New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. GDPR, or General Data Protection Regulation, is a new user and data privacy regulation slated to come into effect in the EU three weeks from now, on May 25, 2018.
The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.
Geofencing is not exactly a new concept. At least it finally is being used for good (privacy protection) rather than for evil (arbitrary geographical media blocking).
A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance.
This is just the type of service you would hope exists to make sure citizens can decide what levels of privacy they want and companies can decide what level of privacy they are willing to provide. For some time now we will see many stories of companies improving their privacy, companies pulling out of the EU market, and companies being fined by the EU. All are good and expected outcomes of rules such as the GDPR.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
When I read Ender's game for the first time several years ago, I was struck by the idea that even though the story had been written long before the internet became what it is now, "the Nets" could still be in our future. The ever increasing geographic restrictions on the internet are taking us closer and closer to "the Nets". Now we just gotta hope that the bugs stay away...
Just like China has their own websites that comply with the great firewall we will have a world where large chunks of the internet will be GDPR walled. I expect most US companies will find it more profitable to block than comply.
We didn't find much trouble in compliance. Sure we had to write a few policies and work out a procedure for exporting and deleting data from our systems. We did not spend even 25k in work to pull this off. It was fairly trivial for companies that don't make a product out of consumers.
If the US does similar legislation then suddenly the Internet will align to us and people will figure out new ways to make money.
“Common sense is not so common.” — Voltaire
can't you just destroy all data?
The way I see it as a European, it will mean that they were selling my data anyway, so that means they won't do that anymore. It also means they will not be able to do that for any of the other 350+MM Europeans.
This was also the intended reason for the law. It is as if Europe is saying "You are not allowed to take our data" and these websites are saying "Well, if that is the case, as punishment, we are not going to take your data."
Don't fight for your country, if your country does not fight for you.
As a EU resident, I don't mind if companies are choosing to block EU if they can't comply with privacy rules. I'd rather not do business with those companies.
I actually want this to happen. Forks are good at times and allow for improvements. Maybe the european internet can create something better than the american one.
Avantgarde Hebrew science fiction
This is for all the right reasons and there is nothing wrong with it.
Many businesses don't target foreign visitors, but get them anyway. Websites target local content (small businesses, retail locations, etc) that really gain no monetary benefit in showing their products to EU customers. Why deal with any compliance?
Keeping up with the laws of hundreds of foreign countries (and the states/provinces within them) is a full-time job. It's also very technical. A business in Canada or USA or any other country can either study EU legislation and adjust their web site for no real benefit (avoiding the risk of hefty fines) or just block the EU and move on with life.
Until countries unify their data protection and online laws for the greater good of society as a whole, this is the new state of the Internet. Focus on your own markets which makes you money, block everyone else. Saves risking non-compliance with foreign laws.
when you see the word 'Linux', drink!
Europe has to offer plenty of customers or plenty of juicy data if you will. With about 511 million citizens of which probably 2/3 are relevant to the market there's a lot of money to be made.
Now companies will have to decide whether it'll cost them more to lose the EU market or comply to their regulations.
As someone living in the EU I'm curious how the outcome will look like. I expect most of the big businesses to comply but possibly a lot of smaller ones resorting to geoblocking. At any rate there's still VPNs and TOR available.
Disclaimer: I've worked myself into GDPR details to shape my employer up for it.
GP is a little off on some details.
You have to *name* a Data Protection Officer. This can be anybody empowered to check compliance. Usually this is done by some administrative or IT specialist. Germany has had this for decades. No need for an extra hire.
You don't have to spend thousands or millions. You just need to have a proper setup and due diligence in place. The new thing is that you need to document procedures in a standardized manner. The big difference between the law that comes in on 25.4.2018 is that someone could only sue you if he was damaged and only if he could prove a data breach of critical personal data. The fines up to this point also were laughable.
Now anyone involved, including customers, can ask how data is handled and the authorities and others have the right to review documentation of your SOPs for data protection. Also you're in for big trouble with massive fines (up to 4% of global annual revenue) if you're careless with data and aren't willing to comply with the GDPR.
In short: If you have your IT in order GDPR compliance isn't that much of a big deal.
Documentation is, but compliance is not.
If however your IT is shit, then you're in for trouble if they come for you. Big time. ... Can't really complain about that actually.
Since they *will* eventually come for you *and* most companies (online *and* brick and mortar) IT setups are somewhere between disorganized shite and abysmal, companies would rather opt out than go through the hassle of complying. Which means only companies with proper procedures and due diligence in their IT will remain doing business in the EU.
Thus endeth some real-world details on GDPR.
You're welcome.
We suffer more in our imagination than in reality. - Seneca
Seeing as neither of those things are true, want to try again?
Don't want to deal with a country's rules? Don't let their citizens use their service or open an office there.
Should be everyone's right. Yeah privacy gets a hit but free market, someone else will fill the void and the world keeps on going.
While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"
This is shockingly stupid implementation, not stupid motivation.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If you don't want to have to deal with the laws of a certain country, should have the right to not do business inside that country.
Of course, that leaves a big underserved market. In less than 4 years someone will come along and serve them, while abiding by the laws they hate.
Which could very well lead to those companies losing worldwide market share as those new, privacy-conscious companies expand out of their underserved market into the general worldwide marketplace.
As for the laws they are trying to avoid? We need them in our country.
excitingthingstodo.blogspot.com
The trouble is, actually being in compliance isn't enough. You have to be able to afford the lawyers to defend against the accusations, even when they're completely invalid. All you've done is reduce your risk; you haven't eliminated it.
A one person shop does not need a DPO:
(Source: GDPR FAQ)
Unless that one person shop does engage in large scale processing of sensitive personal data, of course, but then they either have enough revenue to afford a DPO, or they are a shady 'ethicul biznizman' (aka spammer).
"I know I will be modded down for this": where's the option '-1, Asking for it'?
Only big companies need DPO. As per GDPR, DPOs must be appointed where the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale.
Also, an existing employee can function as DPO.
That's as it should be. If the regulatory costs of serving a region exceed the benefits to the company, then they don't serve that region.
If visitors lie about where they are from because they are just dying to use that juicy non-EU website, then fine, they don't get the regulatory protection. The company did due diligence to keep them out.
Seems reasonable.
Yep. Now we can only hope that more markets follow in their footsteps and make it impossible for such sites to stay in business at all. It's not like compliance is hard - just stop recording information about your visitors. Unless of course your business model depends on spying on your visitors, in which case good riddance.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
If the short-bus version actually respects people's privacy instead of spying on visitors, then maybe we need more short buses.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
What are the parameters for determining if you must supply them with documentation and how are they triggered?
Good.
When countries have congressmen/equivalent that pretend they can control the internet as part of their endless life of posturing, the correct answer is to move them off the adult table and block them.
Repeat until they decide they want to sit at the grown-up's table again, instead of playing Imaginary Level Of Reach And Obligations.
one or two (or even a dozen) events does not a systemic situation make
The little ones will ignore the EU, just as they ignore laws from Thailand and Saudi.
We'll see if the EU 'great firewalls' them in mass.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Not necessarily. Treaties and a general good relationship with the EU means they could have US courts enforce judgment. Currently, the US is not under treaty to enforce the GDPR, but that could easily change.
It could get tricky, but in theory it's possible. In the end, unless you're storing private sensitive data about EU citizens in your database, why would you care?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Very obviously you haven't even looked at it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
With blackjack and hookers?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
People you do business with don't have to be sitting in the EU when they visit your site for you to be liable.
... as long as they are EU citizens.
A EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.
Also, if you stored the shipping label to let's say...send them a package to their vacation home in Iowa, you're still liable
If all you do is Geo-fence, you're already not going to make it.
Block users and go out of business or at least cut down the operation would probably be the result.
Even businesses need a critical mass to operate and if you fall below a threshold you lose. But I suspect that most businesses will never even have a problem if they just follow the rules. The businesses that will suffer are all those pixel trackers and shit that are totally useless anyway.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Depends on how important the EU market is for them. But yeah, I expect that a lot of small companies that operate outside of the EU don't have a lot of EU customers to begin with. So their decision will be to either ignore it completely or if they give a shit block the EU from their side.
Actively locking them out of EU countries is the last resort of the EU if they do not comply in any way. Although that will probably have to happen on national basis, where every country may act in a different way.
But if that happens I'm already looking forward to the inner political backlash and shitstorms caused by infuriated EU citizens.
As a EU resident, I don't mind if companies are choosing to block EU if they can't comply with privacy rules. I'd rather not do business with those companies.
Yeah, providing a GDPR Shield service is a bit like providing a shielding service that protects your business from customers in countries where there are regulations forbidding the sale of E. Coli infected food. The customer list would be a veritable consumer’s guide to where not to shop.
Yep. Now we can only hope that more markets follow in their footsteps and make it impossible for such sites to stay in business at all. It's not like compliance is hard - just stop recording information about your visitors. Unless of course your business model depends on spying on your visitors, in which case good riddance.
Or, you know, keeping a customer's order history, so that you can provide customer service and process returns. Would you prefer that only Amazon-sized companies have the resources to be able to sell things online?
Socialism: a lie told by totalitarians and believed by fools.
They aren't protected AT ALL. Unless you want to try to invade the US to enforce your rules, you can call all the cops you want, file some diplomatic grievances, quote some EU law, and they will laugh at you.
EU people are always on about the US trying to police the world. Well, this is the EU trying to enforce their laws globally. We tell the Chinese to piss off and they have *real* power. The EU is a bunch of backwater corrupotocrats trying to replicate the USSR who have no power whatsoever, and depend on us for both endless streams of money and for subsidizing their defense (in some cases because we don't trust them to have any power themselves, Germany being a repeat offender). You have NO control and the people that are currently paying their fines are doing it semi-voluntarily - it's extortion and designed to be.
If push comes to shove, US companies will tell you to piss off and there's not one damn thing you can do about it.
I actually want this to happen. Forks are good at times and allow for improvements. Maybe the european internet can create something better than the american one.
Therein lies the problem for Europe though. What/who is going to make 'their' internet? They piggyback off Americans for pretty much all their IT. Search engines, streaming services, mobile platforms, OS'es, online retailers, and so forth.
As an example. We have a specific enumerated right in the constitution permitting us to bear arms. So I am sitting in a coffee shop in, say, Berlin, with my Navy Colt in a holster on my hip. Do you think my rights are protected?
Because since corporations write our trade agreements and GDPR is not in their best interest in terms of profit, they'll just simply write an exemption into the next one. Or they'll go to the WTO and have it struck down that way.
Anonymous Cowards generally receive no replies because you're a coward and I'm a bitch
That states when you MUST have a DPO; it does not absolve you of a DPO in all other cases.
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Nice! Let's make the lawyers even richer by paying them to defend us against the rules they wrote!
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
While you can block based on IP, this doesn't address EU citizens living abroad in non-EU countries like the US. GDPR applies to all EU citizens regardless of location.
You really think it's THAT hard to collect only permitted information, and allow customers to see exactly what you're collecting and delete it?
It may be expensive to update an existing code base, but that's fairly straight-forward for anything new. As for keeping that information reasonably secure - if you can't be bothered to spend the time and effort to do that (as most current sites can't), you have no business collecting it in the first place.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.
You argue that the law might be unenforceable for companies not having a legal presence in the EU, but assuming this to be correct, it makes the geo-fencing even more useless: why geo-fencing away users when by your assumption you can ignore EU liabilities anyway?
A EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.
No they're not. The text of the GDPR doesn't mention "citizens" even once, but it does specify the cases where it applies:
Article 3(1): This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
I.e. All European companies must comply.
Article 3(2): This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b. The monitoring of their behavior as far as their behavior takes place within the Union.
I.e. Any foreign company selling to or monitoring someone physically located in the EU—regardless of their citizenship—must comply.
Article 3(3): This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
I.e. Any foreign company who is otherwise required to comply by international law must comply.
And that's it. That's the exhaustive list. There are no other cases where it applies.
Notably absent from that list is anything even remotely resembling your claims. In fact, EU citizens traveling abroad are, generally speaking, NOT protected by the GDPR so long as they are abroad. And really, that's how it should be since it'd be wholly unenforceable in a jurisdiction outside of EU control. Jurisdictionally, it'd be no different than the US' recent, wrongful attempt to enforce its will outside its jurisdiction when it demanded that Microsoft hand over data contained in its European data centers.
So, contrary to your claim, if all a foreign company does is geofence their service, then yes, they should be just fine.
seems pretty true, at least by Germany's (the de facto leader of Europe's) own statements.
but mod it down because i hurt your feelz
have you seen my sig? there are many others like it but none that are the same
just stop recording information about your visitors. Unless of course your business model depends on spying on your visitors, in which case good riddance.
