New Stripe cookie can block the payment

[Emma-fOT]

Describe the bug There is a problem with Stripe on the checkout page of my customer's website. His customers can’t enter any information on the blank fields (IBAN for transfers, credit card informations for card payments). I discussed it on the Wordpress.org support of the Woocommerce Gateway Stripe plugin and I found a workaround, but find important to put it here also in order to avoid others to have the same problem.

To Reproduce Steps to reproduce the behavior:

1. Go to https://babyinberlin.com/
2. Go to the Cookie panel on the bottom of the screen
3. Click on "Show details"
4. In the "unclassified" list, there is the "1" cookie (purpose: Registers data on visitors' website-behaviour. This is used for internal analysis and website optimization.)
5. This cookie lands automatically in the "statistics" panel, I put it manually in the "unclassified" list because the plugin doesn't work otherwise. (see screenshot)

Expected behavior I expect that the plugin runs even if this cookie is in the "statistics" area because it's a tracking cookie and what I did is not GDPR-friendly.

Screenshots Here is a screenshot on how the checkout page looks like when this cookie is in the "stastics" panel. Screenshot1

Environment (please complete the following information): List of the plugins used and linked to the payment process: – Woocommerce – Woocommerce Memberships – Woocommerce Stripe Gateway – YITH Woocommerce Affiliates Premium – Sendinblue – WooCommerce Email Marketing – German Market – Checkout field editor for Woocommerce

Additional context Add any other context about the problem here.

[karen-martin]

We're experiencing the same problem. I've talked with WooCommerce, Stripe, and CookieBot and still have no resolution. We've changed the category on the "1" cookie as well, which seems to violate GDPR.

Interestingly, a Stripe rep I talked with said "1" cookie isn't theirs even though it's clearly is. There are 4 additional ones that the rep said aren't theirs even though they clearly are: m, _ab, _mf, and id. Stripe seems to have a cookie knowledge gap.

I've escalated the issue and will report back what I learn.

[lucabastholm]

Hi, did you get an answer/solution from them? I've encountered the same issue.

[karen-martin]

No response. Very frustrating. I'm sorry you're having the same issue.

[lucabastholm]

Ah, yes frustrating. I will write them again today and let you know if I get a response :)

[ianmkahn]

I'm also having the same issue for a client. I haven't found any solution online.

[mikedoeswebs]

I am also seeing this problem

[karen-martin]

Still no solution that I've found. We may change cookie providers to see if that fixes it. Seems an extreme measure for something that Stripe should be able to solve. @lucabastholm - have you heard back from Stripe?

[interactivevalues]

hi, having the same issue! is there an update? even setting the 1 cookie as necessary doesnt help.

[karen-martin]

Hi @interactivevalues - I'm surprised it's not helping to make the "1" cookie necessary. That allowed our CC fields to function properly and they still are.

Interestingly, I think (but am not sure) that the description of the "1" cookie has changed since I first posted on GitHub. This is the current description:

I believe it sounded far more non-compliant with GDPR before, but I can't remember the exact description.

I just ran it past our attorney who's in the process of revising Terms of Service, Privacy Policy, and Cookie Policy and he had this to say:

**I think internal analysis and website optimization are legitimate interests. Even from the example that's given, it seems that this cookie would "take place in a client relationship" since it's during the processing of payments. With that rationale I don't think it's anything to be worried about.

https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

It would be classified as a statistics cookie too, and doesn't contain personally identifiable information, so it has a legitimate interest without infringing on an individual user's privacy.

Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.

https://gdpr.eu/cookies/

From that description I wouldn't see any problem with leaving that cookie intact.**

Obviously, it's best to get your own attorney's view, but it seems if you can get the CC fields to function properly with the "1" cookie in the necessary/essential category, you'd be good to go.

FYI... @Emma-fOT, @lucabastholm @ianmkahn @mikedoeswebs

[simonbauza]

@interactivevalues Had the same issue. Clearing browser cache worked!

[github-actions[bot]]

Hi, This issue has gone 150 days (5 months) without any activity. This means it is time for a check-in to make sure it is still relevant. If you are still experiencing this issue with the latest version, you can help the project by responding to confirm the problem and by providing any updated reproduction steps. Thanks for helping out.

[github-actions[bot]]

This issue has gone 180 days (6 months) without any activity.