Gdpr - upcoming law for European merchants

elmirage001 · #31 04-10-2018, 03:45 PM

As a US business with 97% of our sales to non EU countries it's not worth our time to try to become compliant with GDPR. I've also been monitoring to see if there were any exemptions to small mom & pop businesses and have not found any.

Here is a good page to read - https://www.compliancejunction.com/gdpr-for-us-companies/

We are going to opt out of GDPR and stop selling to EU countries. Step 1 is to uncheck all EU countries and the UK. But this still allows existing EU customers to place orders. At least in 4.6.6. Step 2 is to send EU customers to my GDPR Policy page whenever they click on the cart or checkout pages.

In cart.php around line 640

After:

Code:

// Update minicart
x_load('minicart');
$smarty->assign(func_get_minicart_totals());

Add:

Code:

//  GDPR - Send EU customers to GDPR static policy page

    $gdpr = "false";
    $eu_country  = Array('AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB');
    
    foreach ($eu_country as $eu_test) {
        if (($eu_test == $userinfo['s_country']) or ($eu_test == $userinfo['b_country'])) {
            $gdpr = "true";
        }    
    }
    
    if ($gdpr == "true") {
        header("Location: https://mydomain.com/gdpr-policy.html");
        exit;
    }
    
// / GDPR

As I'm no where near an expert with php in x-cart I welcome those of you who are to test & post a better solution.

Use at your own risk

Paul

Triple A Racing · #32 04-10-2018, 05:39 PM

Meanwhile... If you're looking for GPDR leading role models, then look no further than ICANN because they will be completely ready... surely?

ITVV · #33 04-13-2018, 06:43 AM

Looks like Google are not opting out of GDPR

Have a read: -

Quote:

Dear Google Analytics Administrator,

Over the past year we've shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).

Product Updates
Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.

Action: Please review these data retention settings and modify as needed.

Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.

As always, we remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.

Contract And User Consent Related Updates

Contract changes
Google has been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.

In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.
• For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin ➝ Account Settings).
• For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
• If you don’t contract with Google for your use of our measurement products, you should seek advice from the parties with whom you contract.

Updated EU User Consent Policy

Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google's EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.

Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.

Find Out More

You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms.

We will continue to share further information on our plans in the coming weeks and will update relevant developer and help center documentation where necessary.

Thanks,

The Google Analytics Team

I'll get my coat...

Kind regards

ITVV

cflsystems · #34 04-13-2018, 07:37 AM

For companies like Google, FB, Microsoft, etc which are international companies and have offices all over the worlds is impossible to opt out of this. Google has offices in EU so at the very least their EU business has to comply.

In this essence if your site is running Google Analytics for example, which will collect visitors data regardless of if you do business with EU or not, you have to comply.
If you have FB Like or Share on the site - you have to comply.

These scripts collect visitors data just by browsing your site, or interact with the feature, so disabling EU countries so visitors cannot purchase is not enough. ( post 31 elmirage001 )

kevinrm · #35 04-13-2018, 07:41 AM

Google, XYZ, ABC inc, that has an actual presence in Europe will not be able to opt out because, well, they're in Europe and thus have to. I can't see Google bailing out of Europe.

A small non-Europe based internet shop that has no presence whatsoever in the EU, who's owner is not a EU citizen, and happens to have Europeans visiting their sites online and making purchases cannot be forced to comply with the laws of some foreign land just because it's rulers dictate so - it doesn't work like that.

It's possible they might coerce the payment processing systems to force their customers to comply. Kind of like how the US government forces foreign banks to turn over all tax info about it's US customers abroad. Until it gets to that point, I won't really be going out of my way to comply with this thing.

ITVV · #36 04-13-2018, 07:53 AM

Just for the record, I do indeed know that Google has a European presence

I was being 'Tongue in cheek'

My point is that this whole GDPR issue has far reaching effect.

As Steve has pointed out: -

Quote:

In this essence if your site is running Google Analytics for example, which will collect visitors data regardless of if you do business with EU or not, you have to comply.
If you have FB Like or Share on the site - you have to comply.

These scripts collect visitors data just by browsing your site, or interact with the feature, so disabling EU countries so visitors cannot purchase is not enough. ( post 31 elmirage001 )

How on earth are companies thinking that they can "opt out" just because they don't like the idea? The likes of Google and FB have you trapped into having to comply!

Just saying...

I have now got my coat and hat on...

Regards

ITVV

elmirage001 · #37 04-13-2018, 07:54 AM

Quote:

Originally Posted by cflsystems

For companies like Google, FB, Microsoft, etc which are international companies and have offices all over the worlds is impossible to opt out of this. Google has offices in EU so at the very least their EU business has to comply.

In this essence if your site is running Google Analytics for example, which will collect visitors data regardless of if you do business with EU or not, you have to comply.
If you have FB Like or Share on the site - you have to comply.

These scripts collect visitors data just by browsing your site, or interact with the feature, so disabling EU countries so visitors cannot purchase is not enough. ( post 31 elmirage001 )

Thank you Steve for the info! I was in the process of reading the email I receive from Google. We are fortunate that we dominate our niche and don't rely on FB and haven't looked at GA in many months. We do spend time on SEMRUSH every day.

cflsystems · #38 04-13-2018, 08:09 AM

I very much support the "close your FB account" movement

Keep in mind though it is not only Analytics. If you run Google AdWords and they are targeting EU, if you have FB OpenGraph on the site, or Instagram... All these are traps to collect visitors info and it has always been your responsibility to inform visitors about this.

@ITVV - don't forget to put on shoes

ITVV · #39 04-13-2018, 08:11 AM

@cflsystems

I knew that I had forgotten something

Kind regards

ITVV

voodoo1967 · #40 04-13-2018, 11:14 AM

Quote:

Originally Posted by cflsystems

I very much support the "close your FB account" movement

Keep in mind though it is not only Analytics. If you run Google AdWords and they are targeting EU, if you have FB OpenGraph on the site, or Instagram... All these are traps to collect visitors info and it has always been your responsibility to inform visitors about this.

@ITVV - don't forget to put on shoes

Steve you can inform visitors vis the usual cookies info and put in your Terms&Conditions etc.

Technically that FB data / Analytics data is stored on Google / FB servers, so as long as they are GDPR compliant and secure etc - then you should be ok on that front.

Ive spoken to the Information Commissioners Office in the UK and they are very friendly re GDPR, they acknowledge people may make mistakes etc - and it wil take a while to bed in. As long as you can show you have reasonable steps etc - they are more than happy to tell what you need do to get compliant - that's as far as UK businesses are concerned anyway.

What will be interesting is that the US govt think they will have jurisdiction when it comes to Google. That is - there is data on a Google server in Ireland, the US want to see that data etc - that will be an interesting outcome