thirty bees forum

Recommended Posts

Posted

Session cookie with 0 value expires when browser closes and does not need any consent or blocking, and no need for converting the main tb/ps cookie as the option is there in back office. But mostly preset to 20 days :) I don't need to convert it as I have had it set that way for a long time already.

Posted

@toplakd said in PGRD Compliancy Module:

Session cookie with 0 value expires when browser closes and does not need any consent or blocking

Yes, but it will also log out your customers. Your anonymous visitors won't be able to access their cart once they close the browser... It's too drastic. Why do it, if it's not necessary?

Posted

I don't have anything from anonymous customers. Most browsers support remembering login credentials, and when the customer logs in then he has his cart available. Once a visitor decides to register, then his cart will also be saved :)

Posted

@datakick said in PGRD Compliancy Module:

So, the first thing you’ll wanna do is to disable module Data mining for statistics – that will fix this problem. We will lose statistics, though. While we are talking about this, you’ll also need to modify your apache/nginx logging settings, and omit/obfuscate IP addresses from your access/error logs, as this is also a GDPR violation.

What?! And what evidence can we have in case of abuse?

Posted

@datakick said in PGRD Compliancy Module:

Your anonymous visitors won't be able to access their cart once they close the browser... It's too drastic. Why do it, if it's not necessary?

I think this below is more drastic :) than guests losing their carts [attached screenshot: Screenshot from 2018-05-26 00-07-39.png]

Posted

@datakick The cart has already saved item selections, associated with an IP, and has a default address. In addition, Prestashop never destroys cookies, only the customer object in it, so it is an additional security. 2 lawyers approved my choice.

Posted

Not to upset your lawyers, but not every lawyer understands how cookies work. Persistent cookies are considered to be personal data for their sheer existence. It doesn't matter what's inside.

Solution: either make it a session cookie, so the browser deletes it after the session, or ask the user for permission to store this cookie. Maybe you do this already, which is why your lawyers agree.

Posted

What?! And what evidence can we have in case of abuse [without recorded IP addresses]?

Regarding Apache/Nginx logs and such stuff, recording them for a "limited persistent duration" is explicitly allowed. See http://ec.europa.eu/ipg/basics/legal/cookies/indexen.htm#section2 , 5th bullet point. Which means, just rotating logs fast enough should bring compliance. If IP addresses disappear from logs after a week it should be compliant with GDPR. And to be honest, one doesn't really need logs older than a week for fighting abuse, right?
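The two log-handling measures discussed in this thread, obfuscating client IP addresses in the access log and discarding entries older than a week, as an added example that is not part of the original posts or of thirty bees. It assumes the Apache/Nginx "combined" log format; the prefix lengths (/24 for IPv4, /48 for IPv6) and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Combined log format: remote address, ident, user, [timestamp], request... (constructed regex)
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host part of an address so it no longer points at one device.
    Prefix lengths are an assumption chosen for this example."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr  # not an IP literal (e.g. "-"); leave it untouched
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def scrub_line(line: str) -> str:
    """Replace the remote-address field of one combined-format log line."""
    m = LINE_RE.match(line)
    if not m:
        return line
    return f"{anonymize_ip(m.group('ip'))} {m.group('rest')}"


def retain_line(line: str, now: datetime, max_age: timedelta = timedelta(days=7)) -> bool:
    """True if the entry is younger than max_age; unparseable lines are dropped."""
    m = LINE_RE.match(line)
    if not m:
        return False
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return now - ts <= max_age


def scrub_log(lines, now: datetime, max_age: timedelta = timedelta(days=7)):
    """Apply the retention cut-off, then anonymize what is kept."""
    return [scrub_line(line) for line in lines if retain_line(line, now, max_age)]


# Constructed sample entries (documentation IP ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.45 - - [26/May/2018:00:07:39 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5 - - [25/May/2018:14:02:11 +0200] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2018:09:00:00 +0200] "GET /product/1 HTTP/1.1" 200 8000 "-" "curl/7.58"',
]
NOW = datetime(2018, 5, 26, 12, 0, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for entry in scrub_log(SAMPLE_LOG, NOW):
        print(entry)
```

Running the block on the constructed sample keeps the two recent entries with their addresses truncated to 203.0.113.0 and 2001:db8:abcd::, and drops the 16-day-old one.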

Posted

@traumflug said in PGRD Compliancy Module:

Persistent cookies are considered to be personal data for their sheer existence. It doesn’t matter what’s inside.

This is nonsense. Show me where, in the GDPR text, is this written.

As a specific example: when I create a persistent cookie that contains theme=light (and I obfuscate/omit IP addresses from nginx/apache logs), how can this be considered personal information? Show me how this cookie could be used to identify a natural person. If you can't, it's not subject to GDPR, even though it's a persistent cookie.

Another example: when I create a session cookie that contains [email protected], then every request to my server will contain this cookie. If I collect/process this information on the server side in any way, then I've breached GDPR law. It doesn't matter at all that this information was stored in a session cookie.

Everyone, please stop with this session/persistent cookies nonsense. Although it's important in cookie law context, it doesn't matter for GDPR.

For GDPR, only cookie content is important. If a cookie can be used to identify a natural person, either directly or indirectly, it's subject to this law. Otherwise it's not.

Posted

Honestly, the truth is until the law is litigated we will not know what is actually required. I know for a point of contention that a ton of people can be identified without one piece of information given, just by machine footprint. I have been following this project for a while, https://amiunique.org/fp

Posted

@lesley I agree with you.

Basically, any collected information that can be used to identify a natural person is subject to GDPR.

In this case I'm not sure -- a machine footprint can (to some extent) identify an anonymous visitor, but is it the same as identifying a natural person? I agree that we will need to wait for a court decision. And it will be really interesting, as it will impact all analytics solutions that exist.

But that doesn't change the fact that cookie lifespan/persistence is not a factor in GDPR. I just wanted to point it out, so you guys don't implement something that's not really necessary into the official GDPR module. There's no need to change tb cookie to session, as it doesn't change anything. It definitely won't make thirtybees more GDPR compliant.

Posted

@datakick said in PGRD Compliancy Module:

@traumflug said in PGRD Compliancy Module:

Persistent cookies are considered to be personal data for their sheer existence. It doesn’t matter what’s inside.

This is nonsense. Show me where, in the GDPR text, is this written.

It's written here: http://ec.europa.eu/ipg/basics/legal/cookies/indexen.htm#section2

The ePrivacy directive [...] requires prior informed consent for storage or for access to information stored on a user's terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.

And then a couple of exemptions are noted. Common to all those exemptions: they're not persistent.

The reason why a persistent cookie is personal information regardless of its content is simple: it's stored on the user's PC and sent on subsequent visits. In your example this means, if the server finds a cookie which sets the theme, it sees "Hey, this user was here earlier".

If your theme doesn't use such cookies maliciously it's entirely fine, still you have to ask for consent. Or use session cookies.

Posted

@datakick said in PGRD Compliancy Module:

Basically, any collected information that can be used to identify a natural person is subject to GDPR.

That's true, and that's exactly the reason why any such collection needs user consent.

Simple message: don't collect.

Posted

@traumflug said in PGRD Compliancy Module:

It’s written here: http://ec.europa.eu/ipg/basics/legal/cookies/indexen.htm#section2

That link is not GDPR law. I don't care about that. The text of GDPR - Regulation (EU) 2016/679 is here. Now, where in this text is any mention about cookie persistence, etc?

Posted

The link you have provided describes requirements for content published on Europa website. I'm sure these requirements meet all the European laws (cookie law, gdpr law, etc...). But that does not mean these requirements are the law. It's basically just a 'company policy', a policy that is more tough than necessary.

When we are talking about GDPR, we should stick to the text of GDPR law. So once again, where in the actual law is written that "Persistent cookies are considered to be personal data"?

It's really a rhetorical question. We clearly don't see eye to eye on this matter, so it's indeed moot to continue this conversation. I'm very frightened, though. I really hope you guys don't strip all the important features from the tb platform, and render it unusable for merchants.

Posted

@datakick said in PGRD Compliancy Module:

The link you have provided describes requirements for content published on Europa website. I'm sure these requirements meet all the European laws (cookie law, gdpr law, etc...). But that does not mean these requirements are the law. It's basically just a 'company policy', a policy that is more tough than necessary.

When we are talking about GDPR, we should stick to the text of GDPR law. So once again, where in the actual law is written that "Persistent cookies are considered to be personal data"?

It's really a rhetorical question. We clearly don't see eye to eye on this matter, so it's indeed moot to continue this conversation. I'm very frightened, though. I really hope you guys don't strip all the important features from the tb platform, and render it unusable for merchants.

I think you're right, on the same page I can see: "EUROPA websites must follow the Commission's guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily."

Posted

When we are talking about GDPR, we should stick to the text of GDPR law.

You can do that in a forum for lawyers. Laws always have to be interpreted and if you think you can do this interpretation better than actual lawyers, that's pretty bold.

For my part I'll stick to how independent/neutral lawyers interpret this law. Especially if such an interpretation follows simple logic more than some personal interpretation. Above I've shown you how persistent cookies can be used to track visitors, you ignore this totally.
