    GDPR Compliance

    Some interesting questions are being asked about General Data Protection Regulation (GDPR) and Miva Merchant. The main question being how best to answer the specific question "How to spell out what and how MIVA collects data?" The store asked if she should point back to Miva's page for details, but I'm thinking this might not be the best way to handle it. I'm sure I can find a bunch of popup scripts that either drop the message from the top or slide it up from the bottom, but if anyone has a favorite that would be cool to know about too. I was first thinking it would be great to have a module for this but that might be overkill.


    Leslie Kirk
    Miva Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr

    #2
    We're still working to improve our understanding of GDPR and how its articles are being modified by individual member states' own data privacy legislation. Depending on the audience, the requirements of GDPR can go well beyond providing information about cookie usage, but it seems as though the UK for example might not have as burdensome requirements, at least for the time being.

    For now, we're studying the informational site: https://cookieconsent.insites.com/do...#informational . It provides a number of resources including an easy "builder" to configure and implement your own cookie notice feature.

    ***Edit -- I originally misspoke. Cookieconsent.insites.com isn't Google's informational site, that's: https://www.cookiechoices.org/
    Last edited by 216justin; 05-22-18, 11:52 AM.
    Justin Sims
    216digital
    Cleveland Area - Code and Design
    https://216digital.com/



      #3
      To the good folks at MIVA.

      It was nice that you sent an email about GDPR (General Data Protection Regulation). The article was like so many on the internet. It is too general! How does it pertain to Miva? Will Miva be releasing tools like Spotify did yesterday, to help merchants comply and set up these features? It's in the EU now, and you know because of Facebook, it will be here in the US in some form.

      How do we give customers a chance to opt out of Facebook, or Google Analytics (built in to Miva), while still keeping the Miva cookie alive?

      What about notice to the customer requesting their permission to accept our cookies? How do we get them to opt in? How do they give their consent?

      Two-factor authentication. Is that just for admins or should each customer be required to have two-factor authentication?

      Storage of Data collection, the question is how long do we keep basic customer information for ecommerce? 1 year, 3 years, 7 years as the IRS states? How do we strip out the customer information, yet keep the sales records?

      How does Miva allow you to strip out customer information per the customer's request to “forget me”? Those questions are easy for Facebook, Twitter, Google, etc. But smaller companies using Miva

      So many questions, and I am looking to MIVA for some guidance. Maybe a weekly email from you addressing topics one by one, with best practices and examples. Just a thought.

      Kevin
      AutomotiveWorkwear.com



        #4
        Thanks for chiming in Kevin - one of my questions that came up while looking at the Cookieconsent.insites.com that Justin shared was how would you even go about creating a one-click button for a store that would disable the cookies? Can a Miva store even function without them?

        Maybe they should be sent to a cookies page that explicitly explains why they "can't" (well they can do anything they want to) reject the cookies. Then if they still want to decline them, give them a link back to Google...

        Yes, it would be nice to see more thorough steps on how to do as the customer might request.

        Leslie Kirk
        Miva Certified Developer
        Miva Merchant Specialist since 1997
        Previously of Webs Your Way
        (aka Leslie Nord leslienord)

        Email me: [email protected]
        www.lesliekirk.com

        Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



          #5
          Krsullivan We'll definitely be posting things as we have clarity, I doubt it'll be weekly though.

          lesliekirk no, Miva can't function without cookies.

          I also suspect we'll have a combo of some new modules to make things easier to achieve (such as being forgotten), adding cookie warning HTML snippets, and blogs/emails as these things turn from European Regulations into real world applications.

          We spoke to a number of GDPR consultants in the past few months and we didn't find anyone that I thought could speak with any certainty about how these things would apply to our customers in the real world post May 25, 2018. There were lots of lawyers and consultants looking to charge roughly $100k to examine your business and give us their opinions, but with no guarantee it would match how the EU truly implements these things when live.

          Finally I suspect the reason you're seeing most companies being so vague is there simply isn't enough history operating under these regs, nor case law, etc... to determine what the EU meant in our specific use cases, so companies are being conservative versus giving out legal advice they can't stand behind.
          Thanks,

          Rick Wilson
          CEO
          Miva, Inc.
          [email protected]
          https://www.miva.com



            #6
            I don't view it as a Miva issue as much as an individual business process issue. Although, I'll certainly agree that anything Miva can do to make our lives easier is always welcome.

