Author Topic: GDPR: What cookies does virtuemart use  (Read 803 times)

accessvirus

  • Beginner
  • *
  • Posts: 29
    • Creative Director
  • Skype Name: alexander-van-aken
GDPR: What cookies does virtuemart use
« on: August 15, 2018, 12:09:15 pm »
Hi, Recently I saw a cookie called vmapply. I can't find it anymore assigned to the site, but wonder why it was there, what it does/did and to what category it belongs. Is this a necessary session cookie? Does VM have more cookies and if so, can I manage them from somewhere (for instance to enable/disable marketing cookies)? I currently have the webshop in catalog mode and need to know if, once I make it a normal webshop instead of catalog, more cookies appear.

Cookiebot didn't detect vmapply (maybe because it is gone now. Did I change a setting? if there was one assigned to it), but when I open the Chrome > application tab
Jack of all trades with a specialization in Branding, Graphic- & sound design

jjk

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 3647
  • using Matomo instead of Google Analytics
Re: GDPR: What cookies does virtuemart use
« Reply #1 on: August 16, 2018, 00:17:32 am »
vmapply is a session cookie, which expires at the end of the session. As far as I know it is used in administration forms for example for buttons.
Looks like this:

Name   vmapply
Value   0
Host   yourdomain.com
Path   /
Expires   At end of session
Secure   No
HttpOnly   No

I think in the Netherlands you don't have to explain every single cookie that may be set by Joomla or VirtueMart automatically. It's worth to read the original text of the GDPR in Dutch. Lawyers tend to make everything more complicated and they often add their own interpretations.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

diri

  • Jr. Member
  • **
  • Posts: 106
  • VirtueMart Version: most recent dev version (trunk)
Re: GDPR: What cookies does virtuemart use
« Reply #2 on: August 17, 2018, 06:14:12 am »
Sorry jjk,

explaining which cookie is used for what has nothing to do with making things complicated. It should be documented to help administration in relation to compliance at least. GDPR is active since spring 2016 - there has been time enough for everybody.

GDPR clearly states need to explain usage of each cookie being set and who is getting IP address of visitor (i.e. when using some CDN, Google maps / search / adwords / translate /..., ...) in language being understandable for non-techies and acceptable related legal reason. This makes it horrible even for developers of some products: Each backlink or built-in advertisement via external link must be known and documented for this. Otherwise there is high risk not to be compliant for user of product.

If there is a session cookie consent is not required for GDPR but, there is an upcoming ePrivacy law in EU. I.e. in California there is obligation to get consent for everything being saved on user's machine since some time and this is not the only example.

There are many other issues as well:
In Germany changing a bill is forbidden since many years - this is nothing new ("Gesetz zur ordnungsgemäßen Buchführung"). Other countries might have other and / or same obligations.

OTOH:
No plaintiff, no judge. It's a question of time only.

cu,diri

jjk

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 3647
  • using Matomo instead of Google Analytics
Re: GDPR: What cookies does virtuemart use
« Reply #3 on: August 18, 2018, 17:38:17 pm »
Quote
Cookiebot didn't detect vmapply
Cookiebot is a (imho expensive) cloud service by Cybot, which scans if your website's frontend sets cookies and a lot of other stuff. Since cookies are always stored in the user's browser, it naturally can't find session cookies or for example language cookies which VirtueMart or Joomla are setting while you are connected to the backend administration views.

If you are using the Firefox browser with 'Web Developer Tools' extension installed, you can easily check for cookies yourself by selecting 'Storage Inspector > Cookies' from its menu.

Quote
GDPR clearly states need to explain usage of each cookie being set and who is getting IP address of visitor (i.e. when using some CDN, Google maps / search / adwords / translate /..., ...)
GDPR doesn't. (That's why I wrote "It's worth to read the original text of the GDPR in Dutch.") See: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679 Cookies and IP addresses are a different story.

In the Netherlands, cookies are regulated in the Dutch Telecommunications Act (cookiebepaling in de Telecommunicatiewet). If you read it, make sure you are reading the latest version, because it has been changed several times in the past few years.

I think this link summarizes the current requirements in the Netherlands fairly well: https://www.safira.nl/safira-deelt/-3236-nieuwe-avg-gdpr-privacywet-cookies-en-de-cookiemelding/

I'm pretty sure that you don't need a cookie report for VirtueMart cookies if you use a genuine VirtueMart.

Quote
If there is a session cookie consent is not required for GDPR but, there is an upcoming ePrivacy law in EU
Last thing I read about that was that they are likely to change their mind concerning session cookies.



Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations
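
Added example (not part of the forum thread and not VirtueMart or Joomla code): a small Python inventory helper that turns raw Set-Cookie header values into the same Name / Value / Host / Path / Expires / Secure / HttpOnly listing shown in Reply #1, so cookies set in backend views that a frontend scanner does not visit can still be documented. The header values, the cookie names other than vmapply, and the host are constructed sample data.

```python
# Constructed sample Set-Cookie values; only the vmapply line mirrors the
# attributes listed in the thread, the other names are hypothetical.
SAMPLE_HEADERS = [
    "vmapply=0; path=/",
    "0123456789abcdef0123456789abcdef=sessionvalue; path=/; HttpOnly",
    "example_lang=nl-NL; expires=Fri, 16 Aug 2019 00:17:32 GMT; path=/; Secure",
    "example_pref=1; Max-Age=3600; path=/shop",
]

def parse_set_cookie(header, request_host):
    """Split one Set-Cookie value into the fields a browser storage view shows."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    # Defaults: host-only cookie, path "/" (assumes the request was for "/"),
    # and no Expires/Max-Age, which makes it a session cookie.
    row = {"Name": name.strip(), "Value": value.strip(), "Host": request_host,
           "Path": "/", "Expires": "At end of session",
           "Secure": "No", "HttpOnly": "No"}
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            row["Host"] = val.lstrip(".")
        elif key == "path" and val.startswith("/"):
            row["Path"] = val
        elif key == "expires":
            expires = val
        elif key == "max-age":
            max_age = val
        elif key == "secure":
            row["Secure"] = "Yes"
        elif key == "httponly":
            row["HttpOnly"] = "Yes"
    # Max-Age takes precedence over Expires (RFC 6265).
    if max_age is not None and max_age.lstrip("-").isdigit():
        row["Expires"] = ("Already expired" if int(max_age) <= 0
                          else f"{max_age} s after being set")
    elif expires is not None:
        row["Expires"] = expires
    return row

def inventory(headers, request_host):
    return [parse_set_cookie(h, request_host) for h in headers]

def session_only(rows):
    """Names of cookies that disappear when the browser session ends."""
    return [r["Name"] for r in rows if r["Expires"] == "At end of session"]

if __name__ == "__main__":
    for row in inventory(SAMPLE_HEADERS, "yourdomain.com"):
        print("\n".join(f"{k}   {v}" for k, v in row.items()), end="\n\n")
```
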