
Gdpr - upcoming law for European merchants

06-07-2018, 05:31 AM
Triple A Racing

Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028

Re: Gdpr - upcoming law for European merchants

After some more testing in our Dev Store, what's become clear (to us anyway) is this:

1) The free XC5 GDPR Module will work when installed on its own yes, but... it has compromised functionality. A little reminiscent of a Chocolate Fireguard...

2) Using just the XC5 GDPR Module, the cookie-pop up on/off switch in settings is ineffective i.e. It serves no purpose whatsoever, because it does not function. Cookie pop-ups are always displayed regardless.

3) If the XC5 GDPR Module is installed AND the free XC Geolocation Module is installed, then the XC5 GDPR Module cookie-pop up on/off switch in settings does (finally) begin to function-ish

4) However, this is subject to: a) ensuring that the Display location select widget is switched on in the settings section of the XC5 Geolocation Module AND b) selecting each country that a cookie pop-up is desired for (otherwise cookie pop-ups will not be displayed at any time, regardless of the cookie-pop up on/off switch in settings of the XC5 GDPR Module in our example testing...)

Further to 4) above, obviously, it is only countries that are enabled as "live" within XC Admin (Countries, states, zones) that physically appear within the widget provided drop down box and are then selectable for Yes to a cookie-pop up status... The normal GDPR notifications / tick boxes are applied to any country by default by the XC5 GDPR Module at present unfortunately...with no way of altering that at all, within settings in the XC5 GDPR Module.

This is effectively what we referred to when we previously said "...If you must use Module A just to make Module B work, that's a clear example of why Module A is far from ideal and could be better prepared surely?" and which @cflsystems commented on in POST #148 in this very thread.

We don't have XC4 anymore, so can't accurately comment on what the GDPR setup is like there, but from posts in this thread where people are using it, it does appear to be a lot more configurable when used on its own, not dependent on additional XC4 'add-ons' in order to function correctly (It appears to be PHP module dependent yes, but that's easy by comparison and free...).

Our current feeling is that XC5 GDPR Module is not finished yet and/or suitable for accurate configuration by XC5 Admin in its current state. It is dependent on the XC Geolocation Module being installed (which is a major own-goal we think) and this additional module is pure comedy (we think) when the costs of maintaining/updating the module's accuracy are also factored in. Have a quick look at these COSTS from Maxmind... Really? That's feeling like the aforementioned Module C to us

Disappointing that XC5 appears to be way behind XC4 in making this functionality available, easily configurable and fit for purpose via a solo "add-on". Maybe this particular module can be re-designed soon, so that all those XC5 storeowners who have no need or desire to run any additional, cash-cow-style modules, just to achieve functionality, will have free choice not to do so? Harsh but fair we think
Dev Store & Live Store XC Business
Server; Ubuntu 22.04.2 LTS (HWE Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
06-08-2018, 07:51 PM
KevTheIrish

Advanced Member
Join Date: Feb 2018
Posts: 50

Re: Gdpr - upcoming law for European merchants

Perhaps a better way of doing the checkbox would be once a customer selects an EU country as their shipping or billing address, then the consent box appears?
n0000b rockin
06-08-2018, 09:25 PM
Triple A Racing

Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028

Re: Gdpr - upcoming law for European merchants

Originally Posted by KevTheIrish
Perhaps a better way of doing the checkbox would be once a customer selects an EU country as their shipping or billing address, then the consent box appears?
Is not as simple as that

If the 'customer' is from an EU country, but, creates an account, using ONLY their e-mail address and a password (which is the default XC5 setup and does work well) then (technically) GDPR has already been compromised, if..... all the correct consent notifications / get out of jail free cards with regard to cookies, have not already been provided to that customer. Would love to see a successful court case on that issue; The EU V XC5 and its unidentifiable visitor... but technically it is a '...failure to comply'

This is why when using the XC GDPR module on its own, there is no way to switch off the cookies pop-up warning (see our previous post and more below) It's a #Scattergun #CoverAll approach which is, in theory GDPR compliant, in terms of advance consent notifications / get out of jail free cards for cookies. It's explained (but in poor English unfortunately but...) on THIS XC blog page, as follows (extract):

3) The cookie popup
The addon settings allow disabling the cookie popup at all or showing it only for customers from particular countries only. You’ll need the Geolocation addon for it.

Which equates to; the customer's physical "country" is unknown at that point, so unless there is some form of tandem ID tracing (e.g. GeoIP) or some other source of ID / location verification, it's just a pure guess as to which country they are from and so by default, the cookies pop-up can't be switched off...

Your suggestion of the consent notifications / get out of jail free cards etc being dependent on the country that is specified as part of the customer's checkout process is a good one for customers that do place orders. The irony is that XC are clever enough to have done that from the off, but instead, we have the current dog's breakfast / dual module offering, which is what we have summarised in our previous post.

We'll post (and others should) suggestions for a revised module as opposed to any more fault finding of the existing ones shortly.
Dev Store & Live Store XC Business
Server; Ubuntu 22.04.2 LTS (HWE Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
06-09-2018, 03:09 AM
Triple A Racing

Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028

Re: Gdpr - upcoming law for European merchants

XC Team

Here is our suggested "Re-Work" of the free XC5 GDPR Module
It's easier, fully compliant (we think) and is more user friendly / easily configurable than the current module / modules combination that's offered

This is a stand alone module and must NOT be dependent on other modules or third party plug-in items
A chargeable version of this module could offer these interactions c/w greater configurability. That's not within the scope of this 'suggestion' post however

Cookie Pop-Up Warning / Consent Note

1) The cookie pop-up warning / consent note option, must function directly from the on/off choice, made in settings by the XC5 store owner's administrator

2) Assuming that this is a single module (see above) then this setting can only be generic i.e. not country specific in the free module version. Country specific options could be offered in the chargeable version if the correct interactions are applied with another module / third party source

3) The cookie pop-up warning / consent note must be an easily identified XC5 label, which the XC5 store owner's administrator, can edit themselves within XC5 (like other labels)

Account Warning / Consent Note

1) Assuming that this is a single module (see above) then this setting can only be generic i.e. not country specific in the free module version. Country specific options could be offered in the chargeable version if the correct interactions are applied with another module / third party source

2) The account warning / consent note wording must be an easily identified XC5 label, which the XC5 store owner's administrator, can edit themselves within XC5 (like other labels)

3) The account warning / consent note MUST be a different warning / consent note than the warning / consent note utilised at checkout. That means TWO different XC5 labels are required. These two areas are not the same (actions carried out within them may not be the same) so the notes must be separate and different than each other, hence the requirement for two tables not one shared label, as is currently provided

4) The delete note / forget me note however (the one that is displayed, once the warning / consent note has been accepted) CAN be the same and can be used for both Account and Checkout areas. The required wording can be generic and easy to apply to both. This must also be an easily identified XC5 label, which the XC5 store owner's administrator, can edit themselves within XC5 (like other labels)

Checkout Warning / Consent Note

1) Assuming that this is a single module (see above) then this setting must be country specific by default

2) The single module checkout warning / consent note, can be made country specific site without needing an additional module or IP checks or any other third party plug-ins

3) XC5 customers must choose a country (i.e. a "live" country in XC5 admin terms) as part of their order's delivery address requirements. Obviously this is a mandatory choice and not just an option. All "live" countries are provided within a drop down list in XC5 and customers must choose from this list or they cannot submit an order. This is a customer selected country from a defined list. It is not automatic IP address location query return. The two are different

4) The single module checkout warning / consent note, can be made country specific, by deriving its display option (Yes or No) directly from the current list of countries, that have been deemed as "Live" and appropriately setup previously, by the XC5 store owner's administrator (see 2 above). In simple terms, when the customer chooses a country for their delivery address, their selection will (or will not - depending on both the country and the XC5 storeowners advance administrative work!) force the display of the checkout warning / consent note BEFORE the order can proceed or not proceed (if for example the customer refuses to tick the box adjacent to the checkout warning / consent note). It's a similar process to the dynamic shipping integration that already exists in XC5

The setting for checkout warning / consent note (Yes or No) can be made via a drop down box / multi selectable XC5 widget, very similar to the one already provided when using the two current, separate XC5 modules, but in that case it's used for country specific cookie pop-up selection only (by IP) in XC5

That's it. It's simple, effective, compliant but easy to customise and use. Cue a long list of XC objections / faults / corrections / additions / reasons why it can't be done. But it is what it is. For XC5 storeowners who want even more bells & whistles and/or even more customisation options, then a chargeable module alternative would be the real world option. If you are one of these, then get involved with XC soon and share your ideas / preferences with them

The current XC5 free GDPR module has already been assessed (previous posts). The suggestions in this post are only in relation to a re-worked XC5 free GDPR single module. This post is not about any future additional XC5 chargeable GDPR single module or modules and does not relate to XC4 at all.
Dev Store & Live Store XC Business
Server; Ubuntu 22.04.2 LTS (HWE Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
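
The re-work suggested in the post above, written out as an added JavaScript example (not X-Cart code and not from the poster). The settings object, function names and label texts are assumptions; the sample settings are constructed.

```javascript
// Added example. All names are hypothetical; this is not X-Cart code.
// Constructed sample settings, as a store administrator might save them.
const settings = {
  cookiePopupEnabled: false, // generic on/off switch, honoured directly
  labels: {                  // each note is a separately editable label
    cookiePopup: "This site uses cookies.",
    accountConsent: "I consent to my account data being stored.",
    checkoutConsent: "I consent to my order data being processed.",
    forgetMe: "You can ask us to delete your data at any time.",
  },
  liveCountries: ["GB", "DE", "FR", "US"],      // selectable at checkout
  checkoutConsentCountries: ["GB", "DE", "FR"], // admin multi-select
};

// Reject settings the suggestion rules out: consent countries that are not
// live, or one shared label for the account and checkout notes.
function validateSettings(s) {
  const errors = [];
  for (const c of s.checkoutConsentCountries) {
    if (!s.liveCountries.includes(c)) errors.push(`not a live country: ${c}`);
  }
  if (s.labels.accountConsent === s.labels.checkoutConsent) {
    errors.push("account and checkout notes must be different labels");
  }
  return errors;
}

// The pop-up depends only on the admin switch, never on visitor location.
function showCookiePopup(s) {
  return s.cookiePopupEnabled === true;
}

// Decide from the customer-selected delivery country (no IP lookup) whether
// the checkout note must be shown, and with which label.
function checkoutConsent(s, country) {
  if (!s.liveCountries.includes(country)) {
    return { valid: false, required: false, label: null };
  }
  const required = s.checkoutConsentCountries.includes(country);
  return { valid: true, required, label: required ? s.labels.checkoutConsent : null };
}

// Gate run again when the order is submitted, so the decision does not rest
// on what the page happened to display.
function canSubmitOrder(s, order) {
  const c = checkoutConsent(s, order.deliveryCountry);
  if (!c.valid) return { ok: false, reason: "country_not_live" };
  if (c.required && order.consentTicked !== true) {
    return { ok: false, reason: "consent_required" };
  }
  return { ok: true, reason: null };
}
```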
06-09-2018, 05:23 AM
cflsystems

Join Date: Apr 2007
Posts: 14,195

Re: Gdpr - upcoming law for European merchants

So GDPR says you have to get consent from EU customers. If you use any way of identifying where any customer is coming from (country specific based on IP location) without first asking this customer if it is ok to do that - isn't this technically a breach?

The fact is in order to show message/save cookies for particular group of customers only you have to identify them first. While the IP may not be considered personal info it is still something that is tied to particular customer or his/her location.

This basically forces every site to show consent yes/no to all customers in order to get permission for any further cookies/tracking.

At least this is how it looks like to me
Steve Stoyanov
Web Development
06-09-2018, 06:33 PM
Triple A Racing

Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028

Re: Gdpr - upcoming law for European merchants

Originally Posted by cflsystems
So GDPR says you have to get consent from EU customers. If you use any way of identifying where any customer is coming from (country specific based on IP location) without first asking this customer if it is ok to do that - isn't this technically a breach?
Another reason why we posted our testing review on the current free XC5 GDPR Module (aka the dog's breakfast) and why IP location plays no part whatsoever within the suggestions that we then posted for a re-worked version of the free XC5 GDPR Module
Originally Posted by cflsystems
The fact is in order to show message/save cookies for particular group of customers only you have to identify them first. While the IP may not be considered personal info it is still something that is tied to particular customer or his/her location. This basically forces every site to show consent yes/no to all customers in order to get permission for any further cookies/tracking
Yep, we've included this factor within the suggestions we posted. i.e. by default, the cookie pop-up warning / consent note is shown to all visitors BUT it can be completely switched off by XC admin (unlike with the current free XC5 GDPR Module when used on its own...)

There still has to be this freedom of choice for store owners and their approach. It's NOT an Orwellian XC1984 that we're all using
Dev Store & Live Store XC Business
Server; Ubuntu 22.04.2 LTS (HWE Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
06-10-2018, 09:26 PM
kevinrm

Join Date: Aug 2003
Posts: 1,003

Re: Gdpr - upcoming law for European merchants

I changed the wording to sound a bit less invasive to this:

"I consent to the collection and processing of my personal data (Name, address, email, IP address, etc)."

So far it hasn't affected sales and everyone, EU or wherever, sees it and has to click on the box. So far outside of one customer no one seems to care and it doesn't seem to be affecting our USA sales. Basically, it's not turning out to be much of a big deal.

Of course who knows what their next step will be…
X-Cart Live
PHP 7.4.33
5.5.5-10.3.38-MariaDB MariaDB
Apache 2.4
CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT
32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1

The following user thanks kevinrm for this useful post:
ITVV (06-10-2018)
06-10-2018, 10:13 PM
Triple A Racing

Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028

Re: Gdpr - upcoming law for European merchants

Originally Posted by kevinrm
....Of course who knows what their next step will be…
As an XC5 storeowner having tested / used it and presumably, having had the same test (or in your case test and live) results as we have, plus having read all the previous posts in this thread from both us and others, do you think the current free XC5 GDPR Module when used on its own (i.e. without having to use the additional free XC Geolocation Module as well...) is good enough / fit for purpose / doesn't need re-working? Like ours, this would only be an opinion, but it would be good to read it
Dev Store & Live Store XC Business
Server; Ubuntu 22.04.2 LTS (HWE Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
06-11-2018, 12:27 AM
kevinrm

Join Date: Aug 2003
Posts: 1,003

Re: Gdpr - upcoming law for European merchants

The only thing I don't like about it is that it shows up for USA residents when it's unnecessary to show that to them. I have the Geolocation module installed because it works with the multi currency module and that is very important for us. It has no effect with the GDPR module on our installation except for the pop-up, but at checkout EVERYONE has to check that stupid box whether they are in Europe or not. Supposedly there is a php geo module, I looked into installing it and it was a headache and gave up on that.

So outside of having it show up for EU only, I'm fine with the module as it is.
X-Cart Live
PHP 7.4.33
5.5.5-10.3.38-MariaDB MariaDB
Apache 2.4
CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT
32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1

The following user thanks kevinrm for this useful post:
Triple A Racing (06-11-2018)
06-11-2018, 01:54 AM
Triple A Racing

Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028

Re: Gdpr - upcoming law for European merchants

Originally Posted by kevinrm
....So outside of having it show up for EU only, I'm fine with the module as it is.
Thanks @kevinrm for posting your opinion

FWIW We think it's badly designed, poorly thought out and not fit for purpose as a stand-alone module. Being dependent on another module to be of any real use (and allow useful self-configuration) still equates to our 'dog's breakfast' analogy in our opinion. Sledgehammer to crack a nut etc

Good for you that you already have (and use/need elsewhere) the additional free XC Geolocation Module because without that, currently, on its own, the XC GDPR module is pointless. Other XC5 storeowners have no need or desire for this additional module, other than having to use it alongside the XC GDPR module... All of which, XC seem to have conveniently ignored / bypassed / placed in the 'too hard' pile...

Again FWIW, as far as we're aware, there is no 'compliant' way round the cookie pop-up warning for any visitor, regardless of country (e.g. see @cflsystems previous post) but there should be the ability to turn that OFF without needing another module to do so. In our re-work suggestion, we've covered that settings change already

On your final point, the inability to remove the mandatory warning / consent notice at check out for non-affected countries. Yep, it's pure comedy and underlines the lack of planning / sufficient effort that's very clear on this module's "functionality". We have also covered this particular shortfall too, in our re-work suggestions, which you may have noticed and without banging the drum for too long, the re-worked module will work, entirely on its own and... provide the answers to all of these queries / nags / bugs / errors / lack of planning / poor interaction etc It just needs providing - soon!

XC Team step up and be counted please. This module needs a re-work ASAP
Dev Store & Live Store XC Business
Server; Ubuntu 22.04.2 LTS (HWE Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
All times are GMT -8.