Legal and Technical Concerns: amzn-checkout-session Cookie Creation and Error Handling #1256

Open
mehdichaouch opened this issue Dec 5, 2024 · 1 comment

Comments

@mehdichaouch

Hello

I have reviewed the FAQ page for information about cookie management, but found no specific details addressing my concerns.

I would like to report an issue regarding the amzn-checkout-session cookie implementation.

Current Behavior:

  1. The amzn-checkout-session cookie is currently being created on all pages of the store, regardless of whether the customer is using Amazon Pay or not.
  2. When attempting to prevent cookie creation by overriding the storage.js file (amzn/amazon-pay-magento-2-module/view/frontend/web/js/model/storage.js), JavaScript console errors are triggered on various pages, including the product pages.

Technical Impact:

  • The cookie creation on all pages may not comply with privacy regulations and cookie consent requirements in certain jurisdictions
  • Attempting to modify the cookie behavior leads to JavaScript errors, making it difficult to implement proper cookie consent management

Legal Concerns:

  • The automatic cookie creation without user consent may not align with GDPR and similar privacy regulations
  • This behavior could potentially expose merchants to legal risks in jurisdictions with strict cookie consent requirements

Suggested Improvements:

  1. Implement conditional cookie creation that only triggers when Amazon Pay features are actively being used
  2. Add proper error handling in the JavaScript code to prevent console errors when the cookie is not present
  3. Consider adding built-in cookie consent integration

Would it be possible to modify the cookie creation logic to be more privacy-focused while maintaining the plugin's functionality?

@sgabhart22
Contributor

Hello @mehdichaouch,

This is an interesting topic worth discussing. One thing to note before going further is the module uses the amzn-checkout-session and amzn-checkout-session-config items in local storage only, and does not include the data stored in them in requests to the server; these are only needed client side to render the button (amzn-checkout-session-config) and make requests to the Amazon Pay API (amzn-checkout-session, which is essentially a UUID). I don't believe the checkout session ID could be construed as personally identifiable.

A genuine question regarding cookie consent in Magento stores, which I can't seem to find a definitive answer for: when a user initially responds to a cookie consent prompt when landing on the site, shouldn't this cover any cookies created by third-party modules? Personally I don't recall visiting a site where I've selected my cookie preferences, traveled through some other portions of the site, and then received a subsequent prompt regarding additional cookies that may be created in that particular area. But maybe this is a genuine concern in some regions.

Thanks,
Spencer
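
One way to approach suggestions 1 and 2 from the issue, shown as an added example that is not the module's storage.js or code from either participant: a wrapper that keeps the two items in memory until consent is given and returns a fallback instead of throwing when an item is absent. `createGatedStorage`, `hasConsent`, `MemoryStorage` and the JSON serialisation are assumptions made for illustration; only the two key names come from the thread.

```javascript
// Added example: hypothetical consent-gated wrapper, not the module's storage.js.
const SESSION_KEY = 'amzn-checkout-session';        // key names taken from the thread
const CONFIG_KEY = 'amzn-checkout-session-config';

// Constructed stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// hasConsent is an assumed callback supplied by the store's consent manager.
function createGatedStorage(backend, hasConsent) {
  const pending = new Map(); // page-lifetime values, never written to the backend
  return {
    set(key, value) {
      const json = JSON.stringify(value);
      pending.delete(key); // drop any stale in-memory copy first
      if (hasConsent()) backend.setItem(key, json);
      else pending.set(key, json);
    },
    // Missing or malformed entries yield the fallback instead of throwing.
    get(key, fallback = null) {
      const raw = pending.get(key) ?? (hasConsent() ? backend.getItem(key) : null);
      if (raw === null || raw === undefined) return fallback;
      try { return JSON.parse(raw); } catch (e) { return fallback; }
    },
    // Call when the consent state changes: persist on grant, purge on withdrawal.
    sync() {
      if (hasConsent()) {
        for (const [key, json] of pending) backend.setItem(key, json);
        pending.clear();
      } else {
        for (const key of [SESSION_KEY, CONFIG_KEY]) backend.removeItem(key);
      }
    },
  };
}

// Walk through deny -> grant -> withdraw with a constructed session id.
function demo() {
  const backend = new MemoryStorage();
  let consent = false;
  const store = createGatedStorage(backend, () => consent);
  store.set(SESSION_KEY, 'constructed-session-id');
  const beforeConsent = backend.getItem(SESSION_KEY); // nothing persisted yet
  const readable = store.get(SESSION_KEY);            // still usable in memory
  consent = true; store.sync();
  const afterGrant = backend.getItem(SESSION_KEY);
  consent = false; store.sync();
  return { beforeConsent, readable, afterGrant, afterWithdraw: store.get(SESSION_KEY, 'none') };
}
```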
