CS-CART and implementation of the 'cookie' regulations

How will cs-cart be implementing the need for all EU customers to have a popup or other form of opting out of certain types of cookies, whilst they browse our sites?






In the UK it's been deferred for a year but you still need to show you have a plan of action on how you will be dealing with it.



This to me is a major issue and one that should be brought up on here. When this finally gets passed, any visitor to your site that isn't given the option to opt to having certain cookies disabled will be entitled to sue you.



The full EU directive is below

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF

They don't store anything other than timestamps and session ID in cookies. So there is no sensitive info collected and no need to notify the customer. No names, or other personal information.

[quote name='tbirnseth' timestamp='1311487448' post='118110']

They don't store anything other than timestamps and session ID in cookies. So there is no sensitive info collected and no need to notify the customer. No names, or other personal information.

[/quote]

My understanding of the regulation is that the customer must be notified of any cookie being stored regardless of its content.



There is a lot of confusion over this though. At least half the people I talk to at networking events think it works as you do and the other half think it works like I do.



Knowing the EU the reality is somewhere in the middle.



It would be nice to have a definitive statement from CS-Cart as, even though the regs aren't in place yet, a new web store could get into bother if they bought into non-complying software during the build up period.

Hi,

I am not impacted by the EU regulations, but am wondering what is included in “certain types of cookies”. If CS-CART does not store the “certain types of cookies”, there would be no need for a pop up to opt out. Maybe just a simple block/notice on the appropriate pages that would indicate that only non-regulated cookies are being stored. Obviously, it would not be good to have someone opt out of required cookies in order to have the cart to function. I used to have a FAQ concerning cookies at my site and a statement to indicate that they need to accept cookies or the cart would not add products and the cart would be empty.

Bob

Just seen a piece on the BBC news about this (so there might be a deluge of enquiries regarding this matter).



Any update on the exact definition of what is covered by the new regs?



Does anyone have a link to further info on this?

There is a script here: Google Code Archive - Long-term storage for Google Code Project Hosting. that can be used



John Carroll

Best place for definitive information is here - http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx



As far as I can tell you need to ask permission if you're storing any sort of tracking info (Google analytics) and/or any info that lets you greet the person next time they come to the store. As in the person logging on and staying logged on between sessions.



Cookies that are necessary for the operation of the shop, such as basket contents do not require consents.



It's a shame that we've heard nothing from CS-Cart about this. My old cart provider (CubeCart) released an update to cover this directive a few weeks ago.

I asked CS-Cart Helpdesk about this and I've pasted their reply below. What's interesting me right now is that Amazon.co.uk have nothing on their site that mentions cookies and if they're not worrying about complying then I'm not sure I should be feeling too concerned about it.



“Thank you for your request.



As far as I understand the document, they will not suspend your website if you store some cookies in users' browsers within the first few months of the new policy, so displaying a message about cookie usage in the storefront is enough for now. CS-Cart sets cookies to the visitor's browser in order to distinguish the visitor from other visitors that might browse the site at the same time. By distinguishing the user, CS-Cart preserves his/her settings between storefront pages. For example, if the visitor adds a product to his/her shopping cart, he/she will see the number of products in cart and their cost at every page of the storefront. Without cookies, this would not be possible. I suggest that you should emphasize the fact that without cookies, it is not possible for the online store to “remember” anything about the customer.



Unfortunately, in its current state, CS-Cart stores cookies in the visitor's browser without asking him/her about it. In order to implement “cookieless” operation of the software, it is necessary to modify CS-Cart source code in several places. The “cookieless” mode of operation is planned to be implemented in future versions of CS-Cart. Unfortunately, there is no more detailed information. If you need to implement a cookieless browsing mode in your CS-Cart storefront immediately, I suggest that you should consider our custom development service. Our custom development specialist can explore whether it is possible to change CS-Cart code to meet your requirements and, if possible, can estimate your request. Please let me know if you are interested in it and I will forward your request to our specialist.



Alternatively, you could add an index.html file to the root directory of your CS-Cart installation, with a description of cookies and a link to the storefront (index.php). If the visitor is OK with cookies, he/she will click the link and see the storefront (and receive the cookies). Otherwise, he/she will just close the browser tab.



I hope this explains the situation.



Thank you.”

This works well - http://civicuk.com/cookie-law/configuration

Just so that we can be transparent with all of our customers, are CS-Cart or any CS-Cart developers able to share with us the cookies that CS-Cart use for sessions if possible so that we can list them for our customers. Obviously the main culprit would be google as I can expect many websites are running google analytics code.



Regards

A cookie identifies a user's session ID and the browser passes this to the server's environment each time a page is requested. Generally they are encrypted in some simplistic form that can be handled by the variety of web servers out there.



The user's session holds the user's data related to their authentication (if any) at the site and other session data as the application requires to hold 'state' from page to page.



A session cookie contains no personal information which is what the law (as I understand it) is intended to protect. However, a session ID could be used to access a user's personal information such as their credit card info, etc. if the session is hijacked (or spoofed) during the checkout process.



Cs-cart doesn't utilize (that I'm aware of) any tracking cookies in and of itself.



With the variety of 3rd party javascript tracking that merchants seem to simply cut/paste into their site without any idea of what they are pasting, the issue becomes more a merchant issue and/or a 3rd party issue rather than cs-cart.



Like most security issues (or privacy issues), someone has enabled it to occur, usually introduced through ignorance versus awareness.



So before you trust ANY 3rd party to have access to your user's browser, be sure you completely understand the terms and conditions you agreed to (and by implication are subjecting your users to comply with - usually involuntarily) and exactly what the code you copy/paste is doing. You owe it to your customers.

CS-Cart does use a cookie that remembers the person's logon details and that is one of the types that comes under the regulations though.

@NairdaCart, please identify the cookie you're mentioning. I'm not aware of any code where cs-cart saves user information in a cookie.

With CS-Cart 3 if you login as a customer and check the remember me box the next time you go to the site your name is on the My Account tab. That's listed as one of the things (personal greeting) you must get the users opt-in for under the regulation.

The user checked the box. Isn't that an opt-in?



Also note that only sites resident and subject to the laws of the EU (or UK or whichever regulators are attempting this) are required to comply. Any business outside that governing body is subject to the rules and regulations of their own government/authority.



So while cs-cart may want to make changes to their cart so they can sell to EU customers and have those customers be compliant to EU law, there's no requirement (for instance) for a US based company to do anything and I'd hope that cs-cart would take this into account when they develop (if they develop) a solution.

It could be construed as an opt-in but there is no explanation next to the check box which is another requirement of the regulation. Adding a link next to the box that explains checking it would set a cookie would probably suffice but as it stands at the moment I don't think it complies.



The other cart I use (cubecart) added a simple feature that was switched on/off from the admin control panel to cater for the regulation without affecting non-EU companies.

I think the regulations have changed a little bit. Almost all big webshops have removed the pop-up checkbox and have now just made their cookie regulations more clear.



See http://www.urbanoutfitters.co.uk/help-and-info/cookies/page/cookies/ for a good example. This page has a direct link on the homepage.



Does anybody know which cookies cs-cart exactly uses so we can make something similar?

That's an awful lot of cookies - even marketing cookies shared between websites which is what I thought the new regulations were supposed to ensure you “opted in” for (I hope CS Cart doesn't use anything like this many?).



My previous cart provider issued a statement (which I don't have to hand) but I recall it was along the lines of: “The only cookies used are essential for the operation of the website and are excluded from the regulations. We do not use marketing cookies or share cookie information with third parties”. I don't know if this statement is accurate for CS Cart and if essential cookies are excluded from regulations (although it sounds logical). I would rather not have the customer “opt-in” or make it complicated if we can have just a link to a friendly statement. Is a statement like this possible? - and if so could CS Cart issue one and a list of the cookie names / purpose?



P.S. Picked up a great quote yesterday: “It's not finding a way around regulations, it's finding a way that what you do is not affected by regulations”.

@Flow - just search your browser's cookies for your domain name (assuming you don't have other stuff under your domain other than your cart). There should be about 3 or 4 from cs-cart. If you choose to use Google Analytics, then the _utm* cookies will also be there. Note that any 3rd party application can also set cookies if you use their services. So truly identifying what your site uses would probably require you starting with a fresh browser instance, remove all cookies, login to your site as a customer, go through a normal shopping process, go through and complete checkout (including payment processor) and then view your browser cookies.



cs-cart uses only about 3. Your SID, your login username (if remember me is checked), language and/or localization, and currency settings. But many of these are many times held in the session versus individual cookies.



Search your cart for 'set_cookie' and/or 'COOKIES' and you will find all the instances where cookies are being set by the core-cart code.
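
The cookie audit described in the post above, as an added example (not CS-Cart code and not written by anyone in this thread): it takes Set-Cookie headers captured during a clean-browser walk through the store and lists each cookie's lifetime, origin and flags. Host names, cookie names and values are constructed; cookies written by JavaScript (analytics tags, for instance) never appear in these headers and still need the browser check.

```python
# Constructed sample: (responding host, Set-Cookie header) pairs as they might
# be captured from a fresh browser session. All names and values are invented.
SAMPLE_HEADERS = [
    ("shop.example", "sid_example=0a1b2c3d; path=/; HttpOnly"),
    ("shop.example", "remember_example=alice; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/"),
    ("shop.example", "currency_example=GBP; Max-Age=31536000; path=/"),
    ("tracker.example", "uid=xyz; Max-Age=63072000; Secure"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def inventory(headers, site_host):
    """One row per cookie: who set it, how long it lives, which flags it has."""
    rows = []
    for origin, header in headers:
        name, _value, attrs = parse_set_cookie(header)
        first_party = origin == site_host or origin.endswith("." + site_host)
        # No Expires/Max-Age means the cookie is dropped when the browser closes.
        persistent = "expires" in attrs or "max-age" in attrs
        rows.append({
            "name": name,
            "set_by": origin,
            "third_party": not first_party,
            "lifetime": "persistent" if persistent else "session",
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return rows

def persistent_or_third_party(rows):
    """Cookies that outlive the visit or come from another host."""
    return [r["name"] for r in rows
            if r["lifetime"] == "persistent" or r["third_party"]]

def weak_session_cookies(rows):
    """Session cookies missing Secure or HttpOnly (easier to steal or hijack)."""
    return [r["name"] for r in rows
            if r["lifetime"] == "session" and not (r["secure"] and r["httponly"])]

if __name__ == "__main__":
    for row in inventory(SAMPLE_HEADERS, "shop.example"):
        print(row)
```
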

Thanks! I’ll take care of that this week. I so do not want a warning popup! This would scare away too many people.



Yep, that urban site uses an awful lot of cookies. You’ll notice it after visiting… they’ll keep tracking you forever :)