thirty bees forum

PGRD Compliancy Module


Eolia

A session cookie with a 0 value expires when the browser closes and does not need any consent or blocking, and there is no need to convert the main tb/ps cookie, as the option is there in the back office. But it is mostly preset to 20 days :) I don't need to convert it, as I have had it set that way for a long time already.

I don't have anything from anonymous customers. Most browsers support remembering login credentials, and when a customer logs in, he has his cart available. Once a visitor decides to register, his cart will also be saved :)

@datakick said in PGRD Compliancy Module:

So, the first thing you’ll wanna do is to disable module Data mining for statistics – that will fix this problem. We will lose statistics, though. While we are talking about this, you’ll also need to modify your apache/nginx logging settings, and omit/obfuscate IP addresses from your access/error logs, as this is also a GDPR violation.

What?! And what evidences can we have in case of abuse?

@datakick The cart has already saved item selections, associated with an IP, and has a default address. In addition, PrestaShop never destroys cookies, only the customer object in them, so it is an additional security. Two lawyers approved my choice.

Not to upset your lawyers, but not every lawyer understands how cookies work. Persistent cookies are considered to be personal data for their sheer existence. It doesn't matter what's inside.

Solution: either make it a session cookie, so the browser deletes it after the session, or ask the user for permission to store this cookie. Maybe you do this already, which is why your lawyers agree.

What?! And what evidence can we have in case of abuse [without recorded IP addresses]?

Regarding Apache/Nginx logs and such stuff, recording them for a "limited persistent duration" is explicitly allowed. See http://ec.europa.eu/ipg/basics/legal/cookies/indexen.htm#section2 , 5th bullet point. Which means, just rotating logs fast enough should bring compliance. If IP addresses disappear from logs after a week it should be compliant with GDPR. And to be honest, one doesn't really need logs older than a week for fighting abuse, right?

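
The IP scrubbing the posts above ask for (omitting or obfuscating client addresses in the web server's access logs before the logs are retained), as an added example. This is not code from the thread, from thirty bees or from PrestaShop; it is an illustration written for this page. It assumes Apache/nginx 'combined' log format and an assumed truncation policy (zero the last IPv4 octet, keep only the first 48 bits of an IPv6 address), and the log lines it processes are constructed for the example.

```python
"""Added example (not from the thread, thirty bees or PrestaShop): mask client
IP addresses in Apache/nginx access-log lines so retained logs no longer carry
a full address, while keeping enough of it to spot abuse from one network.
Assumed policy (an assumption, not from the thread): zero the last octet of an
IPv4 address and keep only the first 48 bits of an IPv6 address.
The sample log lines below are constructed for the example."""
import ipaddress
import re

# Apache/nginx 'combined' format starts with the client address, then a space.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")

IPV4_KEEP_BITS = 24   # 203.0.113.42          -> 203.0.113.0
IPV6_KEEP_BITS = 48   # 2001:db8:abcd:1234::1 -> 2001:db8:abcd::


def anonymize_ip(ip_text: str) -> str:
    """Return ip_text with the host-identifying bits zeroed.

    Values that are not addresses (e.g. '-' or a hostname from HostnameLookups)
    are returned unchanged. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, common
    behind dual-stack listeners) are treated as the IPv4 address they carry,
    otherwise the /48 rule would wipe them to '::' and lose the network.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace only the leading client address; the rest of the line is kept."""
    m = LOG_RE.match(line)
    if not m:
        return line
    return f"{anonymize_ip(m.group('ip'))} {m.group('rest')}"


def anonymize_log(lines):
    """Anonymize every line of an access log given as an iterable of strings."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample access log in 'combined' format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [25/May/2018:10:00:01 +0200] "GET /index.php?controller=product&id_product=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [25/May/2018:10:00:02 +0200] "POST /index.php?controller=authentication HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '::ffff:198.51.100.7 - - [25/May/2018:10:00:03 +0200] "GET /img/logo.jpg HTTP/1.1" 200 8812 "-" "curl/7.58.0"',
    'some-host.example - - [25/May/2018:10:00:04 +0200] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Running this as a filter on each rotated log (for instance from a logrotate postrotate hook, with rotation set to a week as the post suggests) gives the "addresses disappear after a week" behaviour; running it in the logging pipeline itself gives "never stored at all". Two caveats a practitioner should keep in mind: error logs and any custom log format that also records X-Forwarded-For carry addresses in other positions, so the regex above would have to be extended for them, and the /24 and /48 prefixes are a policy choice, not something the thread or the GDPR text prescribes.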

@traumflug said in PGRD Compliancy Module:

Persistent cookies are considered to be personal data for their sheer existence. It doesn’t matter what’s inside.

This is nonsense. Show me where, in the GDPR text, is this written.

As a specific example: when I create a persistent cookie that contains theme=light (and I obfuscate/omit IP addresses from nginx/apache logs), how can this be considered personal information? Show me how this cookie could be used to identify a natural person. If you can't, it's not subject to GDPR, even though it's a persistent cookie.

Another example: when I create session cookie that contains email=my@email.com, then every request to my server will contain this cookie. If I collect/process this information on server side in any way, then I've breached GDPR law. It doesn't matter at all that this information was stored in session cookie.

Everyone, please stop with this session/persistent cookies nonsense. Although it's important in cookie law context, it doesn't matter for GDPR.

For GDPR, only cookie content is important. If cookie can be used to identify natural person, either directly or indirectly, it's subject to this law. Otherwise it's not.

Honestly, the truth is until the law is litigated we will not know what is actually required. I know for a point of contention that a ton of people can be identified without one piece of information given, just by machine footprint. I have been following this project for a while, https://amiunique.org/fp

@lesley I agree with you.

Basically, any collected information that can be used to identify a natural person is subject to GDPR.

In this case I'm not sure -- a machine footprint can (to some extent) identify an anonymous visitor, but is it the same as identifying a natural person? I agree that we will need to wait for a court decision. And it will be really interesting, as it will impact all analytics solutions that exist.

But that doesn't change the fact that cookie lifespan/persistence is not a factor in GDPR. I just wanted to point it out, so you guys don't implement something that's not really necessary into the official GDPR module. There's no need to change tb cookie to session, as it doesn't change anything. It definitely won't make thirtybees more GDPR compliant.

@datakick said in PGRD Compliancy Module:

@traumflug said in PGRD Compliancy Module:

Persistent cookies are considered to be personal data for their sheer existence. It doesn’t matter what’s inside.

This is nonsense. Show me where, in the GDPR text, is this written.

It's written here: http://ec.europa.eu/ipg/basics/legal/cookies/indexen.htm#section2

The ePrivacy directive [...] requires prior informed consent for storage or for access to information stored on a user's terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.

And then a couple of exemptions are noted. Common to all those exemptions: they're not persistent.

The reason why a persistent cookie is personal information regardless of its content is simple: it's stored on the user's PC and sent on subsequent visits. In your example this means, if the server finds a cookie which sets the theme, it sees "Hey, this user was here earlier".

If your theme doesn't use such cookies maliciously it's entirely fine, but you still have to ask for consent. Or use session cookies.

The link you have provided describes requirements for content published on Europa website. I'm sure these requirements meet all the European laws (cookie law, gdpr law, etc...). But that does not mean these requirements are the law. It's basically just a 'company policy', a policy that is more tough than necessary.

When we are talking about GDPR, we should stick to the text of GDPR law. So once again, where in the actual law is written that "Persistent cookies are considered to be personal data"?

It's really a rhetorical question. We clearly don't see eye to eye on this matter, so it's indeed moot to continue this conversation. I'm very frightened, though. I really hope you guys don't strip all the important features from the tb platform, and render it unusable for merchants

@datakick said in PGRD Compliancy Module:

The link you have provided describes requirements for content published on Europa website. I'm sure these requirements meet all the European laws (cookie law, gdpr law, etc...). But that does not mean these requirements are the law. It's basically just a 'company policy', a policy that is more tough than necessary.

When we are talking about GDPR, we should stick to the text of GDPR law. So once again, where in the actual law is written that "Persistent cookies are considered to be personal data"?

It's really a rhetorical question. We clearly don't see eye to eye on this matter, so it's indeed moot to continue this conversation. I'm very frightened, though. I really hope you guys don't strip all the important features from the tb platform, and render it unusable for merchants

I think you're right, on the same page I can see: "EUROPA websites must follow the Commission's guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily."

When we are talking about GDPR, we should stick to the text of GDPR law.

You can do that in a forum for lawyers. Laws always have to be interpreted and if you think you can do this interpretation better than actual lawyers, that's pretty bold.

For my part I'll stick to how independent/neutral lawyers interpret this law. Especially if such an interpretation follows simple logic more than some personal interpretation. Above I've shown you how persistent cookies can be used to track visitors, you ignore this totally.
