[Compliance] GDPR / Privacy Compliance of indefinitely stored addresses can not be achieved #6108
Comments
|
@tvdeyen @jarednorman @kennyadsl I would like to directly put the finger in the flesh here: I assume that's the reason addresses are made the way they are was to leave them for completed orders and tax records. That behaviour is by today's standards not legal in the EU and neither in Canada I believe. I tried to leave additional comments in the PR, but assume @mamhoff is needing time to love me more and unblock me on his PRs. Citing @kennyadsl
I saw #3852 has been pushed across two major releases by now. We will have to implement this PR now on our fork as a hotfix or an alternative of it in any case and build on it to get in the end to a drop in replacement of current address model that deletes addresses, for real. It's not only unavoidable to get to deletable addresses, I can't see how privacy compliance in Europe is currently even a given if we don't. So my question is what's the plan to tackle this and can we contribute anything to it. For me personally this is a can't wait issue and I don't assume I am the only company all across Europe using this system. Honestly this is for me personally an issue that should be solved out of the community funds and the priority here is 120% and there's no way to push this topic any further down the road. I assume that the discussion has been made internally between you already on how to solve it (as I can imagine this issue has been on all of your bucket lists and you have probably already solved it for some of your customers). If i'd be you I'd consider this an expense from the community fund and feel like @mamhoff would be up to the task given that he already achieved wonders on promotions (of course depending on his personal will and availability to do that). Me personally I think this issue warrants a warning in the documentation given the legal consequences failures to comply can have in Europe. Honestly I am not willing to touch it mostly because I had to fight with you over 4 months to get anywhere on meta data and this topic goes probably very deep into the logic of addresses on the platform itself without any clear guidance. Given that this issue has implications for all merchants in Europe, Canada and UK and at least multiple states of the US[1], what do we want to do here? We can't leave it like this for sure. It would be great to get any feedback from all of you or at least of 2/3 of you on how to move. [1] California Consumer Privacy Act (CCPA), first passed in 2020 and amended in 2023 by the California Privacy Rights Act (CPRA) |
|
I agree. The above mentioned PR should be merged as is now and shouldn't be pushed back any further.
I will ask Martin to rebase this and then it should be released with 4.5 (which is due anyway) imo.
As for GDPR compliance in general we have the solidus_gdpr extension[1] - which needs some love on the test suite, though.
The keep addresses forever feature should also be re-considered. There is no need to keep them for incomplete orders and that editing an address necessarily always creates a new address record without deleting the old - maybe invalid - address is debatable.
I would love to see someone working on this. Using community funds to address this (pun intended) is a good idea 👍🏻
[1] https://github.com/solidusio-contrib/solidus_gdpr
|
|
@tvdeyen i do not agree that the GDPR extension currently covers you. I'd personally consider that solving this once for all for everybody would take some work, but considering that the EU privacy laws have settled very very well (there are not much changes to expect) it should be considered to either fully drop compliance (with also here a big disclaimer and not hindering you to implement it), document gaps or (at least try) to fully satisfy it (which probably means making some changes to how sessions work also). I have some recollection of us discussing cookies in a comment, but this is such a well defined building block box that I would really consider to cover in one go:
I would love to just drill that down and I would consider a lawyer here as much as we did on the license things to at least have a glance at it. Right now we can't reach compliance without significant effort in:
I imagine the US being a joyride on consumer issues the next 4 years as I expect states to behave differently according to political alignment on privacy issues. I think we could have that ready by end of next month / mid april covering all aspects with a Lawyer underwriting it. |
fthobe
changed the title
Keep in mind that storing addresses indefinitely is fine as long as the user consents to it. If you, let's say "store the data for the purpose of minimizing data entry for future orders" retention is absolutely within the rights till the user either
There's nothing legally wrong with it. The problem is that currently the data is kept even upon "cancellation". This does have some side effects to: For most erp / billing systems the address data is a mutable resource that gets "burned" into invoices. The invoice billing address is an immutable copy of the address upon submission while the address itself continues to be subject to changes I would also consider this a feature with can have positive impacts on each of your sales. Solving this problem with compliant solution for say script injection for analytics based on consent is a strong sales pitch in 2024. |
|
Which by the way given that a consent library could use some great jsonb array, it would be a magnificient reason to accept meta and extend the meta data for users to contain in the jsonb stored consent information for consent management. |
|
I put some thought in addresses (be prepared for an essay about government standards, naming conventions and other absurdities like why names are not validated on credit card payments, I know you all love me for those). I am trying to drill down all problems with addresses here. I hope you can see this in the spirit of solving multiple address related problems in 1-3 PRs. First name, last name, vat id, tax id, company name are all distinct individual fields for einvoicing in Europe according to en16931-1 and related standards on billing addresses (shipping address is much more easy going) and in the mind of the EU that's coming to everybody including B2B transactions soon and given that electronic receipts became standard as well, probably also online. Funny enough Italy was a leader in defining that standards. While I do not believe we need to offer the invoice generation, it should be a reasonable default to collect information needed for invoices at least in EU and NAFTA countries. As much as I appreciate from a technical point of view the comment once made by Thomas quoted below (seriously, I agree with every word of it) the technical reality of doing business in Europe and US is just a different one regarding address schemes. Quote from Thomas in #3234
The behavior of PayPal and stripe is caused by the historical difference in how names are normalized in card payments (normalising proved to be so difficult that till today the name is only partially or not validated at all in the credit card exchange). Who wants to smile can read this article about that. Basically the name is not checked at all during card payments itself (some banks have anti fraud software though that validates names) as the construction of names across countries (and even in only the US) has proven difficult back then. The Braintree solution to that was not wrong (to concatenate the first name and last name) but dropping everything after a space was. Anyhow, the direction is the one below: full xml field parity to allow collection of data for invoices with name, last name, company name according to need and I believe concatenating values here is a smaller problem than splitting them also because in the end for fiscal requirements name are normalised by the fiscal authorities and usually recoverable information through ID and / or company registry. So as much as there's outcome variability, it is usually drilled down by the authorities (admittedly much less in NAFTA than in the EU), which is also the reason that differently to good wine Thomas' remarks while technically spot on did not age well as good wine does. This brings me to this:
So I would account for what's universal standard in Europe and NAFTA which can be a very long, sometimes even alfanumeric, first name and last name often accompanied by a company name (with fiscal and vat id in Europe). So what I would propose is following:
This is pretty much how Europe is seeing einvoicing (and therefor addresses): Desired address format
|
|
Let's keep this issue to deletion of addresses. My PR #3852 does not fully address this issue, as the address will continue being stored in the addresses table, but without any reference to users or orders. So we don't have a a way to fully delete an address currently, and that needs to be addressed (pun intendended). Regarding the argument that we should add lots of fields to billing addresses, I think these arguments are all wrong.
