Making a Woocommerce website GDPR compliant

12 April 2018

Woocommerce website GDPR compliance.

As web development specialists, one of the questions that we’re frequently asked is how do I make my website GDPR Compliant?

We all know that the EU General Data Protection Regulation (GDPR) will come into force on the 25th May 2018.

So, the main question is: what changes do we need to make on our WooCommerce website to become compliant? And another important query might be: how does GDPR affect non-European WooCommerce websites?

In this article, I will tell you EXACTLY what you need to do. There are a million articles and plugins on WordPress GDPR compliance, but there is no “ultimate” blog that tells you what you should be doing.

If you don’t know what GDPR is or need a good refresher, read Wikipedia’s GDPR page or the “Introduction to GDPR Compliance for WooCommerce Stores” on the official WooCommerce blog.

We don’t particularly care about GDPR itself here; what we want to know is what needs to be done to make a WooCommerce website GDPR compliant. The same practice applies to Joomla, HTML5 and any other type of website that you may be operating.

So, let’s see what changes you’re required to make.

Please note: I’m not a lawyer and cannot guarantee this article is going to make you 100% compliant – make sure to assess your GDPR compliance with a qualified consultant.

WooCommerce GDPR Compliance

To be GDPR compliant, you will need to audit your WooCommerce website and marketing procedures.

Please note: EU GDPR will affect businesses both inside and outside of the EU. Any non-EU company dealing with EU customers will have to comply with the GDPR.

To achieve full compliance by the end of May 2018, WooCommerce businesses will need to:

  1. Tell the user who you are, what data you collect, why you collect the data, for how long you retain it and which third parties receive it (if any)
  2. Get a clear consent before collecting any data
  3. Let users access their data
  4. Let users download their data
  5. Let users delete their data
  6. Let users know if a data breach has occurred

If you don’t strictly adhere to these rules, you can be fined up to €20 million or 4% of your worldwide annual turnover, whichever is greater.

Now, this is good to know, but the most important question is: what changes am I required to do on my WordPress/WooCommerce website, or for that matter any other website?

Well, let’s look at GDPR in plain English and in “WordPress” terms: the 6 rules outlined above will have implications on:

  • WooCommerce Terms & Conditions (Checkout page)
  • WooCommerce Privacy Policy (Checkout page)
  • WooCommerce User registration (My Account page)
  • WooCommerce Cart Abandonment (Checkout page)
  • WooCommerce product reviews (Single Product page)
  • WordPress comments (Blog pages)
  • WordPress & WooCommerce opt-in forms (Newsletter, Lead magnets, etc.)
  • WordPress contact forms (Contact Us page, widgets, etc.)
  • WooCommerce analytics Google Analytics etc.
  • WordPress and WooCommerce Plugins & APIs (Payments, Email marketing, etc.)
  • Breach notifications

That’s a huge amount of work, but given I must do it for lbfl Consultancy, I thought why not share it with you too? There are 12 GDPR compliance steps that I’m going to take, which are the same 12 that any WooCommerce store owner or website developer should work on. These are:

Step 1: WooCommerce Terms & Conditions

What is the difference between a Privacy Policy and Terms and Conditions? The Privacy Policy is there to inform the user about the data you gather, while the Terms and Conditions (also called T’s&C’s, Terms of Service or ToS) include the legal terms and rules that bind the customer to your business.

Therefore, while the biggest changes will need to be done on your Privacy Policy (as well as showing this everywhere, see following paragraph), you should also amend your T&C page regarding the new GDPR terminology and the gathering of customer data from the WooCommerce checkout.

In our opinion, it is sufficient to add a paragraph to your ToS that links to the revised Privacy Policy, and therefore to the whole personal data usage document.

If you have no T&C page at all, you can use one of the online generators (search for “terms and conditions generator” or “terms and conditions template”), or alternatively copy the T&C page from other websites (remember to change the words).

Needless to say – you need a T&C page now and also a checkout checkbox that users must click (it cannot be “checked” by default).

Step 2: WooCommerce Privacy Policy

Your Privacy Policy page is the one that requires a lot of editing and copywriting. On top of this, we will need to show the Privacy Policy opt-in message on the checkout page and other places, such as contact forms and opt-in forms.

Regarding the Privacy Policy page content, you must inform the user about the data you collect, store and use.

You will need to cover the following:

  • who you are (company, address, etc)
  • what data you collect (IP addresses, name, email, phone, address, etc)
  • for what reason you collect the data (invoicing, tracking, email communication, etc)
  • for how long you retain it (e.g. you keep invoices for 6 years for accounting purposes)
  • which third parties receive it (MailChimp, Google, CRM, etc)
  • how to download data (either automatically or by emailing the Data Protection Officer)
  • how to delete data (either automatically or by emailing the Data Protection Officer)
  • how to get in touch with you for data-related issues (the contact details of the assigned Data Protection Officer, probably you)

Now that you’ve written your Privacy Policy, you need to show this on every page of the website (a link in the footer would do) and on top of that, a privacy policy link on any opt-in or checkout form.

As far as I know, users do not need to actively “check” or “agree” to the Privacy Policy (unlike the T&C), so you can just show a message. This concludes the Privacy Policy work.

Step 3: WooCommerce User Registration

Ok, now that you got a little more familiar with the GDPR, we’ll fly through the next WooCommerce website changes.

As this is personal data, we need to show the Privacy Policy message on the frontend, similarly to what we’ve done on the checkout page.

Also remember only to collect information you require to run your business.

You’ll need a snippet that allows you to add content to the WooCommerce My Account register form. The hook you attach to decides where the content appears: “woocommerce_register_form_start” places it above the fields, while “woocommerce_register_form_end” positions your HTML below the register button.

To-do list:

  • Double check if you have enabled My Account registrations
  • If yes, add a Privacy Policy message in the registration form
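The following snippet is an added example, not code from the original post or from WooCommerce itself. It hooks `woocommerce_register_form_end` as described above to show a privacy notice with an unticked consent checkbox, and then enforces the consent server-side with the `woocommerce_register_post` action, because a checkbox the browser renders can always be skipped by a crafted request. The `lbfl_` function names and the `/privacy-policy/` path are placeholders to adapt.

```php
<?php
/**
 * Added example (not from the original post): privacy notice plus an
 * unticked consent checkbox on the WooCommerce My Account register form,
 * enforced server-side so a missing checkbox still blocks registration.
 * Assumptions: the "lbfl_" names and the /privacy-policy/ path are
 * placeholders; drop this into a theme's functions.php or a small plugin.
 */

// Output the notice and checkbox below the "Register" button
// (woocommerce_register_form_start would place it above the fields).
add_action( 'woocommerce_register_form_end', 'lbfl_register_privacy_consent_field' );
function lbfl_register_privacy_consent_field() {
    $privacy_url = esc_url( home_url( '/privacy-policy/' ) ); // placeholder path
    ?>
    <p class="form-row form-row-wide">
        <label for="lbfl_privacy_consent">
            <!-- No "checked" attribute: a pre-ticked box is not valid consent -->
            <input type="checkbox" name="lbfl_privacy_consent" id="lbfl_privacy_consent" value="1" />
            <?php
            printf(
                /* translators: %s: link to the privacy policy */
                esc_html__( 'I have read the %s and agree to my personal data being processed to create and manage my account.', 'lbfl' ),
                '<a href="' . $privacy_url . '" target="_blank" rel="noopener">' . esc_html__( 'Privacy Policy', 'lbfl' ) . '</a>'
            );
            ?>
        </label>
    </p>
    <?php
}

// Reject the registration when the box was not ticked. The browser-side
// checkbox alone is not enough: the POST request can omit the field.
add_action( 'woocommerce_register_post', 'lbfl_validate_register_privacy_consent', 10, 3 );
function lbfl_validate_register_privacy_consent( $username, $email, $validation_errors ) {
    if ( empty( $_POST['lbfl_privacy_consent'] ) ) {
        $validation_errors->add(
            'privacy_consent_error',
            __( 'Please accept the Privacy Policy to create an account.', 'lbfl' )
        );
    }
}

// Keep a record of when consent was given: GDPR accountability means
// being able to show that the user actually agreed.
add_action( 'woocommerce_created_customer', 'lbfl_record_register_privacy_consent' );
function lbfl_record_register_privacy_consent( $customer_id ) {
    if ( ! empty( $_POST['lbfl_privacy_consent'] ) ) {
        update_user_meta( $customer_id, 'lbfl_privacy_consent_at', current_time( 'mysql', true ) );
    }
}
```

The stored timestamp is user meta, so it is exported or erased together with the account when the user exercises the access or deletion rights listed at the top of the article.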

Step 4: WooCommerce Cart Abandonment

This is MOST IMPORTANT, and we almost overlooked it. It heavily affects WooCommerce functionality. Cart Abandonment plugins collect email addresses without consent. In fact, when a user is on the checkout page and enters their email address without completing the payment, they have had “no time” to tick and accept the Terms and Conditions or read the Privacy Policy. This flies in the face of GDPR, which requires explicit consent (i.e. ticking a box). I expect that the major Cart Abandonment plugins (YITH and Jilt) are already working on this and will provide you with a workaround to comply with GDPR.

Either way, we may need to add a privacy policy link or something below the WooCommerce Checkout billing email address field. Here are our thoughts…

A possible solution for GDPR-compliant cart abandonment plugins

To add the required HTML content, we simply edited the “billing_email” checkout field label by using a default WooCommerce filter. There are WooCommerce tutorials that show you how to do this. Alternatively, you could “disable guest checkouts” in the WooCommerce settings, which is a bad idea for conversion rate but a very good one for GDPR.
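As an added example (not the original post’s code), this is how the label edit described above can be done with the `woocommerce_checkout_fields` filter, together with a second filter, `woocommerce_terms_is_checked_default`, that guarantees the T&C checkbox from Step 1 is never pre-ticked. The `lbfl_` names, the `/privacy-policy/` path and the wording of the notice are placeholders to adapt to your own policy.

```php
<?php
/**
 * Added example (not from the original post): two checkout tweaks for the
 * cart-abandonment problem described above.
 *  1. Append a short privacy notice to the billing e-mail label, so the
 *     user sees how the address will be used before typing it (abandonment
 *     plugins read it as soon as it is entered, before the T&C box is ticked).
 *  2. Make sure the Terms & Conditions checkbox is never checked by default.
 * Assumptions: "lbfl_" names, the /privacy-policy/ path and the notice text
 * are placeholders.
 */

add_filter( 'woocommerce_checkout_fields', 'lbfl_billing_email_privacy_label' );
function lbfl_billing_email_privacy_label( $fields ) {
    if ( isset( $fields['billing']['billing_email'] ) ) {
        $privacy_url = esc_url( home_url( '/privacy-policy/' ) ); // placeholder path

        // WooCommerce prints the field label as HTML, so a link can go here.
        // Only our own literal markup is added; the visible text is escaped.
        $fields['billing']['billing_email']['label'] .= sprintf(
            ' <small class="lbfl-privacy-note">%s</small>',
            sprintf(
                /* translators: %s: privacy policy link */
                esc_html__( 'Used to process your order and to send a reminder if you leave before paying. See our %s.', 'lbfl' ),
                '<a href="' . $privacy_url . '" target="_blank" rel="noopener">' . esc_html__( 'Privacy Policy', 'lbfl' ) . '</a>'
            )
        );
    }
    return $fields;
}

// The T&C checkbox stays unchecked on every page load, whatever a theme
// or another snippet tries to set: a pre-ticked box is not consent.
add_filter( 'woocommerce_terms_is_checked_default', '__return_false' );
```

Note that this only informs the shopper before the address is captured; whether the abandonment plugin itself may send a reminder still depends on the plugin obtaining consent, which is why the text above points to the plugin vendors.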

Step 5: WooCommerce Product Reviews

In ecommerce, they really matter! Of course, reviews contain personal data, so you need user consent.

The best way to avoid this “consent” step is to allow only logged-in customers who purchased the product to leave a review. This is a great compromise, since those customers will already be aware of your T&C and Privacy Policy, so nothing will need to be added to the product review form if they’re logged in. If you choose to allow reviews from non-logged-in, non-purchaser users, that’s another story.

Step 6: WordPress Comments – BLOG & PAGES

If your WordPress pages and posts have comments enabled then you’re facing another GDPR compliance issue.

Users are usually prompted to enter their name, email address and website URL together with their message, without needing to register an account. This information is then stored in the WordPress Dashboard (Comments), in the WordPress single pages and single posts (Edit Post > Comments) and of course in your WordPress database. Once again the solution is relatively simple: you will need to add a consent message in the “Leave a comment” form.
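One way to add that consent message, as an added example rather than code from the original post: the `comment_form_default_fields` filter adds a checkbox to the fields that WordPress only shows to visitors who are not logged in, and the `preprocess_comment` filter refuses to save the comment when the box is missing. The `lbfl_` names and the `/privacy-policy/` path are placeholders.

```php
<?php
/**
 * Added example (not from the original post): consent checkbox on the
 * WordPress "Leave a comment" form, enforced before the comment is saved.
 * Assumptions: "lbfl_" names and the /privacy-policy/ path are placeholders.
 */

// Add the checkbox next to the name / email / website fields. WordPress
// renders these fields only for visitors who are not logged in; logged-in
// users already agreed to the policies when they registered.
add_filter( 'comment_form_default_fields', 'lbfl_comment_privacy_consent_field' );
function lbfl_comment_privacy_consent_field( $fields ) {
    $privacy_url = esc_url( home_url( '/privacy-policy/' ) ); // placeholder path
    $fields['lbfl_privacy_consent'] = sprintf(
        '<p class="comment-form-privacy-consent">'
        . '<input id="lbfl_privacy_consent" name="lbfl_privacy_consent" type="checkbox" value="1" /> '
        . '<label for="lbfl_privacy_consent">%s</label></p>',
        sprintf(
            /* translators: %s: privacy policy link */
            esc_html__( 'I agree to my name, e-mail address and comment being stored as described in the %s.', 'lbfl' ),
            '<a href="' . $privacy_url . '">' . esc_html__( 'Privacy Policy', 'lbfl' ) . '</a>'
        )
    );
    return $fields;
}

// Block the submission server-side when the box is missing; a client-side
// "required" attribute alone can be bypassed.
add_filter( 'preprocess_comment', 'lbfl_require_comment_privacy_consent' );
function lbfl_require_comment_privacy_consent( $commentdata ) {
    // Pingbacks and trackbacks never carry the checkbox; leave them alone.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( ! in_array( $type, array( '', 'comment' ), true ) ) {
        return $commentdata;
    }
    if ( is_user_logged_in() ) {
        return $commentdata;
    }
    if ( empty( $_POST['lbfl_privacy_consent'] ) ) {
        wp_die(
            esc_html__( 'Please accept the Privacy Policy before posting a comment.', 'lbfl' ),
            esc_html__( 'Consent required', 'lbfl' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
}

// Store when consent was given alongside the comment, so you can show it.
add_action( 'comment_post', 'lbfl_record_comment_privacy_consent' );
function lbfl_record_comment_privacy_consent( $comment_id ) {
    if ( ! empty( $_POST['lbfl_privacy_consent'] ) ) {
        add_comment_meta( $comment_id, 'lbfl_privacy_consent_at', current_time( 'mysql', true ), true );
    }
}
```

Because the timestamp is comment meta, it is removed with the comment when a user’s data is deleted, which keeps the “let users delete their data” rule satisfied without extra clean-up code.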

Step 7: WordPress & WooCommerce Opt-in Forms

An opt-in form is a contact form where users enter their name and email address (usually) to join your email marketing list (or database of contacts).

You must remove all automatic opt-ins on your site. All checkboxes must be unchecked by default (a checkbox that is “checked” by default cannot imply acceptance under the GDPR). Besides that, are you passing those details to third parties or other partners? Either way, users must:

  • Consent.
  • Understand why their personal data is needed (“Enter your email address to receive our weekly newsletter”).
  • Supply you with only the relevant data (to join your newsletter, you don’t need to ask for a date of birth, unless you want to send them a gift on their birthday! In that case, you’ve got to make it clear WHY you want that piece of personal data).

And you must:

  • Know how to delete/download the data at any time.
  • Know how to let subscribers opt out.

Usually, an opt-in form is tied to specific software, e.g. Mailchimp. In this case, Mailchimp should be providing the “revised”, GDPR-compliant opt-in form in an upcoming plugin release.

Whoever you send that email address to, make sure they are reliable and that they are actively working on HELPING you become GDPR-ready.

To-do list:

  • Review all your opt-in forms
  • See if your opt-in form provider has a GDPR solution
  • If not, add privacy policy consent

Step 8: WordPress Contact Forms

Many of us use third-party plugins on our Contact Us pages and other WordPress pages. These forms now require consent.

Simply put, you should add a checkbox (easy to do with most form plugins) close to the “Submit” button, to make sure users are agreeing to your Privacy Policy.

Step 9: WooCommerce Analytics

Whether you use Google Analytics, Bing, etc, you’re capturing user data and using cookies without consent. The same rules apply to Google AdWords, Facebook, Twitter,… the list is endless. The best thing to do in this case is to check each provider’s GDPR policy, because THEY are collecting the data and not YOU.

“Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics” – I took this quote from a good article I found on Medium called “Google Analytics and GDPR Compliance”.

To-do list:

  • Use only reliable tracking software.
  • Ask software providers how they’re handling the data.
  • Add to your Privacy Policy who handles your tracking data.
  • If in doubt, seek an alternative provider/method.

Step 10: WordPress and WooCommerce Plugins

This is extremely important, and really easy to deal with. Ask yourself whether:

Does plugin _____ get, read, store, use, edit, handle or access user personal data?

If the answer is yes:

  • Is it a reliable plugin?
  • Is the plugin GDPR ready?
  • Ensure that you add the plugin to the list of “third parties” that get access to data in your Privacy Policy

To-do list:

  • Is the plugin GDPR compliant?
  • Select GDPR compliant plugins
  • Replace non-compliant plugins

Step 11: WordPress and WooCommerce APIs

We already mentioned this before, but “API” covers a lot of different applications. An external API can be absolutely anything. An API (Application Programming Interface) is basically “something” that allows you to access external software without ever leaving your website.

Here are a few examples:

  • Visitors can join your Mailchimp list without ever leaving your website – Mailchimp API.
  • Visitors can checkout using SagePay API without leaving your website.

Facebook, Twitter, or any kind of third party software can provide you with APIs. These APIs connect your WooCommerce store to the outside world, passing data to them – possibly private, personal user data.

You should be at least aware and know:

  • Which APIs you use.
  • The data sent via these APIs.
  • That the API is GDPR compliant (there could be an issue with Facebook!)

As before, you must add the details of APIs that handle user data to your Privacy Policy.

To-do list:

  • Audit all your APIs.
  • Discard APIs that are not GDPR compliant.

Step 12: Breach Notifications

If your website experiences a data breach this needs to be immediately communicated to those users affected by the breach in order to comply with GDPR. A notification must be sent to those affected within 72 hours.

In addition to this, you will need to have a security data breach response plan and process in place.

To-do list:

  • Secure your WordPress/WooCommerce website please! Ideally you need to use an SSL certificate, irrespective of whether or not your payments are handled on or off site by a third-party payment gateway.
  • Subscribe to all your third-party software / API providers so that you are immediately made aware of any data breach that affects your users or website subscribers.
  • Reduce the amount of data you store, and ensure that it is backed up and securely stored, preferably offline.
  • Have a data breach emergency plan ready to be actioned in case of a data breach.


Next steps

Don’t wait! Act now to ensure that your website is fully GDPR compliant.

We would recommend completing steps 1-12 for your WooCommerce website (or ordinary website) and seeking some legal advice, whether or not you’re based in the EU. At the very least, make sure to use only GDPR-compliant plugins and APIs, and write your Privacy Policy.