
CS-CART and implementation of the 'cookie' regulations
Posted 24 July 2011 - 01:44 AM #1
to have a popup or other form of opting out of certain types of
cookies, whilst they browse our sites.
http://www.ft.com/cm...l#axzz1SyzEudFh
In the UK it's been deferred for a year but you still need to show
you have a plan of action on how you will be dealing with it.
This to me is a major issue and one that should be brought up
on here, when this finally gets passed any visitor to your site
that isn't given the option to opt to having certain cookies
disabled will be entitled to sue you.
The full EU directive is below
http://eur-lex.europ...011:0036:En:PDF
Posted 24 July 2011 - 06:04 AM #2
EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.
Posted 28 July 2011 - 12:02 PM #3
My understanding of the regulation is that the customer must be notified of any cookie being stored regardless of its content. They don't store anything other than timestamps and session ID in cookies. So there is no sensitive info collected and no need to notify the customer. No names, or other personal information.
There is a lot of confusion over this though. At least half the people I talk to at networking events think it works as you do and the other half think it works like I do.
Knowing the EU the reality is somewhere in the middle.
It would be nice to have a definitive statement from CS-Cart as, even though the regs aren't in place yet, a new web store could get into bother if they bought into non-complying software during the build up period.
Posted 28 July 2011 - 01:22 PM #4
I am not impacted by the EU regulations, but am wondering what is included in "certain types of
cookies". If CS-CART does not store the "certain types of cookies", there would be no need for a pop up to opt out. Maybe just a simple block/notice on the appropriate pages that would indicate that only non-regulated cookies are being stored. Obviously, it would not be good to have someone opt out of required cookies in order to have the cart to function. I used to have a FAQ concerning cookies at my site and a statement to indicate that they need to accept cookies or the cart would not add products and the cart would be empty.
Bob
Version CS-Cart 4.3.5
Posted 25 May 2012 - 07:03 AM #5
Any update on the exact definition of what is covered by the new regs?
Does anyone have a link to further info on this?
Posted 30 May 2012 - 01:12 PM #7
As far as I can tell you need to ask permission if you're storing any sort of tracking info (Google analytics) and/or any info that lets you greet the person next time they come to the store. As in the person logging on and staying logged on between sessions.
Cookies that are necessary for the operation of the shop, such as basket contents, do not require consent.
It's a shame that we've heard nothing from CS-Cart about this. My old cart provider (CubeCart) released an update to cover this directive a few weeks ago.
Posted 07 June 2012 - 10:19 PM #8
"Thank you for your request.
As far as I understand the document, they will not suspend your website if you store some cookies in users' browsers within the first few months of the new policy, so displaying a message about cookie usage in the storefront is enough for now. CS-Cart sets cookies to the visitor's browser in order to distinguish the visitor from other visitors that might browse the site at the same time. By distinguishing the user, CS-Cart preserves his/her settings between storefront pages. For example, if the visitor adds a product to his/her shopping cart, he/she will see the number of products in cart and their cost at every page of the storefront. Without cookies, this would not be possible. I suggest that you should emphasize the fact that without cookies, it is not possible for the online store to "remember" anything about the customer.
Unfortunately, in its current state, CS-Cart stores cookies in the visitor's browser without asking him/her about it. In order to implement "cookieless" operation of the software, it is necessary to modify CS-Cart source code in several places. The "cookieless" mode of operation is planned to be implemented in future versions of CS-Cart. Unfortunately, there is no more detailed information. If you need to implement a cookieless browsing mode in your CS-Cart storefront immediately, I suggest that you should consider our custom development service. Our custom development specialist can explore whether it is possible to change CS-Cart code to meet your requirements and, if possible, can estimate your request. Please let me know if you are interested in it and I will forward your request to our specialist.
Alternatively, you could add an index.html file to the root directory of your CS-Cart installation, with a description of cookies and a link to the storefront (index.php). If the visitor is OK with cookies, he/she will click the link and see the storefront (and receive the cookies). Otherwise, he/she will just close the browser tab.
I hope this explains the situation.
Thank you."
Posted 15 June 2012 - 04:49 PM #10
Regards
Posted 16 June 2012 - 03:53 AM #11
The user's session holds the user's data related to their authentication (if any) at the site and other session data as the application requires to hold 'state' from page to page.
A session cookie contains no personal information which is what the law (as I understand it) is intended to protect. However, a session ID could be used to access a user's personal information such as their credit card info, etc. if the session is hijacked (or spoofed) during the checkout process.
Cs-cart doesn't utilize (that I'm aware of) any tracking cookies in and of itself.
With the variety of 3rd party javascript tracking that merchants seem to simply cut/paste into their site without any idea of what they are pasting, the issue becomes more a merchant issue and/or a 3rd party issue rather than cs-cart.
Like most security issues (or privacy issues), someone has enabled it to occur, usually introduced through ignorance versus awareness.
So before you trust ANY 3rd party to have access to your user's browser, be sure you completely understand the terms and conditions you agreed to (and by implication are subjecting your users to comply with - usually involuntarily) and exactly what the code you copy/paste is doing. You owe it to your customers.
Posted 16 June 2012 - 08:40 AM #12
Posted 16 June 2012 - 08:43 PM #13
Posted 13 July 2012 - 08:12 PM #14
Posted 13 July 2012 - 08:50 PM #15
Also note that only sites resident and subject to the laws of the EU (or UK or whichever regulators are attempting this) are required to comply. Any business outside that governing body is subject to the rules and regulations of their own government/authority.
So while cs-cart may want to make changes to their cart so they can sell to EU customers and have those customers be compliant to EU law, there's no requirement (for instance) for a US based company to do anything and I'd hope that cs-cart would take this into account when they develop (if they develop) a solution.
Posted 14 July 2012 - 08:52 AM #16
The other cart I use (cubecart) added a simple feature that was switched on/off from the admin control panel to cater for the regulation without affecting non-EU companies.
Posted 14 July 2012 - 02:15 PM #17
See http://www.urbanoutf...s/page/cookies/ for a good example. This page has a direct link on the homepage.
Does anybody know which cookies cs-cart exactly uses so we can make something similar?
When life hands you lemons, bring on the Tequila baby!
Posted 14 July 2012 - 03:07 PM #18
My previous cart provider issued a statement (which I don't have to hand) but I recall it was along the lines of: "The only cookies used are essential for the operation of the website and are excluded from the regulations. We do not use marketing cookies or share cookie information with third parties". I don't know if this statement is accurate for CS Cart and if essential cookies are excluded from regulations (although it sounds logical). I would rather not have the customer "opt-in" or make it complicated if we can have just a link to a friendly statement. Is a statement like this possible? - and if so could CS Cart issue one and a list of the cookie names / purpose?
P.S. Picked up a great quote yesterday: "It's not finding a way around regulations, it's finding a way that what you do is not affected by regulations".
Posted 14 July 2012 - 04:45 PM #19
cs-cart uses only about 3. Your SID, your login username (if remember me is checked), language and/or localization, and currency settings. But many of these are many times held in the session versus individual cookies.
Search your cart for 'set_cookie' and/or 'COOKIES' and you will find all the instances where cookies are being set by the core-cart code.
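The search suggested in post #19 can be scripted so the result doubles as a cookie inventory for a storefront notice. This is an added example, not part of the original thread and not CS-Cart code: it greps a source tree for the two strings named in the post plus PHP's built-in `setcookie()` and `$_COOKIE` (additions made here), and extracts literal cookie names where it can. The sample tree, the helper name `example_set_cookie` and the cookie names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The two search strings from the post, plus PHP's built-in setcookie() and the
# $_COOKIE superglobal (those two are additions made for this example).
PATTERNS = {
    "set_cookie": re.compile(r"set_cookie\s*\("),
    "COOKIES": re.compile(r"COOKIES"),
    "setcookie": re.compile(r"(?i:\bsetcookie\s*\()"),
    "$_COOKIE": re.compile(r"\$_COOKIE\b"),
}
# A quoted first argument or array key is the cookie name; a variable is not.
NAME = re.compile(r"(?:(?i:set_?cookie)\s*\(\s*|\$_COOKIE\[\s*)(['\"])([^'\"]+)\1")

def audit_cookies(root, extensions=(".php", ".tpl", ".js")):
    """Return (relative_path, line_no, matched_labels, cookie_name_or_None) rows."""
    rows = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in extensions:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            labels = tuple(k for k, rx in PATTERNS.items() if rx.search(line))
            if labels:
                m = NAME.search(line)
                # None means the name is built at run time: review by hand.
                rows.append((path.relative_to(root).as_posix(), line_no,
                             labels, m.group(2) if m else None))
    return rows

def build_sample_tree(root):
    """Constructed sample files; the function and cookie names are hypothetical."""
    root = Path(root)
    (root / "core").mkdir()
    (root / "core" / "session.php").write_text(
        "<?php\nexample_set_cookie('sid_customer', $sid, $ttl);\n"
        "setcookie($name, $value);\n")
    (root / "addons").mkdir()
    (root / "addons" / "tracker.php").write_text(
        "<?php\nif (isset($_COOKIE['visitor_ref'])) { $ref = 1; }\n"
        "define('COOKIES_TTL', 3600);\n")
    (root / "readme.txt").write_text("set_cookie( appears here; .txt is skipped\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in audit_cookies(tmp):
            print(row)
```

Rows whose name is `None` are the ones to trace by hand, and cookies set by pasted third-party JavaScript at run time will not appear in a source scan at all.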
Posted 14 July 2012 - 04:51 PM #20
Yep, that urban site uses an awful lot of cookies. You'll notice it after visiting.. they'll keep tracking you forever