WooCommerce website GDPR compliance.
As web development specialists, one of the questions that we’re frequently asked is how do I make my website GDPR Compliant?
We all know that the EU General Data Protection Regulation (GDPR) will come into force on the 25th May 2018.
So, the main question is: what changes do we need to make on our WooCommerce website to become compliant? And another important query might be: how does GDPR affect non-European WooCommerce websites?
In this article, I will tell you EXACTLY what you need to do. There are a million articles and plugins on WordPress GDPR compliance, but there is no “ultimate” blog that tells you what you should be doing.
If you don’t know what GDPR is or need a good refresher, read Wikipedia’s GDPR page or the “Introduction to GDPR Compliance for WooCommerce Stores” on the official WooCommerce blog.
I don’t particularly care about GDPR itself; I just want to know what I need to do to make my WooCommerce website GDPR compliant. The same practice applies to Joomla, HTML5 and any other type of website you may be operating.
So, let’s see what changes you’re required to make.
Please note: I’m not a lawyer and cannot guarantee this article is going to make you 100% compliant – make sure to assess your GDPR compliance with a qualified consultant.
WooCommerce GDPR Compliance
To be GDPR compliant, you will need to audit your WooCommerce website and marketing procedures.
Please note: EU GDPR will affect businesses both inside and outside of the EU. Any non-EU company dealing with EU customers will have to comply with the GDPR.
To achieve full compliance by the end of May 2018, WooCommerce businesses will need to:
- Tell the user who you are, what data you collect, why you collect the data, for how long you retain it and which third parties receive it (if any)
- Get a clear consent before collecting any data
- Let users access their data
- Let users download their data
- Let users delete their data
- Let users know if a data breach has occurred
If you don’t strictly adhere to these rules, you can be fined up to €20 million or 4% of your worldwide annual turnover, whichever is greater.
Now, this is good to know, but the most important question is: what changes am I required to do on my WordPress/WooCommerce website, or for that matter any other website?
Well, let’s look at GDPR in plain English and in “WordPress” terms: the six rules outlined above have implications for:
- WooCommerce Terms & Conditions (Checkout page)
- WooCommerce User registration (My Account page)
- WooCommerce Cart Abandonment (Checkout page)
- WooCommerce product reviews (Single Product page)
- WordPress comments (Blog pages)
- WordPress & WooCommerce opt-in forms (Newsletter, Lead magnets, etc.)
- WordPress contact forms (Contact Us page, widgets, etc.)
- WooCommerce analytics (Google Analytics, etc.)
- WordPress and WooCommerce Plugins & APIs (Payments, Email marketing, etc.)
- Breach notifications
That’s a huge amount of work, but given that I must do it for lbfl Consultancy, I thought: why not share it with you too? There are 12 GDPR compliance steps that I’m going to take, and they are the same 12 that any WooCommerce store owner or website developer should work on. These are:
Step 1: WooCommerce Terms & Conditions
If you have no T&C page at all, you can use some of the online generators (google “terms and conditions generator” or “terms and conditions template”), or alternatively copy the T&C page from other websites (remember to change the words).
Needless to say – you need a T&C page now and also a checkout checkbox that users must click (it cannot be “checked” by default).
You will need to cover the following:
- who you are (company, address, etc)
- what data you collect (IP addresses, name, email, phone, address, etc)
- for what reason you collect the data (invoicing, tracking, email communication, etc)
- for how long you retain it (e.g. you keep invoices for 6 years for accounting purposes)
- which third parties receive it (MailChimp, Google, CRM, etc)
- how to download data (either automatically or by emailing the Data Protection Officer)
- how to delete data (either automatically or by emailing the Data Protection Officer)
- how to get in touch with you for data-related issues (the contact details of the assigned Data Protection Officer, probably you)
Step 3: WooCommerce User Registration
OK, now that you’re a little more familiar with the GDPR, we’ll fly through the next WooCommerce website changes.
Also remember only to collect information you require to run your business.
You’ll need a snippet that adds content to the WooCommerce My Account registration form. Change the “hook” it attaches to: instead of “woocommerce_register_form_start”, use “woocommerce_register_form_end” so that your HTML is positioned below the Register button.
- Double-check that you have enabled My Account registrations
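The registration snippet described above, written out as an added example (not code from the original article): an unchecked consent checkbox hooked on “woocommerce_register_form_end”, rejected server-side if it is not ticked, and a timestamp stored against the new customer. The “lbfl_” prefix, the meta key and the wording are assumptions.

```php
<?php
// Added example, not code from the original article: an unchecked GDPR consent
// checkbox on the WooCommerce My Account registration form, enforced server-side.
// The "lbfl_" prefix, the meta key and the wording are assumptions.

// Render the checkbox below the Register button (woocommerce_register_form_end).
add_action( 'woocommerce_register_form_end', 'lbfl_register_consent_field' );
function lbfl_register_consent_field() {
    ?>
    <p class="form-row">
        <label for="gdpr_consent">
            <!-- Never add the "checked" attribute: a pre-ticked box is not consent. -->
            <input type="checkbox" name="gdpr_consent" id="gdpr_consent" value="1" />
            <?php
            printf(
                /* translators: %s: link to the privacy policy page */
                esc_html__( 'I consent to my personal data being stored and processed as described in our %s.', 'lbfl' ),
                '<a href="' . esc_url( get_privacy_policy_url() ) . '">' . esc_html__( 'privacy policy', 'lbfl' ) . '</a>'
            );
            ?>
        </label>
    </p>
    <?php
}

// Reject the registration when the box was not ticked. Checking on the server
// means the consent step cannot be skipped by editing the form in the browser.
add_action( 'woocommerce_register_post', 'lbfl_register_consent_validate', 10, 3 );
function lbfl_register_consent_validate( $username, $email, $validation_errors ) {
    if ( empty( $_POST['gdpr_consent'] ) ) {
        $validation_errors->add(
            'gdpr_consent_error',
            __( 'You must agree to our privacy policy to create an account.', 'lbfl' )
        );
    }
}

// Record when consent was given, so it can be shown, exported or erased later
// alongside the rest of the customer's data (Steps "access", "download", "delete").
add_action( 'woocommerce_created_customer', 'lbfl_register_consent_save' );
function lbfl_register_consent_save( $customer_id ) {
    if ( ! empty( $_POST['gdpr_consent'] ) ) {
        update_user_meta( $customer_id, 'gdpr_consent_given_at', current_time( 'mysql', true ) );
    }
}
```

Drop this into a small site-specific plugin or your child theme’s functions.php; WooCommerce verifies the registration nonce before either hook fires.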
Step 4: WooCommerce Cart Abandonment
A possible solution for GDPR-compliant cart abandonment plugins:
Cart abandonment plugins capture the email address as soon as it is typed into the checkout, before any order is placed, so that field needs consent wording of its own. To add the required HTML content, we simply edited the “billing_email” checkout field label using a default WooCommerce filter. There are WooCommerce tutorials that show you how to do this. Alternatively, you could “disable guest checkouts” in the WooCommerce settings, which is bad for your conversion rate but very good for GDPR.
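The “billing_email” label edit mentioned above, as an added example (not code from the original article). The filter name is WooCommerce’s own; the “lbfl_” prefix, the wording and the use of the field’s description slot are assumptions.

```php
<?php
// Added example, not code from the original article: consent wording next to the
// checkout "billing_email" field, which cart-abandonment plugins read as soon as it
// is typed. The "lbfl_" prefix and the text are assumptions.
add_filter( 'woocommerce_checkout_fields', 'lbfl_billing_email_consent_label' );
function lbfl_billing_email_consent_label( $fields ) {
    if ( isset( $fields['billing']['billing_email'] ) ) {
        // Keep the label short and put the notice in the field description,
        // which WooCommerce renders directly under the input.
        $fields['billing']['billing_email']['label']       = __( 'Email address', 'lbfl' );
        $fields['billing']['billing_email']['description'] = sprintf(
            /* translators: %s: link to the privacy policy page */
            __( 'We may email you about this order, including if you leave before paying. See our %s.', 'lbfl' ),
            '<a href="' . esc_url( get_privacy_policy_url() ) . '">' . __( 'privacy policy', 'lbfl' ) . '</a>'
        );
    }
    return $fields;
}
```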
Step 5: WooCommerce Product Reviews
In ecommerce, they really matter! Of course, reviews contain personal data, so you need user consent.
Step 6: WordPress Comments – BLOG & PAGES
If your WordPress pages and posts have comments enabled then you’re facing another GDPR compliance issue.
Users are usually prompted to enter their name, email address and website URL together with their message without the need to register an account. This information is then stored within the WordPress Dashboard (Comments), WordPress single pages and single posts (Edit Post > Comments) and of course in your WordPress Database. Once again the solution is relatively simple – you will need to add a consent message in the “Leave a comment” form.
Step 7: WordPress & WooCommerce Opt-in Forms
An opt-in form is a contact form where users enter their name and email address (usually) to join your email marketing list (or database of contacts).
You must remove all automatic opt-ins on your site. No checkbox may be checked by default (under GDPR a pre-ticked checkbox cannot imply consent). Besides that, are you passing those details to third parties or other partners? Either way, users must:
- Understand why their personal data is needed (“Enter your email address to receive our weekly newsletter”).
- Supply you with only the data that is relevant (to join your newsletter, you don’t need to ask for a date of birth unless you want to send them a gift on their birthday! In that case, you’ve got to make it clear WHY you want that piece of personal data).
- And you, in turn, need to know how to delete/download their data at any time.
- You need to know how to let subscribers opt out.
Usually, an opt-in form is tied to a specific service, e.g. Mailchimp. In this case, Mailchimp should be providing the “revised”, GDPR-compliant opt-in form in an upcoming plugin release.
Whoever you send that email address to, make sure they are reliable and that they are actively working on HELPING you become GDPR-ready.
- Review all your opt-in forms
- See if your opt-in form provider has a GDPR solution
Step 8: WordPress Contact Forms
Many of us use third-party plugins on our Contact Us pages and other WordPress pages. These forms now require consent.
Step 9: WooCommerce Analytics
Whether you use Google Analytics, Bing, etc, you’re capturing user data and using cookies without consent. The same rules apply to Google AdWords, Facebook, Twitter,… the list is endless. The best thing to do in this case is to check each provider’s GDPR policy, because THEY are collecting the data and not YOU.
“Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics” – I took this quote from a good article I found on Medium called “Google Analytics and GDPR Compliance“.
- Use only reliable tracking software.
- Ask software providers how they’re handling the data.
- If in doubt, seek an alternative provider/method.
Step 10: WordPress and WooCommerce Plugins
This is extremely important, and really easy to deal with. Ask yourself:
Does plugin _____ get, read, store, use, edit, handle or otherwise access users’ personal data?
If the answer is yes:
- Is it a reliable plugin?
- Is the plugin GDPR ready?
- Is the plugin GDPR compliant?
- Select GDPR compliant plugins
- Replace non-compliant plugins
Step 11: WordPress and WooCommerce APIs
We already mentioned this before, but “API” covers a lot of different applications. An external API can be absolutely anything. An API (Application Programming Interface) is basically “something” that allows you to access an external piece of software without ever leaving your website.
Here are a few examples:
- Visitors can join your Mailchimp list without ever leaving your website – Mailchimp API.
- Visitors can checkout using SagePay API without leaving your website.
Facebook, Twitter, or any kind of third party software can provide you with APIs. These APIs connect your WooCommerce store to the outside world, passing data to them – possibly private, personal user data.
You should be at least aware and know:
- Which APIs you use.
- What data is sent via these APIs.
- That the API is GDPR compliant (there could be an issue with Facebook!)
- Audit all your APIs.
- Discard APIs that are not GDPR compliant.
Step 12: Breach Notifications
If your website experiences a data breach, it needs to be communicated immediately to the users affected by the breach in order to comply with GDPR. A notification must be sent to those affected within 72 hours.
In addition to this, you will need to have a security data breach response plan and process in place.
- Secure your WordPress/WooCommerce website, please! Ideally you need to use an SSL certificate, irrespective of whether or not your payments are handled on or off site by a third-party payment gateway.
- Subscribe to all your third-party software / API providers so that you are immediately made aware of any data breach that affects your users or website subscribers.
- Reduce the amount of data you store, and ensure that it is backed up and securely stored, preferably offline.
- Have a data breach emergency plan ready to be actioned in case of a data breach.
Don’t wait! Act now to ensure that your website is fully GDPR compliant.