :)

https://www.youtube.com/watch?v=0frHw-7J4Mk

 

[burt]

Here is Gumtrees take on that "positive affirmative action for consent"... 

So, if you click a link, or press "I accept" ... you've accepted.  No way to say "no".

[MrPhil]

I don't see anything wrong with having several links to more detailed information (so long as they don't drop their own cookies, etc.). How can you make an informed decision on such things without information? The objection here is that you MUST accept their terms, simply to proceed. There does not appear to be any way to use the system without having accepted their terms, which IS contrary to GDPR and other laws. I suppose they could add something like "If you do not accept these terms, it is not technically possible for you to use our system (it uses cookies, etc.)", but even that may be problematic.

[♥JcMagpie]

My approach is a little simplistic.

[♥14steve14]

2 hours ago, JcMagpie said:

My approach is a little simplistic.

I see on several sites now something similar to what is on the Lloyds bank site. https://www.lloydsbank.com/personal.asp There is an option to manage cookies.  How that works I have no idea.

[♥JcMagpie]

Na! not worth the effort. Thats just a widget lots of those have been doing the rounds, I've had loads of tel sales bugging me telling me my site needs them , The EU have a help site which gives info on it. Intrestingly they dont require anything that fancy just yes or no.

http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_5

Its ironic that on there site to download Documentation Cookie Consent Kit they as for you email!!! 

 

 

 

[burt]

11 hours ago, wHiTeHaT said:

There is already 3 links in THAT cookie message.
So i do not think that this is the legal way.
Assuming before i accept anything i would like to read more about their "brands", "learn more" " manage your privacy settings".

or do i miss the whole thingy here?

100% not legal per the GDPR regulations.

What they say is;

click any link and you have accepted.

But what if I want to view their terms/privacy and then decline.  

[burt]

It's eBay though.  One of those sites that gets away with all sorts of shit because they are big. 

[♥JcMagpie]

13 hours ago, wHiTeHaT said:

your code can be on the market for £25

Nice clean looking website  is it official or private ?

[♥JcMagpie]

On 27/05/2018 at 12:49 PM, MrPhil said:

https://www.youtube.com/watch?v=0frHw-7J4Mk

 

had forgotten how good they were, will have to find a copy and watch again

[♥Dan Cole]

14 hours ago, wHiTeHaT said:

your code can be on the market for £25

Looking good Henry.

Dan

[♥JcMagpie]

Just now, wHiTeHaT said:

It is official unofficial

cool lest see if we can get people to use it. But I have to be carfull dont want to upset anyone. So its only unofficial support.

[CasperC]

We did spend quite some time adapting. We bought a GDPR-software which had several templates. Everything from incoming orders, handling, newsletters and storage of data have been described thoroughly. The software certainly made it quicker to become compliant. 

[ArtcoInc]

https://www.business2community.com/cybersecurity/gdpr-2-0-comes-to-the-united-states-02092832

GDPR 2.0 Comes to the United States

On June 28 2018, California Governor Jerry Brown signed into law AB 375, the California Consumer Privacy Act (CCPA) of 2018. The statute, seen as one of the toughest privacy laws in the United States, will require companies to tell California residents what information is being collected and how it’s used. You have 18 months to get ready.

 

 

 

 

 

 

 

 

For organizations already actively complying with the requirements of the European Union’s General Data Protection Regulation (GDPR), the CCPA will have little impact. You are already doing what you need to do to comply, as the California statute’s intent is very similar to GDPR. The goal of both of these laws — and the Australian Privacy Principles — is to give consumers ownership and control of their personal data. And it provides the legal bite to ensure compliance.

If your US-based organization, however, has not started or believes that the GDPR will not have an impact on your local business, the new law is more than a wake up call, it’s your fire alarm. And where California goes, many other states will follow.

The new law will more than likely require a thorough review of your data security controls or risk expensive litigation and fines.