So if you for example buy something, and would like to have your purchase, oh let's say shipped to the purchaser for example, that pretty much requires recording at least some personal data!
Of course the whole point isn't really privacy, it's just the typical EU's thinly veiled protectionism.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Yep. And if I give them my credit card information, address, etc. I expect them to take reasonable security precautions with that information for as long as they retain it. (We only need to watch the headlines to know that even most major companies do no such thing) It's also not unreasonable to ask them to let me know what information they've collected about me (nor difficult for them to deliver), and to delete it all if I so request.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
It may be expensive to update an existing code base
That's rather the point, though, isn't it. Deleting your order history etc is not a feature that many of the off-the-shelf web stores have. Hopefully they will eventually, so at least new small businesses won't find it onerous to comply.
As for keeping that information reasonably secure - if you can't be bothered to spend the time and effort to do that (as most current sites can't), you have no business collecting it in the first place.
You know, I'm fine with some small mom-and-pop web store not being experts at this sort of thing. Small target for hackers anyhow. They won't be doing their own CC processing anyhow, so no worries there.
Socialism: a lie told by totalitarians and believed by fools.
This is not in any way a new thing.
GDPR is one of the dumbest things I've ever seen
That's sad to hear, Mark.
Ezekiel 23:20
I manage the CRM of a US financial institution with EU clients and there is guidance
So, how many $hundreds of thousands did some legal team charge your employer for that guidance, not to mention ongoing guidance and review?
As a EU resident... I'd rather not do business with those companies.
And you'd rather impose that "choice" on hundreds of millions of your neighbors too, since GDPR can't be waived.
How nice for you. But this is also a matter of principle.
GDPR is based on location, not citizenship. https://cybercounsel.co.uk/data-subjects/
Very unlikely that this would happen retrospectively. Also, very unlikely that the US with weak personal privacy data protections would agree to this. Especially given that data protection of this form has been around for years and years; in fact, the only place it applies in the US is when a US company is contracted to deal with data about EU citizens. This was set up to allow US companies to tender on contracts they would otherwise not be allowed to take.
Of course, not all US companies do this; they can choose to ignore the regulation but must then ignore the market. So, what you are seeing here is nothing new.
"If push comes to shove, US companies will tell you to piss off and there's not one damn thing you can do about it."
Well, other than sue the ass off their EU assets. Which they will have because we're all global these days.
The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.
You shouldn't believe everything you read online. Article 3 of the GDPR (see: page 110) specifies the "territorial scope" where the GDPR applies. While there are some details I'm glossing over, the gist of it is that the GDPR only applies when you, the company, or the target of the business is physically located in the EU. Notably, it makes no attempt at distinguishing between citizens and non-citizens, whether local or abroad, nor does it attempt to apply itself outside EU borders, except inasmuch as international law applies (e.g. reciprocal treaties, territories subject to EU member states, etc.).
So, if you're a person in Frankfurt trying to book a flight with Lufthansa, you get GDPR protection, regardless of if you're German, American, or anything else. The company is based in the EU and you're in the EU, so you get the protection.
If you're a person in New York trying to book a flight with Lufthansa, the company is still based in the EU, so you get GDPR protection, again without regard for your citizenship. This is a fact that—as an American—I am very much looking forward to, since it means that some of the benefits actually do extend to me over here.
If you're signing up for Netflix on its German-language site while in Frankfurt, you get GDPR protection. They're targeting people in the EU with their website, so they've made themselves subject to EU regulation. And again, the regulation applies, regardless of your nationality.
If you're signing up for Netflix on its English-language site while in New York, the company is neither targeting you in the EU nor is it based in the EU, so YOU DO NOT GET GDPR PROTECTION. And, as with the other examples, that's true whether you're from the EU or not.
As for what any of this has to do with geofencing, whether the GDPR applies to a foreign company boils down to whether they are targeting users located in the EU. If they engage in marketing in the EU, make their website available in the native language of an EU member state, or accept payment in Euros, those could be taken as proof that a company is targeting EU users and is subject to the GDPR. Conversely, geofencing the site to prevent users in the EU from accessing it is an effective way to proactively protect themselves from claims that they are targeting European users and should be subject to the terms of the GDPR.