|
|
I am trying really hard not to copy and paste your slack remark here, trying to stay positive and answer all your points exhaustively trying to believe that you are acting in good spirit here and not just to contesting whatever I say for the pleasure of doing it. First Name and Last
TL;DR: Germany, Belgium and France don't, but others do and it does not hurt Germany to have it separated as you can always combine strings Don't ask me why we ended up with 25 standards for one EU regulation, but that's how it is. Keep in mind that EU regulations are broad guidelines, not strict implementation rules. Basically there are 5 concepts:
VAT ID should be stores with user accounts (Part 1)
TL;DR: companies having one VAT ID is not a correct statement A company can also have many VAT IDs actually and it is a frequently encountered problem, especially with ERP systems. So while setting it on the customer might work for many cases, it does not work for all. Putting the VAT ID / Tax ID in the address instead does work for all cases and is literally the same effort considering also the fact that reverse charge eligibility is determined by origin country, destination country and VAT ID vies participation. That's the reason why many B2B stores display the prices incl / excl VAT. Actually it gets even worse: Cases with more VAT IDs
So no, having them in the customer does not cover plenty of cases while keeping it in the address does actually do it. Other Quirks to be consideredIn addition, just to make life worse: To give you the most extreme example:
To determine if a VAT ID is eligible to receive the order without VAT you need to consult this platform otherwise you risk having to backpay VAT (if the national fiscal authority doesn't reject your invoice straight away). VAT ID should be stores with user accounts (Part 2)
Every company who wants to order needs an invoice to detract VAT with a VAT ID, consumers don't. Our customer model in reality is a User Model. Why should we ram a VAT ID into the user if we have the above described outcome variability. Just putting it into the address covers all cases while not all users we have need one. It's called billing address for a purpose. Privacy for VAT IDs
So you are right about the data frugality for consumer information, but you didn't get the application right in this case: VAT-IDs are not covered by privacy for various reasons:
So i hope this exhaustively answers all your points.
Do you want to do it or should we give it a try? We would throw in an Address PR directly afterwards, otherwise we can try to fix the whole issue. |
|
Please open two other issues: One for handling of the VAT ID, and one for the purported issues with the name field, so that we can decide separately on each of them. We're mixing concerns in this PR, and it's confusing. When doing that, please link to the resources you linked to above so we have a complete problem description for each of them. These are not linked (and should not be tackled by the same PR, either). |
I have heard of people not dying by admitting they are wrong. 😬
I would actually consider structuring it differently. I mean, we should align with lowest possible pain to what’s legislative standard in privacy and data preparation for export (like API import into the system that actually handles stock, billing and taxes), so I would split this up in two Issues:
Also because calculating tax correctly (2) is not possible without a full address (1). |
fthobe
changed the title
|
Thank you for opening up the two issues. It's unfortunate that they still don't separate the schema changes out separately, so we keep discussing several things at once now in a separate issue. Regarding the deletion of addresses: Currently, every address is unique. That means, if two user accounts store the same address in their address book, that address is now shared between user accounts. If user a wants "their" data to be deleted, we need to delete only that user's address entry. Addresses can be added without a user account. When changing an address on an anonymous order, the old address stays in the database. Any solution to this problem should avoid the following bugs:
I do not currently have time for working on this. |
I have replied on the other issue why I believe that VAT-IDs do not require a separate schema. I see your point, just don't agree with it ;)
Man ok, so two ways around it:
How would orders behave if we kill of an address used in an order? Please be patient with me here. Also is there a quantification of shared addresses? I have no idea how prevalent or non-prevalent the issue is? |
Concerns open PR: #3852 #3234 solidus_braintree #226
I am trying to wrap my head around this:
EU says clearly that personal data needs to be deleted upon customer request.
I do not see right now how we can make the address situation fit with that.
In Europe if the address is not needed for fiscal reason there's no reason to store it.
This means in Europe we need a solution to:
I don't see how to avoid that to comply with European regulations.
Solidus Version:
All
The text was updated successfully, but these errors were encountered: