PrestaShop 1.6 sends PII to Google Analytics

Created on 22 May 2019 · 19 Comments · Source: PrestaShop/PrestaShop

Please see this post in the forum that describes the issue: https://www.prestashop.com/forums/topic/986611-prestashop-sends-email-address-to-google-analytics-gdpr-and-pii/

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Google Analytics' and open a property that has tracking installed
  2. Click on 'Behaviour - Site Content - All pages', enter @ in the search box. See screen dump

Additional information
PrestaShop version: 1.6 (and probably 1.7)
GoogleAnalyticsPII

PHP version: N/A

1.6.1.24 Bug Google Analytics Major waiting for PM

All 19 comments

Hi @Prestafan1234,

Thank you for your report.
We'll first try to reproduce it and we'll come back to you if we need more information.
In my case, I don't have a result yet.
image
Thanks!

I think what happens is if Google Analytics is enabled on this page, it collects the URL.
However we should check, GDPR module might hide this email from being collected.

Also comes the question: is it an issue that the email is available in the URL, or is it an issue that the shop/module enables Google Analytics on this page ?

Hi,
Thanks for the quick response.

The issue is that the email is available in the URL, as it is against Google's policies and everyone risks having their accounts suspended or deleted. https://support.google.com/analytics/answer/6366371?hl=en

@Prestafan1234, in my case I did not manage to reproduce the issue with PS1.7.6.0 & the Google Analytics v3.1.3
I don't have an email in the URL
image
Thanks for checking & for your feedback.

The issue is that the email is available in the URL, as it is against Google's policies and everyone risks having their accounts suspended or deleted. https://support.google.com/analytics/answer/6366371?hl=en

@Prestafan1234 How did you enable Google Analytics on this page ? Using the GA module https://github.com/PrestaShop/ganalytics ?

@matks - Yes it is the GA module. I have just checked on some of my client's shops where they use the same module. The issue is the same.

@khouloudbelguith - unfortunately I cannot just upgrade my shop and all client's shops to 1.7. There are still too many errors when upgrading, and live shops with turnovers do not wish to be out of business or struggle with errors :-(

@Prestafan1234, I tried also with PS1.6.1.24 & ganalytics module v2.3.4 & it is ok
image
Thanks!

@khouloudbelguith did you also do guest tracking after completing the order? It looks like you have tested with standard 5-step checkout and not guest checkout?

@Prestafan1234, no, it is the same
I attached a video record
https://drive.google.com/file/d/1432cfxHU9PlNL5kzZfx6YobzL-NAvKT7/view
Thanks!

@khouloudbelguith

You cannot count on tracking being recorded instantly in Google Analytics and you are missing a step in the order. Please see attachments.

image

image

@Prestafan1234, thanks for these clarifications.
I managed to reproduce the issue with PS1.6.1.2.4
image
This issue occurs only if you click on "follow my order"
image

This option doesn't exist in PS1.7.6 => that's why I did not manage to reproduce it.

@marionf what do you think of this issue? it could be a security / critical issue for PS1.6?

Thanks!

@marionf what do you think of this issue? it could be a security / critical issue for PS1.6?

Thanks!

This is a legal compliance matter. This is clearly a GDPR issue. However it is not clear whether the PrestaShop core project should comply with GDPR (for example we have users in countries which are not in the GDPR scope so they do not care about it), whether the GA module should comply with GDPR, or whether the GDPR module should take care of this matter.

I believe we need to ask PrestaShop Legal team to analyze this matter.

Hello,

as you say @matks some countries do not care about GDPR, so in my opinion, it should not be integrated in the core but in a module.
Furthermore, we developed the official GDPR module to be "pluggable" (through hooks) to other modules which involve private data and make it easy to comply with the law.

With this logic, there should be an update of the Google Analytics module to use the hooks which are provided by the GDPR module.

Hi,
When will this bug be fixed?

@marionf In order for @atomiix to get onboarded on module issues, I think he can check this bug :)

We suggest the following behavior to solve this issue:

  • update the GDPR module, so it can detect when the Google Analytics module is installed
  • if it is installed, then on the Guest Tracking page, we inject a JS code that modifies how the Google Analytics script works and removes the email from the URL (so GA does not collect the email)

Does it look OK ?
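
A sketch of the URL scrubbing proposed in the comment above, as an added example that is not part of the thread and not code from PrestaShop, the ganalytics module or the GDPR module. The parameter names in `PII_KEYS`, the sample URLs, and the assumption that the shop loads analytics.js (the `ga('set', ...)` command queue) are illustrative.

```javascript
// Added example: not PrestaShop, ganalytics or GDPR-module code.
// Assumed: the parameter names in PII_KEYS and the constructed sample URLs.
const EMAIL = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/i;
const EMAIL_ALL = new RegExp(EMAIL.source, 'gi');
const PII_KEYS = new Set(['email', 'mail']);

// Return path + query with e-mail addresses replaced, usable as a GA page path.
function scrubPagePath(href, base = 'https://shop.example') {
  const url = new URL(href, base);
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    // searchParams yields decoded values, so "%40" is already "@" here.
    const isPii = PII_KEYS.has(key.toLowerCase()) || EMAIL.test(value);
    clean.append(key, isPii ? 'REDACTED' : value);
  }
  // Path segments are not decoded by URL, so the regex accepts "@" and "%40".
  const path = url.pathname.replace(EMAIL_ALL, 'REDACTED');
  const query = clean.toString();
  return query ? `${path}?${query}` : path;
}

// Browser side: override what analytics.js reports. This must run after
// ga('create', ...) and before ga('send', 'pageview').
function applyToAnalytics(win) {
  if (!win || typeof win.ga !== 'function') return false;
  const page = scrubPagePath(win.location.href, win.location.origin);
  win.ga('set', 'location', win.location.origin + page); // full URL field
  win.ga('set', 'page', page);                           // page path field
  return true;
}

// No-op outside a browser or when analytics.js is not loaded.
applyToAnalytics(typeof window !== 'undefined' ? window : null);

// Constructed sample URLs (not taken from a real shop).
const samples = [
  '/guest-tracking?id_order=ABCDEF&email=jane%40example.com',
  '/index.php?controller=guest-tracking&contact=john.doe@example.org',
  '/track/jane%40example.com/status',
  '/category/3-shoes?p=2',
];
for (const s of samples) console.log(s, '->', scrubPagePath(s));
```

Rewriting what GA receives leaves the address in the page URL itself, so it can still reach web server logs, browser history and Referer headers sent to third parties.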

@matks

update the GDPR module, so it can detect when the Google Analytics module is installed

Why not an update of the Google Analytics module like suggested by @colinegin ?

on the Guest Tracking page, we inject a JS code that modifies how the Google Analytics script works and removes the email from the URL (so GA does not collect the email)

Ok for that

Why not an update of the Google Analytics module like suggested by @colinegin ?

Because this would not work like this. If I understand correctly, the GDPR module filters data to make sure it is protected. However the data here that we want to protect is in the URL. I don't think the current GDPR module has the ability to filter data inside the URLs, that is why we need to update it.

I prefer to validate that with @colinegin when she is back, she knows GDPR better than me

Is there anything to do in the core then ? Or only in the GDPR module ?
Wdyt @v4lux @Darmona ?
