woocommerce / woocommerce-gateway-stripe

The official Stripe Payment Gateway for WooCommerce
https://wordpress.org/plugins/woocommerce-gateway-stripe/

New Stripe cookie can block the payment #2600

Open Emma-fOT opened 1 year ago

Emma-fOT commented 1 year ago

**Describe the bug**
There is a problem with Stripe on the checkout page of my customer's website. His customers can't enter any information in the blank fields (IBAN for transfers, credit card information for card payments). I discussed it on the WordPress.org support of the WooCommerce Gateway Stripe plugin and I found a workaround, but I find it important to post it here as well so that others can avoid the same problem.

**To Reproduce**
Steps to reproduce the behavior:

  1. Go to https://babyinberlin.com/
  2. Go to the Cookie panel on the bottom of the screen
  3. Click on "Show details"
  4. In the "unclassified" list, there is the "1" cookie (purpose: Registers data on visitors' website-behaviour. This is used for internal analysis and website optimization.)
  5. This cookie lands automatically in the "statistics" panel; I put it manually in the "unclassified" list because the plugin doesn't work otherwise (see screenshot).

**Expected behavior**
I expect that the plugin runs even if this cookie is in the "statistics" area because it's a tracking cookie and what I did is not GDPR-friendly.

**Screenshots**
Here is a screenshot of how the checkout page looks when this cookie is in the "statistics" panel.

Screenshot1

**Environment (please complete the following information):**
List of the plugins used and linked to the payment process:

- Woocommerce
- Woocommerce Memberships
- Woocommerce Stripe Gateway
- YITH Woocommerce Affiliates Premium
- Sendinblue
- WooCommerce Email Marketing
- German Market
- Checkout field editor for Woocommerce


karen-martin commented 1 year ago

We're experiencing the same problem. I've talked with WooCommerce, Stripe, and CookieBot and still have no resolution. We've changed the category on the "1" cookie as well, which seems to violate GDPR.

Interestingly, a Stripe rep I talked with said the "1" cookie isn't theirs even though it clearly is. There are 4 additional ones that the rep said aren't theirs even though they clearly are: m, _ab, _mf, and id. Stripe seems to have a cookie knowledge gap.

I've escalated the issue and will report back what I learn.

lucabastholm commented 1 year ago

Hi, did you get an answer/solution from them? I've encountered the same issue.

karen-martin commented 1 year ago

No response. Very frustrating. I'm sorry you're having the same issue.

lucabastholm commented 1 year ago

Ah, yes frustrating. I will write them again today and let you know if I get a response :)

ianmkahn commented 10 months ago

I'm also having the same issue for a client. I haven't found any solution online.

mikedoeswebs commented 10 months ago

I am also seeing this problem.

karen-martin commented 10 months ago

Still no solution that I've found. We may change cookie providers to see if that fixes it. Seems an extreme measure for something that Stripe should be able to solve. @lucabastholm - have you heard back from Stripe?

interactivevalues commented 9 months ago

Hi, having the same issue! Is there an update? Even setting the 1 cookie as necessary doesn't help.

karen-martin commented 7 months ago

Hi @interactivevalues - I'm surprised it's not helping to make the "1" cookie necessary. That allowed our CC fields to function properly and they still are.

Interestingly, I think (but am not sure) that the description of the "1" cookie has changed since I first posted on GitHub. This is the current description:

image

I believe it sounded far more non-compliant with GDPR before, but I can't remember the exact description.

I just ran it past our attorney who's in the process of revising Terms of Service, Privacy Policy, and Cookie Policy and he had this to say:

**I think internal analysis and website optimization are legitimate interests. Even from the example that's given, it seems that this cookie would "take place in a client relationship" since it's during the processing of payments. With that rationale I don't think it's anything to be worried about.

https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

It would be classified as a statistics cookie too, and doesn't contain personally identifiable information, so it has a legitimate interest without infringing on an individual user's privacy.

Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.

https://gdpr.eu/cookies/

From that description I wouldn't see any problem with leaving that cookie intact.**

Obviously, it's best to get your own attorney's view, but it seems if you can get the CC fields to function properly with the "1" cookie in the necessary/essential category, you'd be good to go.

FYI... @Emma-fOT, @lucabastholm @ianmkahn @mikedoeswebs

simonbauza commented 7 months ago

@interactivevalues Had the same issue. Clearing browser cache worked!