thirty bees forum

New General Data Protection Regulation 2018-05-25


zimmer-media


At the moment, I have not fully addressed this, but is there any TB-related preparation for the new General Data Protection Regulation?

for example: http://ec.europa.eu/justice/data-protection/reform/index_en.htm

and PS-newsletter: https://www.prestashop.com/de/blog/neue-datenschutz-grundverordnung-was-andert-sich?utmsource=newsletter&utmmedium=e-mail&utmcampaign=newsletter-DE&utmcontent=Datenschutz&spMailingID=12466951&spUserID=MTc2NDI0NzAyNjMyS0&spJobID=1282747793&spReportId=MTI4Mjc0Nzc5MwS2


The GDPR is not a plan to over-regulate and make it hard for small businesses. It actually makes things much more difficult for larger businesses with complex processing activities. It's quite straightforward for shops like ours. Though I do agree that it's not the most brilliant piece of legislation out there. It definitely has its flaws.

Some things that should be implemented off the top of my head and without going into the specifics:

  • Google Analytics AnonymizeIP
  • Delete orders
  • Edit orders
  • Not keep guest customers indefinitely
  • Not keep indefinitely guest visits who didn't finalise their order but where we captured their email address
  • Allow nicknames/anonymous name for reviews


Sure.

  1. Deleting orders. This is against the simple premise of ecommerce. When an order is deleted, stock should be returned. Deleting orders will put stock in your shop that is not actually there.

  2. Guest customer data is good historic data. It has no name tied to it, so no one can claim ownership of it.

  3. Keeping guest customers should not be an issue. When they are deleted, it will break orders. This is a major rewrite, nothing that can be put into a 1.0.x version.

  4. Anonymous / nicknames for reviews do not build trust. That is why most review systems use the name tied to the account, not an alias. This also could be a breaking change, because on some level internally the review is going to be tied to a name, or it will not be a verified review.


I think one thing that people in the EU miss when talking about these laws is they are front facing laws. Disabling an account should bring you in compliance. Data does not have to be deleted.

Here is a great scenario. Would it be possible for me to commit a bunch of fraud and before I got caught send my bank a right to be forgotten letter asking them to delete my data? Every crook would do this.

Another example is what if I buy a product with a lifetime warranty? Do I give up my warranty when I ask to be deleted?

How far do you actually take this information? When I want to be deleted I want to be removed from your old paper records. I want to be removed from your tax filings, I want my name no longer associated with a purchase in your shipping carrier's records. I don't want to show the payment in your bank account from 2 years ago. I want you to physically forget you ever talked to me. Deleting the data is not realistic and is actually illegal in the US under a lot of circumstances.


@lesley said in New General Data Protection Regulation 2018-05-25:

Sure.

  1. Deleting orders. This is against the simple premise of ecommerce. When an order is deleted, stock should be returned. Deleting orders will put stock in your shop that is not actually there.

  2. Guest customer data is good historic data. It has no name tied to it, so no one can claim ownership of it.

  3. Keeping guest customers should not be an issue. When they are deleted, it will break orders. This is a major rewrite, nothing that can be put into a 1.0.x version.

  4. Anonymous / nicknames for reviews do not build trust. That is why most review systems use the name tied to the account, not an alias. This also could be a breaking change, because on some level internally the review is going to be tied to a name, or it will not be a verified review.

Thanks for the details. I think all of these points can be addressed/fixed with a proper discussion (we'd need to phone, quicker). But:

  1. When you delete an order, there should be a check box: Restock (y/n)? You might want to do this because there are spam orders/test orders/whatever. Give the freedom to the merchant to decide.

  2. I have guest data, with an email address, of customers who never placed an order. I can follow up on the customer if I want to, but I should also have e.g. a 14 day auto delete possibility. Again, enable the merchant.

  3. Agree with customers who placed an order. But I have guest customers (different customer ids, but same email) who "signed up" multiple times but who only placed an order for one of these. Let's only keep the customer id where there's an order.

  4. We can have verified reviews and non-verified reviews. Again, let the merchant decide. Don't force something on the merchant. Different cultures, different approaches to ratings, etc. You can have only the initials of a customer, for example. The MAJORITY of my customers only gave a review when we enabled (in my old system) reviews with initials. Again: Let the merchant decide.


@lesley said in New General Data Protection Regulation 2018-05-25:

I think one thing that people in the EU miss when talking about these laws is they are front facing laws. Disabling an account should bring you in compliance. Data does not have to be deleted.

Here is a great scenario. Would it be possible for me to commit a bunch of fraud and before I got caught send my bank a right to be forgotten letter asking them to delete my data? Every crook would do this.

Another example is what if I buy a product with a lifetime warranty? Do I give up my warranty when I ask to be deleted?

How far do you actually take this information? When I want to be deleted I want to be removed from your old paper records. I want to be removed from your tax filings, I want my name no longer associated with a purchase in your shipping carrier's records. I don't want to show the payment in your bank account from 2 years ago. I want you to physically forget you ever talked to me. Deleting the data is not realistic and is actually illegal in the US under a lot of circumstances.

That is not how the law works.

It's not about deleting all types of data. This is a common misunderstanding. It's about deleting data that is a) no longer subject to a legal obligation to be kept or b) no longer required for the purposes for which it was originally collected. Those are the cases I gave above.

Simply disabling an account MAY bring you in compliance, but it MAY NOT in other cases. It depends on the data processing.

Taking your fraud case: No, you could not make your bank do this. There are a bunch of other requirements that oblige the bank to keep the law.

Taking the lifetime warranty: No, you do not. You may keep a record of the warranty yourself.

The other cases you all mention are mostly not subject to a random deletion request by the customer. All of these cases are subject to certain retention periods.

About deleting data not being legal in the US in certain circumstances: It's the same in the EU.

I think we need to decide: Should tb be guided mainly by a US understanding or would you like to also let the EU influence its development?

When I posted on my old EU shop platform's forum about tb, a lot of the (annoying) replies were: Ah, it's a US company, they'll not really have our (EU) interests in sight. I hope that was wrong.

Also, if we take a look at Shopify from Canada, which is also very popular in the US: They actively recruit privacy engineers and they also have a sizeable privacy department. That isn't only because of the EU, but because of legislation around the world, including the US.

Finally, the laws are not only front facing. The regulators do actually audit companies for their data retention plans and data clean up processes. They check what data is collected for which reason. The regulators are becoming increasingly tech savvy and also inspect eg data flows from the merchant's shop to third parties such as payment providers.


One thing I have noticed, you can even notice it with this thread, is the regulations are only problems for the Germans. These are German changes, not EU changes. 70% of thirty bees shops are EU companies, the Germans are the only people that seem to be having these issues.

We want to be compatible for every localization that it makes sense for us to be compatible with. That being said, we cannot break the software as a whole for a small fraction of our users. Let me be clear on this, if it was the US that wanted to institute some of these policies I would tell them to screw off as well. A great example is taxes. thirty bees cannot and will not be able to handle some of the taxing in the US. It's something we are not going to build into the system, it would be too time consuming.

This is what I am seeing you are needing, correct me if I am wrong.

Ability to delete orders. This is something we can add, the functionality is actually halfway there and hidden.

The ability to remove old carts from a certain date back that do not have an order affiliated with them. This can be made into a module rather easily: it is a text field, a button, and two queries.

The ability to leave reviews with aliases and not real names. This is going to be a little bit tougher. We will have to add the functionality to the product comments module. We can't do what WordPress does and use a core alias currently. It would break just about everything doing that. So we would have to limit it to the product comments module for the time being. This module is due for a big rewrite at the start of the year. We can add that in with the other features we want to add. The alias would not be able to be used across the shop though, just for commenting on products.

As far as I know, Shopify is currently under investigation in the EU for being a get rich quick scheme.

I want thirty bees to be compliant everywhere, but some things we are not going to add into the core and will be done as modules, because of their specific limited use. Internally we have kicked around the idea of actually having a setup after the installation. So it would ask merchants questions about their company and set settings for them, like taxes, EU components, and other things.
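The "text field, a button, and two queries" cart cleanup described above, written out as an added example; this is not thirty bees' own code or anything the poster wrote. It assumes the PrestaShop 1.6-style tables thirty bees inherits (cart, cart_product, orders, customer), a table prefix of tb_ (adjust to your shop's), MySQL syntax, and the 14-day retention window suggested earlier in the thread; the last statement goes a step further and also covers the orphaned guest-customer records raised in the thread.

```sql
-- Added example, not thirty bees' own code. Assumed: PrestaShop 1.6-style
-- schema, table prefix tb_, MySQL. Carts that became an order are never
-- touched, so stock and order history stay consistent.

SET @retention_days = 14;   -- the module's text field; make it a setting

-- Dry run: how many abandoned carts would go? Check this before deleting.
SELECT COUNT(*) AS abandoned_carts
FROM tb_cart c
LEFT JOIN tb_orders o ON o.id_cart = c.id_cart
WHERE o.id_order IS NULL
  AND c.date_upd < DATE_SUB(NOW(), INTERVAL @retention_days DAY);

START TRANSACTION;

-- Query 1: the line items of those carts (no cascade exists in this schema).
DELETE cp
FROM tb_cart_product cp
JOIN tb_cart c ON c.id_cart = cp.id_cart
LEFT JOIN tb_orders o ON o.id_cart = c.id_cart
WHERE o.id_order IS NULL
  AND c.date_upd < DATE_SUB(NOW(), INTERVAL @retention_days DAY);

-- Query 2: the carts themselves.
DELETE c
FROM tb_cart c
LEFT JOIN tb_orders o ON o.id_cart = c.id_cart
WHERE o.id_order IS NULL
  AND c.date_upd < DATE_SUB(NOW(), INTERVAL @retention_days DAY);

-- Follow-up from the thread: guest customer rows (the records that actually
-- hold the email address) with neither an order nor a remaining cart.
-- Addresses and other per-customer tables also reference id_customer, so a
-- real module should delete through the Customer class, not raw SQL.
DELETE cu
FROM tb_customer cu
LEFT JOIN tb_orders o ON o.id_customer = cu.id_customer
LEFT JOIN tb_cart  c ON c.id_customer  = cu.id_customer
WHERE cu.is_guest = 1
  AND o.id_order IS NULL
  AND c.id_cart  IS NULL
  AND cu.date_add < DATE_SUB(NOW(), INTERVAL @retention_days DAY);

COMMIT;
```

Run the dry-run SELECT alone first and log the count; the deletes only belong behind the button once that number looks right for the shop.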


I hope not to write anything wrong now. It would be nice if more people participated in such topics. In the so-called dealer alliances, I have neither confidence nor trust that they take care of it; the main thing is to collect their monthly contribution. Dealers representing their opinions to the government seems to be absolutely useless. The only more or less useful thing they offer is up-to-date General Terms and Conditions etc. The winner is the online buyer or the black sheep (fake seller).

If I go to a brick-and-mortar business, where is the huge notice with the AGB or the right of withdrawal??? (I know - bad example, but who is it, overnight disappeared from brick-and-mortar stores)

As a trained accountant, I try to keep an eye on things. Since I started out with my own business about 5 years ago, things have been made more difficult for small businesses in Germany and the "EU".

I do not know how it is in the US, but is there a packaging ordinance and other such things?


@lesley said in New General Data Protection Regulation 2018-05-25:

One thing I have noticed, you can even notice it with this thread, is the regulations are only problems for the Germans. These are German changes, not EU changes. 70% of thirty bees shops are EU companies, the Germans are the only people that seem to be having these issues.

How do you come to this opinion? :-)

The UK's ICO is one of the most active in this area, the Dutch are super strict, same as the Spanish and French. Poland and Italy are crazy strict, too, and have, in many areas of data protection, requirements that go beyond other member states.

Please don't confuse a vocal merchant community and an active media for how things are behind the scenes.


@mdekker said in New General Data Protection Regulation 2018-05-25:

Can you name a few examples?

Most small merchant cases don't get reported. My statements come from professionals in this area working in these countries.

But:

France: https://www.cnil.fr/en/facebook-sanctioned-several-breaches-french-data-protection-act

Italy: https://www.insideprivacy.com/international/european-union/italian-dpa-issues-record-data-privacy-fine/

Netherlands and France: https://www.theverge.com/2017/5/17/15651740/facebook-privacy-violation-france-netherlands-fine and https://www.lexology.com/library/detail.aspx?g=ad2e6ff6-3f68-4b74-bddf-ddffce701466

etc.


As an American that is not multilingual, you don't know how much I appreciate you posting links in English.

Let's go over them though.

France and Facebook. This is a cookie consent issue and a privacy policy issue.

Italy and that case. They were laundering money using a term we call structuring in the US to avoid detection, but they were using other people's names to do it.

Netherlands and France, this is pretty much the same as the first France article talking about privacy policies and informing users what you are doing with data.

Netherlands and France #2, this article is about what you need to disclose when your site has a data breach.

None of the articles you posted have anything to do with storing data. The one thing they all have in common is letting users know what you are doing with it. Two distinctly different things.

Re: osCommerce, so dead e-commerce platforms?


The articles were about data protection authorities in general. Not specifically about deleting data.

Authorities conduct regular data protection audits of companies, both on a random and a targeted basis (e.g. due to customer complaints). Mostly, the outcomes of these audits are not made public. That one is unaware of them does not mean they aren't there.

It's like with criminal cases: The OJ Simpson case hit the headlines worldwide, the small-time shoplifting case doesn't even make it into the news.

You seem to be very skeptical. I'll tell you what, @lesley. I'll contact the country data protection authorities of your choice and give them the questions you want to know.

About osCommerce derivatives: There are a lot of them still active. And regardless: dead or not, they can deal with all of the above. Maybe their architecture is smart, after all. Shouldn't systems empower the owners and not restrict them? I think we can all agree on that.

Take a look at Shopware, which has come to dominate the German market. It's also fully compliant. I can't comment on the other systems - you're the expert. I find it hard to imagine that most can't deal with the very simple requirements I stated.


It's not that I am skeptical, there is a stark difference in my mind between data protection and data deletion. We are very security minded here and try to make it impossible to leak data, so I feel like the protection part is handled.

See we are back to it being a German issue again.

I would like to get some other input on this, because the requirements you stated, I said how we could meet them.