All of which is to say, no, geofencing is not a misguided attempt at avoiding liability. It's actually a perfectly legal step that fully complies with the terms laid out in the GDPR. Moreover, the GDPR is completely unenforceable at a Starbucks in Iowa, not because the EU has no ability to enforce it there, but rather because the EU made no attempt to enforce it there. They respected the sovereignty of foreign regions.
I don't think Americans have some magical talent for engineering that other nations don't, despite what propaganda says. I also don't believe that capitalism magically creates amazing things that no other discipline can't. Hell, the internet itself was made with government funding.
Avantgarde Hebrew science fiction
So all I need to do to protect my privacy in the US is to VPN myself via the EU? Of course that means the NSA + GCHQ will definitely collect all my metadata. Do the NSA + GCHQ have to comply with the GDPR?
They have been sending strongly worded letters to, say, North Korea for some time. This will be precisely as effective.
You think this is new ? Ever heard of FATCA (https://www.irs.gov/businesses/corporations/foreign-account-tax-compliance-act-fatca) ?
Learn what non-US banks do to comply with US laws.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
If the site does not process relevant data, then yes, go for it.
Otherwise, no.
This sounds like a business opportunity. Some GDPR compliant EU company can have a single shipping address and the rest of a process to make EU customers anonymous to businesses outside the EU. Then, they can set up a server outside the EU and allow EU customers to anonymously shop the world. Businesses outside the EU don't have to worry about compliance and customers inside the EU will have access to products from anywhere. Plus, for the EU customers, another small delay and another fee will seem very ordinary. It won't be long before such a business will find non EU customers who prefer private shopping as well, especially when the customer data is stored in the EU, and organizations in the non-EU customer's government have to deal with delays and fees to obtain that data and de-anonymize the shopping.
You completely misread my remark. It's about people -- not banks -- and US law certainly isn't what's at issue here.
I was remarking that the poster was blithely saying that he'd prefer to not do business with certain companies and that the poster's ok with a law that rams the poster's choice down the throats of neighbors, family, countrymen...
You completely misunderstood reality.
It's about people, not banks? So banks are not run by people? And banks are not used by people, both within their country of origin and outside?
Even this EU regulation is about internet companies, not people.
US laws are not an issue here ? It is called an example, an analogy. US lawmakers imposed their choice on all US citizens : the choice of not doing business with people running any bank that does not share information about US citizens doing business with their bank. This doesn't help the US citizen at all, except securing the revenue of the US government.
EU lawmakers also imposed their choice on all citizens of the EU: to not do business with companies invading users' privacy. This actually helps citizens keep some privacy.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Anubis already demolished this claim.
Furthermore, if the TOS say that you agree not to assert certain rights against the company and your citizenship prevents you from making such a deal, then you simply can't use the service.
UNLESS you are actually a 'citizen' and subject to the EU jurisdiction, OR you have registered as an entity in their jurisdiction - just ignore it.
The EU can threaten, but as I am not part of the EU, I will continue to be free to engage with any EU citizen under the jurisdiction of MY government.
The EU wants, requests, and might get. Cannot enforce.
It's EU law, not international law.
Unless you are actually under EU jurisdiction, no nothing.
The EU is toothless and just wishing the world would do what it wants.
Perhaps the 'citizens' there should only choose to deal with those that specifically state they adhere to the GDPR.
You and I? Continue life as normal.
Though a firm outside the Union can designate an existing employee as its data protection officer, it still has to hire somebody in the Union to act as the firm's representative to customers in the Union pursuant to article 27. This service costs $2,700 per year (source), even for a business that has less than $40,000 per year of revenue from the Union.
Would you find it acceptable for a business to provide an opt-in marketing preference and charge a handling fee that's waived for customers who opt in?
Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?
The billing and shipping data themselves are enough personal data to trigger the obligations of the GDPR, including the obligation for a firm outside the Union to spend a substantial fee on designating a firm in the Union as its representative pursuant to article 27. The only payment methods I can think of that do not use personal data are cash and cryptocurrency, and the only shipping method I can think of that does not use personal data is in-store pickup.
I agree with you that the DPO requirement is not nearly as onerous as the requirement under article 27 for firms outside the Union to hire a representative within the Union. But article 27 alone is enough to warrant use of GDPR Shield if a firm doesn't do enough business with individuals in the Union to cover the cost of an article 27 representative service.
I don't see how to simultaneously "stop recording information about your visitors" and record the fact that your visitors purchased a product and expect it to be shipped to their door.