            I spent the last couple days writing a new privacy policy. I'll admit that I haven't read the legislation, so you could say I have no idea if I'm legal. In my defense, I did visit the Privacy Shield website. My method was to review many of the revised privacy policies that I've been told about via email. They all pretty much use the same format, so there was my answer.

            Our privacy policy went from a handful of sentences to a full page of information that covers the how, what, when, where, and why of all the data we collect and share.

            As far as personal information in orders goes, I simply stated that we will keep all information about an order as long as is legally required by our local, state, and federal governments regardless of any individual's request to have their information removed. Of course, this does not mean that they can't have their account removed along with any email subscriptions or chats.

            I could be wrong, but I don't believe you have to allow someone to disable one or more cookies that your site uses. I believe you need to tell the visitor about the cookies, why you're using them, and the fact that their use of your website constitutes consent to collect the data they provide along with the fact that disabling cookies can render them unable to use your website.

            Anyway, I have privacy policies on the brain today, so I just had to chime in. Have a great weekend everyone!



              #7
              The UK is the same as the other 27 EU members; see the Information Commissioner's Office website: https://ico.org.uk/

              The above website uses cookie control from this company: https://www.civicuk.com/cookie-control They have a free version.

              Smashing Magazine's Privacy Page: https://www.smashingmagazine.com/privacy-policy/ appears to include everything, if you have the time to read it all.

              From the ICO: "The GDPR does not set specific time limits for different types of data. This is up to you, and will depend on how long you need the data for your specified purposes." So if the IRS requires you to keep that data for 7 years then that would, I assume, be lawful.






                #8
                Is there any type of public GDPR/Privacy Policy framework/template available that we can edit/use as necessary, or would anyone mind sharing theirs?

                Finally, is there a free simple website Privacy Policy notification/consent responsive solution that is not hosted by a third-party?
                Thank you, Bill Davis



                  #9
                  Regarding the GDPR, what I'm wondering about is the concept of implied consent.

                  I'm sure many of you automatically add email addresses, when an order is placed, to your general mailing list.

                  Under GDPR guidelines is this practice no longer allowed (for EU customers)?
                  Guy Turck
                  The Glass Baby Bottle - Toxin Free Essentials for Babies & Toddlers



                    #10
                    Originally posted by gjt:
                    Regarding the GDPR, what I'm wondering about is the concept of implied consent.

                    I'm sure many of you automatically add email addresses, when an order is placed, to your general mailing list.

                    Under GDPR guidelines is this practice no longer allowed (for EU customers)?
                    gjt You should never add a customer's email address to your mailing list without their consent.

                    I recently updated a client's privacy policy, and started using https://www.cookiebot.com/en/. It's been great so far & only displays a "cookie consent" bar to users in the EU (or desired countries). I looked at a few DIY solutions, but at the end of the day a free solution coupled with paid geotargeting still ended up being more expensive. If your goal is to only get consent from visitors in the EU then CookieBot is a great solution. Otherwise as stated above https://cookieconsent.insites.com/ has a super easy to set up solution – it's just a bit more work and potentially more expensive if you want to implement country control.



                      #11
                      Question: could a US merchant be subjected to GDPR laws/penalties even if an EU customer agrees to waive all their rights afforded under GDPR in order to shop and/or sell their merchandise to the merchant?
                      Thank you, Bill Davis



                        #12
                        I don't think anyone is qualified to say that with certainty yet. My suspicion is that'll be determined via case law in the next few years.
                        Thanks,

                        Rick Wilson
                        CEO
                        Miva, Inc.
                        [email protected]
                        https://www.miva.com



                          #13
                          I was looking at the MIVA website to see what you had implemented, and the cookie pop-up "Learn More" link results in a page not found.

                          NOTE: I was on this page: https://apps.miva.com/ where the Learn More link gave an error.

                          I think it is working on other pages!
                          Lynne Phelps
                          Sy-Klone International
                          www.sy-klone.com
                          Reduce Costs and Increase Uptime with Air Precleaners for Engines & HVAC



                            #14
                            It has been over a couple months since we've seen any activity on this question, and in that time we've seen quite a few other web site builders include functionality intended to address GDPR compliance. Does Miva have an update on what they will be implementing? It seems reasonable that at minimum a cookie notice should be made available.



                              #15
                              We're going to release an update that adds those as point and click style features in the coming months. In the meantime it's easy to add it on your own to the page templates. I'll ask someone to post the instructions.
                              Thanks,

                              Rick Wilson
                              CEO
                              Miva, Inc.
                              [email protected]
                              https://www.miva.com