Here’s a quick look at the highlights:

• California’s Attorney General’s office will have the authority to enforce the law when it goes into effect in January 2020.
• It has provisions for allowing people to tell companies to delete or stop selling their information.
• The law does not force companies to stop collecting information OR provide provisions for consumers to request companies stop collecting their information.
• Like the GDPR, the California law has a broad definition of PII (IP addresses, geo-location and browsing info [cookies])
• The California law has an exception for personal information “de-identified or in the aggregate consumer information;” however, the law doesn’t give much detail on the identifiers that are not subject to scrutiny.
  • Aggregation of information might also be an alternative way for advertisers to ignore the law.

With 18 months to enforcement, companies need to start today. Most companies focused on security and compliance already maintain formalized incident response, disaster recovery/business continuity plans as well as comply with encryption/data anonymization for sensitive data storage and have gone through at least a rudimentary data-mapping process that should easily surpass the California requirements. If that isn’t the case for your organization, implement the GDPR methodologies and processes to comply with the CCPA and you will be set for any eventuality.

[burt]

Nice!  When I first heard about GDPR I was "bloody EU meddling bas---- bureaucrats".  Since it came into force, I've got my details removed from numerous sites with no questions asked.   

So, good for California - what you guys will see is some resistance from Shopowners to the whole idea, then when it comes these shopowners will realise "hey that was easy".  And when it is in force...most "Joe Average" will find it useful.  And yes, I agree...what one state does...the rest will follow.

[MrPhil]

Well then, applications such as osCommerce should be GDPR/CCPA ready right out of the box, with all the places explaining what the site does with your data ready to be filled in (or customized), and all the tools in place for customers to make requests and manage their data. Not add-ons -- built right in, as it will be needed almost everywhere.

[burt]

Adding stuff in is not the way forward.  The way forward is modular.

[MrPhil]

I don't care what form it takes, so long as it's not something that a store owner has to go looking for and install separately. Turning it on manually is OK, but it has to be built in. Any store software that has it built in is going to have a major advantage over all others where it's an "extra" afterthought, because almost everyone is going to have to use it.

[burt]

I'm 100% sure that things will be removed from Core, in order to make it;

1. easier for "Team" (hahaha) to support
2. easier for coders to code new stuff
3. easier for shopowners to have a choice of what they want

I can't imagine any scenario where osCommerce gets more things added.

As for GDPR things:

• There is already a very good GDPR system available for these (as you put them) "business people who don't want to be computer wizards" .

[♥14steve14]

But where would the legal stuff stop. GDPR, Taxes, VAT and all the different legal rules from every country,  the code would be a nightmare. May be there should be a package available for each country, similar to the concept of a language pack, that would include all the legal stuff for all the countries, all as modules. Each pack could them be maintained by someone with an interest and knowledge of the laws in each countries. Each pack could also contain things like currencies set up, date and address layouts, and so much more, but it will take lots of organising and will soon become a headache,and would get left and then become outdated because only a few people would want it, and others couldnt be bothered to update things as needed. It would become a mess like many other addons. It would also mean more work in altering the core code to allow these things to be added as a package.

The only trouble being this will never happen as no one can access the core code, and without help Gary cant do everything on his own.

[♥JcMagpie]

Politicians flip & flop all the time, It would be a nightmare keeping it up to date with every change! Also giving league advice in the core or as an add-on is not wise as it would open OsC to legal complications. Its best people get advice from own local legal experts so there is no comeback on OsC. People should be getting there T&S and other stuff legally check anyway.

I would definitely keep it out of core.

[ArtcoInc]

* update *

The recently passed law here in California has this provision:

What “Businesses” Are Covered?

The CCPA broadly applies to “businesses” that operate for-profit and (1) have an annual gross revenue of more than $25 million, (2) buy, receive or share for commercial purposes, or sells personal information of 50,000 of more consumers, households, or devices, or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The CCPA also applies to entities that share common branding with a qualifying “business” and that controls or is controlled by that business.

(fwiw)

PS:

Some more "interesting" reading ...

https://digiday.com/media/wtf-california-consumer-privacy-act/