Cookie Consent In E-Coomerce

> Hello All,
>
> The Cookie Law is a piece of privacy legislation that requires websites to
> get consent from visitors to store or retrieve any information on their
> computer, smartphone or tablet. It was designed to protect online privacy,
> by making consumers aware of how information about them is collected and
> used online, and give them a choice to allow it or not.
>
> The EU Cookie Legislation began as a directive from the European Union.
> Some variation on the policy has since been adopted by all countries within
> the EU.
>
> The EU Cookie Legislation requires 4 actions from website owners who use
> cookies:
> 1. When someone visits your website, you need to let them know that your
> site uses cookies.
> 2. You need to provide detailed information regarding how that cookie data
> will be utilized.
> 3. You need to provide visitors with some means of accepting or refusing
> the use of cookies in your site.
> 4. If they refuse, you need to ensure that cookies will not be placed on
> their machine.
>
> For more information about EU cookie policy, please visit here
> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
>
> As this crucial feature is missing in OFBiz E-Commerce application, we
> should work towards its implementation. There are numerous open-source
> jQuery plugins available which we can use. Thoughts?
>
>
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd.
>

> Hello all,
>
> just before you go in head over heels, please consider the following:
>
>    "However, some cookies are exempt from this requirement. Consent is
>    not required if the cookie is:
>
>      * used for the sole purpose of carrying out the transmission of a
>        communication, and
>      * strictly necessary in order for the provider of an information
>        society service explicitly required by the user to provide that
>        service.
>
>    Cookies clearly exempt from consent according to the EU advisory
>    body on data protection- WP29pdf
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf> include:
>
>      * *user‑input* cookies (session-id) such as first‑party cookies to
>        keep track of the user's input when filling online forms,
>        shopping carts, etc., for the duration of a session or
>        persistent cookies limited to a few hours in some cases
>      * *authentication* cookies, to identify the user once he has
>        logged in, for the duration of a session
>      * *user‑centric security* cookies, used to detect authentication
>        abuses, for a limited persistent duration
>      * *multimedia content player* cookies, used to store technical
>        data to play back video or audio content, for the duration of a
>        session
>      * *load‑balancing* cookies, for the duration of session
>      * *user‑interface customisation* cookies such as language or font
>        preferences, for the duration of a session (or slightly longer)
>      * *third‑party social plug‑in content‑sharing* cookies, for
>        logged‑in members of a social network."
>
> (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
>
> Does OFBiz even set other cookies? If yes, for what are they needed?
>
> Kind regards, Benjamin Jugl
>
>
>
> On 31.10.18 13:11, Deepak Nigam wrote:
>> Hello All,
>>
>> The Cookie Law is a piece of privacy legislation that requires websites to
>> get consent from visitors to store or retrieve any information on their
>> computer, smartphone or tablet. It was designed to protect online privacy,
>> by making consumers aware of how information about them is collected and
>> used online, and give them a choice to allow it or not.
>>
>> The EU Cookie Legislation began as a directive from the European Union.
>> Some variation on the policy has since been adopted by all countries within
>> the EU.
>>
>> The EU Cookie Legislation requires 4 actions from website owners who use
>> cookies:
>> 1. When someone visits your website, you need to let them know that your
>> site uses cookies.
>> 2. You need to provide detailed information regarding how that cookie data
>> will be utilized.
>> 3. You need to provide visitors with some means of accepting or refusing
>> the use of cookies in your site.
>> 4. If they refuse, you need to ensure that cookies will not be placed on
>> their machine.
>>
>> For more information about EU cookie policy, please visit here
>> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
>>
>> As this crucial feature is missing in OFBiz E-Commerce application, we
>> should work towards its implementation. There are numerous open-source
>> jQuery plugins available which we can use. Thoughts?
>>
>>
>> Thanks & Regards
>> --
>> Deepak Nigam
>> HotWax Systems Pvt. Ltd.
>>
>
>

> Thanks Deepak, Benjamin,
>
> We are indeed only concerned by the ecommerce webapps (both ecommerce and
> ecomse). They are the sole to be public. The backend applications should
> not
> be concerned.
>
> Actually, in ecommerce webapps, we use technical cookies: JSSESSIONID,
> possibly cookie.domain and maybe jstree* ones. I believe they all fall in
> the
> exempt cases.
>
> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While
> doing so I spotted that securedLoginId has the same duration (1 year) than
> autoUserLoginId. I have reduced it to the browser session so it also falls
> in the exempt cases. I'll commit that very soon.
>
> I have not read all the details but I believe the only ones we should
> think about are the autoUserLoginId and OFBiz.Visitor cookies. They
> inherently
> does not contain party data, but from the visitorId or userLoginId fields
> it's possible to get to the party data. Not sure it's an issue as is,
> because AFAIK we use only first‑party cookies[1] but the problem seems
> their durations: one year.
