Support » Plugin: Payment Plugins for Stripe WooCommerce » Feature request: conditional loading for GDPR compliance

  • Resolved karlemilnikka

    (@karlemilnikka)


    It would be great if there was a hook or setting to disable all connections to Stripe’s servers until the user has accepted the terms (so that the GDPR isn’t violated, and the customer can choose to let us make an exception under article 49). The plugin currently establishes connections to Stripe without the consent needed for transferring personal data to countries without adequate data protection. I tried loading the payment gateway conditionally using the woocommerce_available_payment_gateways filter, but connections were made to stripe.com regardless.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Payment Plugins

    (@mrclayton)

    Hi @karlemilnikka

    Thanks for contacting us.

    The plugin currently establishes connections to Stripe without the consent needed for transferring personal data to countries without adequate data protection.

    Have you reviewed all of our server code to confirm that? Because any server to server calls that include customer information do not occur until after the customer has initiated the payment or created an account on your site which should be after your user approves your GDPR policy.

    As far as the loading of scripts like js.stripe.com, there are plugins that exist that allow you to defer loading until your GDPR policy is accepted if that’s a concern.

    Here is a guideline from Stripe that you may find helpful. https://stripe.com/guides/general-data-protection-regulation

    I’d recommend you reach out directly to Stripe for guidance regarding your GDPR policy.

    Kind Regards,

    Thread Starter karlemilnikka

    (@karlemilnikka)

    Thanks for the amazingly quick reply. Yes, it’s the connections to js.stripe.com from the visitor’s browser I’m referring to. I’ll look into blocking them with a third-party plugin.

    gilles24

    (@gilles24)

    Hi
    I’m interested in the solution… because indeed, m.stripe is problematic from a GDPR point of view…

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @gilles24

    m.stripe is problematic from a GDPR point of view

    What specifically about m.stripe is problematic with respect to GDPR?

    Thanks,

    gilles24

    (@gilles24)

    Hi,
    Because this cookie (or other data recording system under m.stripe.network?) transfers data outside the European Union, without the consent of the user (since it is anyway impossible not to accept this cookie). The other payment cookies necessary for Stripe remain in the European Union.
    A European Union site has been pinned for this issue (see here).
    Furthermore, the purpose of using this data remains very obscure (see here).
    Also note that this cookie is deposited for a period of 2 years…
    (it’s in French… sorry).
    The developer of the order management plugin I used before provided me with a solution that worked (with php files): replace
    `<script src="https://js.stripe.com/v3"></script>` by `<script src="https://js.stripe.com/v3/?advancedFraudSignals=false"></script>`
    But, according to the support of Borlabs Cookie (cookie management plugin, with which it is normally possible to block cookies as long as the user’s consent is not acquired), it seems that this is not possible with your javascript files…
    But perhaps it is possible to consider, for a future version of your plugin, a parameter option which would make it possible not to integrate this cookie?
    Thanks

    Thread Starter karlemilnikka

    (@karlemilnikka)

    It’s not only the cookies that are an issue. Just like we cannot make automatic connections to Google Fonts (until the US has changed their mass-surveillance laws), we cannot make automatic connections to Stripe. We’d have to rely on the article 49 exception, which required explicit consent. Keep in mind that I’m not a lawyer, so I’m not saying use of Stripe would be GDPR compliant under article 49. That’s just the only way I see we could use Stripe at all after the EDPS sanctioned the European Parliament for using Stripe as a payment provider.

    I made a proof-of-concept fix for WooCommerce’s own Stripe plugin by dequeuing the scripts ‘stripe’ and ‘woocommerce_stripe’ (from the wp_enqueue_scripts hook), and removing the payment option (using the woocommerce_available_payment_gateways filter) until consent to make an exception had been given. I haven’t been able to make a similar solution for this plugin (yet).
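    The approach described in the post above, written out as an added example in the form of a WordPress must-use plugin; this is not code from the thread or from either Stripe plugin. It assumes a consent cookie named `stripe_consent` (set by whatever consent banner the site uses), the gateway id `stripe`, and the script handles `stripe` and `woocommerce_stripe` named in the post for WooCommerce’s own Stripe plugin.

```php
<?php
/**
 * Plugin Name: Defer Stripe.js until consent (added example, not from any plugin)
 *
 * Keeps the visitor's browser from contacting js.stripe.com and hides the
 * Stripe gateway until a consent cookie exists. Assumed (not from the thread):
 * cookie "stripe_consent" with value "1", gateway id "stripe", and the
 * wp_enqueue_scripts priority. Place in wp-content/mu-plugins/.
 */

// Single source of truth for whether this visitor has opted in (assumed cookie name).
function gdpr_example_has_stripe_consent(): bool {
	return isset( $_COOKIE['stripe_consent'] ) && '1' === $_COOKIE['stripe_consent'];
}

// 1. Remove the scripts that would open a connection to js.stripe.com.
//    Priority 100 runs after the gateway plugin's own enqueue, so the
//    handles already exist when we dequeue and deregister them.
add_action( 'wp_enqueue_scripts', function () {
	if ( gdpr_example_has_stripe_consent() ) {
		return;
	}
	foreach ( array( 'stripe', 'woocommerce_stripe' ) as $handle ) {
		wp_dequeue_script( $handle );
		wp_deregister_script( $handle );
	}
}, 100 );

// 2. Hide the gateway at the same time, so checkout never offers a payment
//    method whose client-side script has been removed (gateway id assumed).
add_filter( 'woocommerce_available_payment_gateways', function ( $gateways ) {
	if ( ! gdpr_example_has_stripe_consent() ) {
		unset( $gateways['stripe'] );
	}
	return $gateways;
} );

// 3. Once consent is given and Stripe.js does load, append the URL parameter
//    quoted earlier in the thread that turns off advanced fraud signals.
add_filter( 'script_loader_src', function ( $src, $handle ) {
	if ( 'stripe' === $handle && false !== strpos( $src, 'js.stripe.com/v3' ) ) {
		return add_query_arg( 'advancedFraudSignals', 'false', $src );
	}
	return $src;
}, 10, 2 );
```

    Verify the effect with the browser's network panel: before the cookie is set, no request to js.stripe.com or m.stripe.network should appear on checkout, and the Stripe option should be absent from the payment methods list.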
