Discussion:
Cookie Consent In E-Commerce
Deepak Nigam
2018-10-31 12:11:28 UTC
Hello All,

The Cookie Law is a piece of privacy legislation that requires websites to
get consent from visitors to store or retrieve any information on their
computer, smartphone or tablet. It was designed to protect online privacy,
by making consumers aware of how information about them is collected and
used online, and give them a choice to allow it or not.

The EU Cookie Legislation began as a directive from the European Union.
Some variation on the policy has since been adopted by all countries within
the EU.

The EU Cookie Legislation requires 4 actions from website owners who use
cookies:
1. When someone visits your website, you need to let them know that your
site uses cookies.
2. You need to provide detailed information regarding how that cookie data
will be utilized.
3. You need to provide visitors with some means of accepting or refusing
the use of cookies in your site.
4. If they refuse, you need to ensure that cookies will not be placed on
their machine.

For more information about EU cookie policy, please visit here
<http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.

As this crucial feature is missing in the OFBiz E-Commerce application, we
should work towards its implementation. There are numerous open-source
jQuery plugins available which we can use. Thoughts?


Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.
Benjamin Jugl
2018-10-31 13:05:32 UTC
Hello all,

just before you go in head over heels, please consider the following:

"However, some cookies are exempt from this requirement. Consent is
not required if the cookie is:

* used for the sole purpose of carrying out the transmission of a
communication, and
* strictly necessary in order for the provider of an information
society service explicitly required by the user to provide that
service.

Cookies clearly exempt from consent according to the EU advisory
body on data protection- WP29pdf
<http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf> include:

* *user‑input* cookies (session-id) such as first‑party cookies to
keep track of the user's input when filling online forms,
shopping carts, etc., for the duration of a session or
persistent cookies limited to a few hours in some cases
* *authentication* cookies, to identify the user once he has
logged in, for the duration of a session
* *user‑centric security* cookies, used to detect authentication
abuses, for a limited persistent duration
* *multimedia content player* cookies, used to store technical
data to play back video or audio content, for the duration of a
session
* *load‑balancing* cookies, for the duration of session
* *user‑interface customisation* cookies such as language or font
preferences, for the duration of a session (or slightly longer)
* *third‑party social plug‑in content‑sharing* cookies, for
logged‑in members of a social network."

(http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)

Does OFBiz even set other cookies? If yes, for what are they needed?

Kind regards, Benjamin Jugl
Jacques Le Roux
2018-10-31 15:32:50 UTC
Thanks Deepak, Benjamin,

We are indeed only concerned by the ecommerce webapps (both ecommerce and ecomse). They are the only ones that are public. The backend applications should not
be concerned.

Actually, in ecommerce webapps, we use technical cookies: JSSESSIONID, possibly cookie.domain and maybe jstree* ones. I believe they all fall in the
exempt cases.

With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as
autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.

I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They inherently
do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue as is,
because AFAIK we use only first‑party cookies[1] but the problem seems to be their durations: one year.

[1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies

Jacques
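
An added example, not part of the thread and not OFBiz code: a small audit that reads `Set-Cookie` headers, separates session cookies from persistent ones, and flags persistent cookies whose lifetime exceeds a reviewer-chosen limit, which is the distinction the message above draws. The header values, the `lang` cookie and the 24-hour limit are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers: cookie names follow the thread (plus a hypothetical
# "lang"); values and attributes are illustrative, not captured from OFBiz.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3.jvm1; Path=/ecommerce; Secure; HttpOnly",
    "securedLoginId=demo; Path=/ecommerce; Secure",
    "autoUserLoginId=demo; Max-Age=31536000; Path=/ecommerce",
    "OFBiz.Visitor=10000; Expires=Thu, 31 Oct 2019 15:32:50 GMT; Path=/",
    "lang=en; Max-Age=3600; Expires=Thu, 31 Oct 2019 15:32:50 GMT; Path=/",
]

def cookie_lifetime(header, now):
    """Return (name, lifetime_seconds); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if "max-age" in attrs:
        try:
            return name, max(int(attrs["max-age"]), 0)
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, None  # unparseable date: attribute ignored, session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, max(int((expires - now).total_seconds()), 0)
    return name, None

def audit(headers, now, max_persistent_seconds):
    """Map cookie name -> 'session', 'persistent-ok' or 'review'."""
    report = {}
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if lifetime is None:
            report[name] = "session"
        elif lifetime <= max_persistent_seconds:
            report[name] = "persistent-ok"
        else:
            report[name] = "review"  # long-lived identifier: needs a decision
    return report

if __name__ == "__main__":
    now = datetime(2018, 10, 31, 15, 32, 50, tzinfo=timezone.utc)
    for name, verdict in audit(SAMPLE_HEADERS, now, 24 * 3600).items():
        print(f"{name:18} {verdict}")
```
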
Deepak Nigam
2018-11-01 09:32:53 UTC
Thanks, Benjamin, Jacques.

Definitely, we will move forward only after studying OFBiz cookies in
depth. I just put forward the initial thought that came to my mind.



Deepak Nigam
2018-11-05 04:43:17 UTC
FYI, here is the Jira ticket
<https://issues.apache.org/jira/browse/OFBIZ-10639> for further discussion
and research.