>
> [1]
> https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>
> Jacques
>
> Le 31/10/2018 à 14:05, Benjamin Jugl a écrit :
> > Hello all,
> >
> > just before you go in head over heels, please consider the following:
> >
> >    "However, some cookies are exempt from this requirement. Consent is
> >    not required if the cookie is:
> >
> >      * used for the sole purpose of carrying out the transmission of a
> >        communication, and
> >      * strictly necessary in order for the provider of an information
> >        society service explicitly required by the user to provide that
> >        service.
> >
> >    Cookies clearly exempt from consent according to the EU advisory
> >    body on data protection- WP29pdf
> > <
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
> > include:
> >
> >      * *user‑input* cookies (session-id) such as first‑party cookies to
> >        keep track of the user's input when filling online forms,
> >        shopping carts, etc., for the duration of a session or
> >        persistent cookies limited to a few hours in some cases
> >      * *authentication* cookies, to identify the user once he has
> >        logged in, for the duration of a session
> >      * *user‑centric security* cookies, used to detect authentication
> >        abuses, for a limited persistent duration
> >      * *multimedia content player* cookies, used to store technical
> >        data to play back video or audio content, for the duration of a
> >        session
> >      * *load‑balancing* cookies, for the duration of session
> >      * *user‑interface customisation* cookies such as language or font
> >        preferences, for the duration of a session (or slightly longer)
> >      * *third‑party social plug‑in content‑sharing* cookies, for
> >        logged‑in members of a social network."
> >
> > (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
> >
> > Does OFBiz even set other cookies? If yes, for what are they needed?
> >
> > Kind regards, Benjamin Jugl
> >
> >
> >
> > On 31.10.18 13:11, Deepak Nigam wrote:
> >> Hello All,
> >>
> >> The Cookie Law is a piece of privacy legislation that requires websites
> to
> >> get consent from visitors to store or retrieve any information on their
> >> computer, smartphone or tablet. It was designed to protect online
> privacy,
> >> by making consumers aware of how information about them is collected and
> >> used online, and give them a choice to allow it or not.
> >>
> >> The EU Cookie Legislation began as a directive from the European Union.
> >> Some variation on the policy has since been adopted by all countries
> within
> >> the EU.
> >>
> >> The EU Cookie Legislation requires 4 actions from website owners who use
> >> cookies:
> >> 1. When someone visits your website, you need to let them know that your
> >> site uses cookies.
> >> 2. You need to provide detailed information regarding how that cookie
> data
> >> will be utilized.
> >> 3. You need to provide visitors with some means of accepting or refusing
> >> the use of cookies in your site.
> >> 4. If they refuse, you need to ensure that cookies will not be placed on
> >> their machine.
> >>
> >> For more information about EU cookie policy, please visit here
> >> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
> >>
> >> As this crucial feature is missing in OFBiz E-Commerce application, we
> >> should work towards its implementation. There are numerous open-source
> >> jQuery plugins available which we can use. Thoughts?
> >>
> >>
> >> Thanks & Regards
> >> --
> >> Deepak Nigam
> >> HotWax Systems Pvt. Ltd.
> >>
> >
> >
>
>

> Thanks, Benjamin, Jacques.
>
> Definitely, we will move forward only after studying  OFBiz cookies in
> depth. I just put initial thought came to my mind.
>
>
>
> On Wed, Oct 31, 2018 at 9:03 PM Jacques Le Roux <
> [hidden email]> wrote:
>
>> Thanks Deepak, Benjamin,
>>
>> We are indeed only concerned by the ecommerce webapps (both ecommerce and
>> ecomse). They are the sole to be public. The backend applications should
>> not
>> be concerned.
>>
>> Actually, in ecommerce webapps, we use technical cookies: JSSESSIONID,
>> possibly cookie.domain and maybe jstree* ones. I believe they all fall in
>> the
>> exempt cases.
>>
>> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While
>> doing so I spotted that securedLoginId has the same duration (1 year) than
>> autoUserLoginId. I have reduced it to the browser session so it also
>> falls in the exempt cases. I'll commit that very soon.
>>
>> I have not read all the details but I believe the only ones we should
>> think about are the autoUserLoginId and OFBiz.Visitor cookies. They
>> inherently
>> does not contain party data, but from the visitorId or userLoginId fields
>> it's possible to get to the party data. Not sure it's an issue as is,
>> because AFAIK we use only first‑party cookies[1] but the problem seems
>> their durations: one year.
>>
>> [1]
>> https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>>
>> Jacques
>>
>> Le 31/10/2018 à 14:05, Benjamin Jugl a écrit :
>> > Hello all,
>> >
>> > just before you go in head over heels, please consider the following:
>> >
>> >    "However, some cookies are exempt from this requirement. Consent is
>> >    not required if the cookie is:
>> >
>> >      * used for the sole purpose of carrying out the transmission of a
>> >        communication, and
>> >      * strictly necessary in order for the provider of an information
>> >        society service explicitly required by the user to provide that
>> >        service.
>> >
>> >    Cookies clearly exempt from consent according to the EU advisory
>> >    body on data protection- WP29pdf
>> > <
>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
>> > include:
>> >
>> >      * *user‑input* cookies (session-id) such as first‑party cookies to
>> >        keep track of the user's input when filling online forms,
>> >        shopping carts, etc., for the duration of a session or
>> >        persistent cookies limited to a few hours in some cases
>> >      * *authentication* cookies, to identify the user once he has
>> >        logged in, for the duration of a session
>> >      * *user‑centric security* cookies, used to detect authentication
>> >        abuses, for a limited persistent duration
>> >      * *multimedia content player* cookies, used to store technical
>> >        data to play back video or audio content, for the duration of a
>> >        session
>> >      * *load‑balancing* cookies, for the duration of session
>> >      * *user‑interface customisation* cookies such as language or font
>> >        preferences, for the duration of a session (or slightly longer)
>> >      * *third‑party social plug‑in content‑sharing* cookies, for
>> >        logged‑in members of a social network."
>> >
>> > (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
>> >
>> > Does OFBiz even set other cookies? If yes, for what are they needed?
>> >
>> > Kind regards, Benjamin Jugl
>> >
>> >
>> >
>> > On 31.10.18 13:11, Deepak Nigam wrote:
>> >> Hello All,
>> >>
>> >> The Cookie Law is a piece of privacy legislation that requires
>> websites to
>> >> get consent from visitors to store or retrieve any information on their
>> >> computer, smartphone or tablet. It was designed to protect online
>> privacy,
>> >> by making consumers aware of how information about them is collected
>> and
>> >> used online, and give them a choice to allow it or not.
>> >>
>> >> The EU Cookie Legislation began as a directive from the European Union.
>> >> Some variation on the policy has since been adopted by all countries
>> within
>> >> the EU.
>> >>
>> >> The EU Cookie Legislation requires 4 actions from website owners who
>> use
>> >> cookies:
>> >> 1. When someone visits your website, you need to let them know that
>> your
>> >> site uses cookies.
>> >> 2. You need to provide detailed information regarding how that cookie
>> data
>> >> will be utilized.
>> >> 3. You need to provide visitors with some means of accepting or
>> refusing
>> >> the use of cookies in your site.
>> >> 4. If they refuse, you need to ensure that cookies will not be placed
>> on
>> >> their machine.
>> >>
>> >> For more information about EU cookie policy, please visit here
>> >> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
>> >>
>> >> As this crucial feature is missing in OFBiz E-Commerce application, we
>> >> should work towards its implementation. There are numerous open-source
>> >> jQuery plugins available which we can use. Thoughts?
>> >>
>> >>
>> >> Thanks & Regards
>> >> --
>> >> Deepak Nigam
>> >> HotWax Systems Pvt. Ltd.
>> >>
>> >
>> >
>>
>>

> FYI, here is the Jira ticket
> <https://issues.apache.org/jira/browse/OFBIZ-10639> for further discussion
> and research.
>
> On Thu, Nov 1, 2018 at 3:02 PM Deepak Nigam <[hidden email]>
> wrote:
>
>> Thanks, Benjamin, Jacques.
>>
>> Definitely, we will move forward only after studying  OFBiz cookies in
>> depth. I just put initial thought came to my mind.
>>
>>
>>
>> On Wed, Oct 31, 2018 at 9:03 PM Jacques Le Roux <
>> [hidden email]> wrote:
>>
>>> Thanks Deepak, Benjamin,
>>>
>>> We are indeed only concerned by the ecommerce webapps (both ecommerce and
>>> ecomse). They are the sole to be public. The backend applications should
>>> not
>>> be concerned.
>>>
>>> Actually, in ecommerce webapps, we use technical cookies: JSSESSIONID,
>>> possibly cookie.domain and maybe jstree* ones. I believe they all fall in
>>> the
>>> exempt cases.
>>>
>>> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While
>>> doing so I spotted that securedLoginId has the same duration (1 year) than
>>> autoUserLoginId. I have reduced it to the browser session so it also
>>> falls in the exempt cases. I'll commit that very soon.
>>>
>>> I have not read all the details but I believe the only ones we should
>>> think about are the autoUserLoginId and OFBiz.Visitor cookies. They
>>> inherently
>>> does not contain party data, but from the visitorId or userLoginId fields
>>> it's possible to get to the party data. Not sure it's an issue as is,
>>> because AFAIK we use only first‑party cookies[1] but the problem seems
>>> their durations: one year.
>>>
>>> [1]
>>> https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>>>
>>> Jacques
>>>
>>> Le 31/10/2018 à 14:05, Benjamin Jugl a écrit :
>>>> Hello all,
>>>>
>>>> just before you go in head over heels, please consider the following:
>>>>
>>>>     "However, some cookies are exempt from this requirement. Consent is
>>>>     not required if the cookie is:
>>>>
>>>>       * used for the sole purpose of carrying out the transmission of a
>>>>         communication, and
>>>>       * strictly necessary in order for the provider of an information
>>>>         society service explicitly required by the user to provide that
>>>>         service.
>>>>
>>>>     Cookies clearly exempt from consent according to the EU advisory
>>>>     body on data protection- WP29pdf
>>>> <
>>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
>>>> include:
>>>>
>>>>       * *user‑input* cookies (session-id) such as first‑party cookies to
>>>>         keep track of the user's input when filling online forms,
>>>>         shopping carts, etc., for the duration of a session or
>>>>         persistent cookies limited to a few hours in some cases
>>>>       * *authentication* cookies, to identify the user once he has
>>>>         logged in, for the duration of a session
>>>>       * *user‑centric security* cookies, used to detect authentication
>>>>         abuses, for a limited persistent duration
>>>>       * *multimedia content player* cookies, used to store technical
>>>>         data to play back video or audio content, for the duration of a
>>>>         session
>>>>       * *load‑balancing* cookies, for the duration of session
>>>>       * *user‑interface customisation* cookies such as language or font
>>>>         preferences, for the duration of a session (or slightly longer)
>>>>       * *third‑party social plug‑in content‑sharing* cookies, for
>>>>         logged‑in members of a social network."
>>>>
>>>> (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
>>>>
>>>> Does OFBiz even set other cookies? If yes, for what are they needed?
>>>>
>>>> Kind regards, Benjamin Jugl
>>>>
>>>>
>>>>
>>>> On 31.10.18 13:11, Deepak Nigam wrote:
>>>>> Hello All,
>>>>>
>>>>> The Cookie Law is a piece of privacy legislation that requires
>>> websites to
>>>>> get consent from visitors to store or retrieve any information on their
>>>>> computer, smartphone or tablet. It was designed to protect online
>>> privacy,
>>>>> by making consumers aware of how information about them is collected
>>> and
>>>>> used online, and give them a choice to allow it or not.
>>>>>
>>>>> The EU Cookie Legislation began as a directive from the European Union.
>>>>> Some variation on the policy has since been adopted by all countries
>>> within
>>>>> the EU.
>>>>>
>>>>> The EU Cookie Legislation requires 4 actions from website owners who
>>> use
>>>>> cookies:
>>>>> 1. When someone visits your website, you need to let them know that
>>> your
>>>>> site uses cookies.
>>>>> 2. You need to provide detailed information regarding how that cookie
>>> data
>>>>> will be utilized.
>>>>> 3. You need to provide visitors with some means of accepting or
>>> refusing
>>>>> the use of cookies in your site.
>>>>> 4. If they refuse, you need to ensure that cookies will not be placed
>>> on
>>>>> their machine.
>>>>>
>>>>> For more information about EU cookie policy, please visit here
>>>>> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
>>>>>
>>>>> As this crucial feature is missing in OFBiz E-Commerce application, we
>>>>> should work towards its implementation. There are numerous open-source
>>>>> jQuery plugins available which we can use. Thoughts?
>>>>>
>>>>>
>>>>> Thanks & Regards
>>>>> --
>>>>> Deepak Nigam
>>>>> HotWax Systems Pvt. Ltd.
>>>>>
>>>>
>>>

> Le 31/10/2018 à 16:32, Jacques Le Roux a écrit :
>> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) than
>> autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.
>>
>> I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They
>> inherently does not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue
>> as is, because AFAIK we use only first‑party cookies[1] but the problem seems their durations: one year.
>>
>> [1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>
> I re-read above and the Benjamin's copy from " WP29pdf ".
>
> It seems to me that autoUserLoginId and OFBiz.Visitor cookies don't fit in any of these categories, and we don't inform the visitor about these
> cookies.
> Deepak's proposition in OFBIZ-10639 does not allow to not consent.  But I guess in this case it's the user's responsibility to quit the site before
> login in and so we are covered.
>
> Please chime in if you disagree
>
> Jacques
>
>