Have you taken all possible measures to make your WooCommerce website GDPR ready?

Doing business on the web with a European target audience legally obliges you to comply with the General Data Protection Regulation (GDPR), the EU’s extensive and comprehensive data protection law.

You may already know about it. But the question is, have you taken all possible measures to make your WooCommerce website GDPR ready?

So this article is intended for WooCommerce website owners who are looking to make their store GDPR-ready.

In this post, you’ll walk through a brief overview of the GDPR, the need of becoming adherent to the law, and finally, the steps that help prepare your WooCommerce store for GDPR compliance.

GDPR — Explained in brief

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect across the European Union. The law comprises a set of rules aimed at providing strong protection for the personal data of people in the EU.

GDPR applies to businesses regardless of their physical location — your business is subject to the GDPR if it handles the data of people in the EU in any manner.

The violators of the GDPR can be fined up to €20 million or 4% of their organization’s annual global turnover of the previous fiscal year — whichever is higher.

Why do you need to prepare your WooCommerce store for GDPR?

The data collection in your WooCommerce store can happen in various forms. When a user signs up in your store, you’d usually ask for their personal information such as name, email address, contact number, etc.

When they enter the checkout stage, you will have to gather their card details or any other type of payment data to process their order.

Besides these, you might collect the users’ personal data for analytics or various other purposes including targeted advertising.

All these activities can give rise to serious privacy concerns among your store users — to address these growing concerns, you must prepare your store to function in line with the GDPR.

When customers see that your business complies with the GDPR, they feel that their data and privacy are valued. This builds trust, and customers who trust you tend to stay loyal to you.

Steps to make your WooCommerce store GDPR compliant

If you are a WooCommerce retailer aiming for business success, you need to give data privacy laws the same importance as the rest of your business activities.

So check out these important steps that will help make your store comply with the GDPR standards.

1. Update your WooCommerce store

In the first place, check whether you have the most recent version of WordPress and WooCommerce. If not, you need to update them immediately, because the latest versions of WordPress and WooCommerce have introduced new features and tweaks that will help you on your path towards GDPR compliance.

The latest WooCommerce version includes GDPR features such as:

  • personal data export;
  • personal data erasure;
  • data retention settings;
  • showing policy notices on the checkout page;
  • avoiding unnecessary data collection by making specific checkout form fields ‘hidden’ or ‘optional’; and
  • bulk anonymization of order data.

You will come to know more about these later in this article.

Note: Always keep a working backup of your website before testing updates. Also, consider testing the updates on a development site prior to updating your live site.

2. Secure your WooCommerce website

Securing your online store involves several factors — upgrading the website to HTTPS, selecting a reliable hosting provider, implementing a firewall to prevent unauthorized access, making your website PCI DSS compliant to secure the users’ credit/debit card data, and so forth.

Among these, securing your WooCommerce store with HTTPS is the most crucial factor. You need to install an SSL/TLS certificate on your website to serve it over HTTPS.


3. Add a link to your Privacy Policy on your store

A Privacy Policy page is an important requirement under the GDPR. While creating a Privacy Policy, make sure you incorporate all the necessary details regarding your data collection practices.

To comply with the terms of GDPR, you may include the following information on your Privacy Policy document.

  • The types of data that you collect from the users.
  • How you collect the data.
  • How the data will be stored and the time period it will be retained.
  • With whom the data will be shared.
  • Details about the types of cookies you use and how they are managed.
  • Your contact information.
  • Changes to the Privacy Policy.

To create a Privacy Policy page:

Step 1: Log in to your WordPress dashboard > Go to Pages > Click Add New.
Step 2: Create a Privacy Policy document > Click Publish to publish the page.


To display your Privacy Policy link on your WooCommerce store:

Step 1: Navigate to WooCommerce > Settings.


Step 2: Select the Accounts & Privacy tab.

2.1: Scroll down to Privacy policy.
2.2: Click on the dropdown bar next to Privacy page > Select the Privacy Policy document that you have created from the dropdown list.
2.3: Make sure you have added the WooCommerce shortcode [privacy_policy] in your Registration privacy policy and Checkout privacy policy — this will enable you to display your Privacy Policy link on your account registration form as well as the checkout form.
2.4: Click on Save changes to save all your settings.

Note: The [privacy_policy] shortcode inserts a link to your Privacy Policy page.


4. Obtain user consent for the use of tracking cookies

If your WooCommerce store uses tracking cookies (for example, third-party cookies) or similar tracking mechanisms to collect users’ personal data, you need to get the users’ consent before obtaining and processing their data.

The best way to collect and manage user consent is to add a cookie banner to your website. An ideal cookie consent banner would include:

  • a quick description of the cookie usage of a particular website;
  • an ‘Accept’ button — to enable users to opt into the cookie usage of that website;
  • a ‘Reject’ button — to help users opt-out of the website’s use of cookies;
  • a link to “cookie preferences” or “cookie settings” of the website — to let the users selectively allow/deny specific cookie categories;
  • links to the organization’s Privacy Policy and Cookie Policy pages.

Note: A separate Cookie Policy page is not a requirement under the GDPR. However, you need to incorporate your cookie usage policies in your Privacy Policy document.

Now, let’s see how you could create a cookie consent banner and display it on your WooCommerce website. To do this, you could either use:

  • a suitable plugin; or
  • the WooCommerce Store Notice feature.

Create and manage cookie consent using a WordPress plugin

Being a WooCommerce store owner, you could go for a good plugin like the “GDPR Cookie Consent” to implement a cookie consent banner or a cookie notice pop-up for your website.

This is the most widely used GDPR-ready WordPress plugin for implementing and managing cookie consents. The plugin lets you:

  • add a fully customizable cookie banner to your WooCommerce store’s header or footer;
  • categorize cookies as necessary/non-necessary;
  • make your consent banner multilingual with WPML or qTranslate;
  • and much more.

The GDPR Cookie Consent Premium Plugin provides yet more useful features such as automatic cookie scan, blocking of cookie scripts, location-based cookie notices, etc.


Implement cookie consent banner using WooCommerce Store Notice

Besides using a plugin, you could take advantage of the “WooCommerce Store Notice” feature to show cookie notification pop-ups to your website visitors, during their first visit.

Store Notice will let you add a site-wide cookie banner to your website. But remember, this feature allows you to add only a “notice only” cookie banner and it includes a ‘dismiss’ button to enable users to dismiss the notice after they see it.

However, you can use the “Store Notice” to inform visitors how they can disable the cookies from within their browser.

Note: “WooCommerce Store Notice” will not help you block any type of cookie that is set in a user’s browser without their consent.

To enable WooCommerce Store Notice:

Step 1: Log in to your WordPress dashboard > Go to Appearance in the left panel > Click Customize.


Step 2: Navigate to WooCommerce > Select Store Notice.
Step 3: Enter the required text in the given text box, as shown below > Check the Enable store notice option > Click Publish.


And this is how the WooCommerce Store Notice will be displayed on your website:


“Notice only” cookie banner created using WooCommerce Store Notice

6. Make your “My Account” page GDPR compliant

WooCommerce offers a “My Account” page, in which users can create their own accounts on your store.

To create a “My Account” page:

Step 1: Log in to your WordPress dashboard > Go to Pages in the left panel > Click on Add New.
Step 2: You could create a My Account page using the shortcode [woocommerce_my_account] > click Publish.


To enable users to create an account on the WooCommerce “My Account” page:

Step 1: From your WordPress dashboard, navigate to WooCommerce in the left panel > Click Settings.
Step 2: Switch to the Accounts & Privacy tab > Enable the Allow customers to create an account on the “My account” page option > Scroll down and click on the Save changes button.


Now, you need to make your “My account” registrations compliant with the GDPR, as you would need to handle the personal data of users during the registration process.

As you might know, WooCommerce does not offer default opt-in features at the registration level. So in order to add a privacy policy checkbox field to the user registration form, you would need to:

  • use an appropriate plugin; or
  • add a custom code snippet through the WordPress Theme Editor.

Add Privacy Policy checkbox for opt-in consent: Using a custom code snippet

By adding a “Privacy Policy” checkbox to the “My Account” registration form, you could receive explicit opt-in consent of users to use their personal data. So now, let’s check how to add this checkbox using a custom code snippet.

To add the custom code snippet through your WordPress Theme Editor:

Step 1: Log in to your WordPress dashboard > Navigate to Appearance in the left panel > Select Theme Editor.
Step 2: Select Theme Functions (functions.php) under Theme Files.
Step 3: Add the required code snippet to this functions.php file > Click Update File.

Note: Edits to a parent theme’s functions.php are overwritten when the theme is updated, so place the snippet in a child theme’s functions.php or in a small site-specific plugin instead.


Sample Code

    // Add a required Privacy Policy checkbox to the "My account" registration form.
    add_action( 'woocommerce_register_form', 'mystore_add_registration_privacy_policy', 12 );

    function mystore_add_registration_privacy_policy() {
        woocommerce_form_field( 'privacy_policy_reg', array(
            'type'        => 'checkbox',
            'class'       => array( 'form-row privacy' ),
            'label_class' => array( 'woocommerce-form__label woocommerce-form__label-for-checkbox checkbox' ),
            'input_class' => array( 'woocommerce-form__input woocommerce-form__input-checkbox input-checkbox' ),
            'required'    => true,
            'label'       => 'I\'ve read and accept the <a href="https://example/mystore/privacy-policy/">Privacy Policy</a>',
        ) );
    }

    // Show an error and block registration if the user does not tick the checkbox.
    // The checkout page has its own privacy notice, so the check is skipped there.
    add_filter( 'woocommerce_registration_errors', 'mystore_validate_privacy_registration', 10, 3 );

    function mystore_validate_privacy_registration( $errors, $username, $email ) {
        if ( ! is_checkout() && empty( $_POST['privacy_policy_reg'] ) ) {
            $errors->add( 'privacy_policy_reg_error', __( 'Privacy Policy consent is required!', 'woocommerce' ) );
        }
        return $errors;
    }

Now, have a look at how the “My account” registration form will be displayed on your website — before and after adding the above code snippet.


“My account” registration form — before adding the above code snippet to the functions.php file


“My account” registration form — after adding the above code snippet to the functions.php file

7. Export the personal data of users upon their request

Under the GDPR, the data subjects (individuals) have the right to access their personal data that your organization has obtained from them. And you must be able to provide them with the requested information within the specified time limits.

To export personal data:

Step 1: Log in to your WordPress dashboard > Navigate to Tools in the left panel > Select the Export Personal Data option.


Step 2: Enter the username or email address of the person who has requested to access their personal data > Click Send Request.

  • Now, an email will be sent to the concerned individual, asking them to confirm the export of their personal data. Meanwhile, the confirmation status will be marked as Pending, as shown below.
  • Once the user confirms, the status of the personal data export verification will be changed from Pending to Confirmed.


Step 3: After the status has changed to Confirmed, hover over the requester name or email address to click on Download Personal Data — this will enable you to download the data associated with that particular user.

Step 4: Now, click on the Email Data button under the Next Steps to send an email with the link to download their personal data.

8. Erase personal data upon request

The GDPR provides personal data erasure rights for individuals. So your customers can request you to erase their personal data whenever they want. Hence, you must be prepared to take the necessary steps to erase their data without undue delay.

To erase personal data:

Step 1: Log in to your WordPress dashboard > Navigate to Tools in the left panel > Select the Erase Personal Data option.

Step 2: Enter the username or email address of the person who has requested to erase their personal data > Click Send Request.

  • Now, an email will be sent to the concerned individual, asking them to confirm the erasure of their personal data.
  • Once the user confirms, the status of the personal data erasure request will change from Pending to Confirmed.


Step 3: After the status has changed to Confirmed, hover over the requester name or email address to click on Erase Personal Data — this will erase the data associated with that particular person.

Note: The above steps will not erase the personal data within orders. You need to take additional actions to remove them.

To erase personal data within orders:

Step 1: From your WordPress dashboard, go to WooCommerce > Settings.
Step 2: Switch to the Accounts & Privacy tab.
Step 3: Enable the following options in Account erasure requests (these options are disabled by default).

  • Remove personal data from orders on request — to remove the personal data within orders.
  • Remove access to downloads on request — to revoke access to downloadable files and clear the download logs.

Step 4: Scroll down and click Save changes.


To remove personal data in bulk:

Step 1: From your WordPress dashboard, navigate to WooCommerce > Settings.
Step 2: Switch to the Accounts & Privacy tab.
Step 3: Enable the Allow personal data to be removed in bulk from orders option in Personal data removal.
Step 4: Scroll down and click Save changes.


Step 5: Now, go to Orders under WooCommerce in the left panel > Select the required orders > Click Bulk Actions to expand the dropdown menu > Select the Remove personal data option.


Note: WordPress’ GDPR compliance tools “Export Personal Data” and “Erase Personal Data” export or delete only the personal data collected by plugins that participate in them. Older versions of the plugins you use might not have hooked into the ‘export’ and ‘erasure’ features. So before using these tools, ensure you update your plugins to their most recent versions.
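The following snippet is an added example, not code from the original article or from WooCommerce itself. It ties the registration checkbox from section 6 to the export and erasure tools described in sections 7 and 8: it records when a customer ticked the checkbox, and registers an exporter and an eraser so that record shows up in “Export Personal Data” and is removed by “Erase Personal Data”. It assumes the checkbox is posted as privacy_policy_reg (the field name in the article’s snippet); the mystore_ function names and the meta key are hypothetical.

```php
// Added example (not from the original article). Goes in a child theme's
// functions.php or a site-specific plugin. Assumes the registration checkbox
// from the article is posted as 'privacy_policy_reg'; meta key and function
// names are hypothetical.

// 1. Store proof of consent (UTC timestamp) as user meta when the account is created.
add_action( 'woocommerce_created_customer', 'mystore_record_privacy_consent' );
function mystore_record_privacy_consent( $customer_id ) {
    if ( ! empty( $_POST['privacy_policy_reg'] ) ) {
        update_user_meta( $customer_id, 'mystore_privacy_consent_at', current_time( 'mysql', true ) );
    }
}

// 2. Register an exporter so Tools > Export Personal Data includes the record.
add_filter( 'wp_privacy_personal_data_exporters', 'mystore_register_consent_exporter' );
function mystore_register_consent_exporter( $exporters ) {
    $exporters['mystore-consent'] = array(
        'exporter_friendly_name' => __( 'Privacy consent record', 'mystore' ),
        'callback'               => 'mystore_export_consent',
    );
    return $exporters;
}
function mystore_export_consent( $email_address, $page = 1 ) {
    $data = array();
    $user = get_user_by( 'email', $email_address );
    if ( $user ) {
        $consent_at = get_user_meta( $user->ID, 'mystore_privacy_consent_at', true );
        if ( $consent_at ) {
            $data[] = array(
                'group_id'    => 'mystore-consent',
                'group_label' => __( 'Privacy consent', 'mystore' ),
                'item_id'     => 'consent-' . $user->ID,
                'data'        => array(
                    array( 'name' => __( 'Consented at (UTC)', 'mystore' ), 'value' => $consent_at ),
                ),
            );
        }
    }
    // Everything fits in one page, so tell WordPress the export is complete.
    return array( 'data' => $data, 'done' => true );
}

// 3. Register an eraser so Tools > Erase Personal Data removes the record.
add_filter( 'wp_privacy_personal_data_erasers', 'mystore_register_consent_eraser' );
function mystore_register_consent_eraser( $erasers ) {
    $erasers['mystore-consent'] = array(
        'eraser_friendly_name' => __( 'Privacy consent record', 'mystore' ),
        'callback'             => 'mystore_erase_consent',
    );
    return $erasers;
}
function mystore_erase_consent( $email_address, $page = 1 ) {
    $removed = false;
    $user    = get_user_by( 'email', $email_address );
    if ( $user && get_user_meta( $user->ID, 'mystore_privacy_consent_at', true ) ) {
        $removed = (bool) delete_user_meta( $user->ID, 'mystore_privacy_consent_at' );
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

After adding it, the “Privacy consent record” group appears in the exported ZIP for a user who registered through the form, and an erasure request for that user removes the stored timestamp.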

9. Configure data retention settings

To help make your data retention policies compliant with the GDPR standards, WooCommerce has introduced a personal data retention settings feature. These settings allow you to specify how long you want to retain personal data that is no longer needed for order processing.

To configure personal data retention settings in WooCommerce:

Step 1: Log in to your WordPress dashboard > Go to WooCommerce in the left panel > Click Settings.
Step 2: Select the Accounts & Privacy tab > Scroll down to Personal data retention.
Step 3: Set the data retention period according to your preferences > Finally, click Save changes.


10. Customize your checkout page to make it GDPR compliant

WooCommerce has updated its checkout features to help make your checkout page comply with the GDPR standards.

Within the WooCommerce Customizer, you will find features to:

  • make the Company name field, Address line 2 field, and the Phone field in the checkout form ‘hidden’ or ‘optional’ — this helps you avoid collecting unnecessary data from users during the checkout stage; and
  • add a link to your Privacy Policy on your checkout page — if you have not yet added it from within the WooCommerce “Accounts & Privacy” settings.

To customize the appearance of the WooCommerce checkout:

Step 1: Log in to your WordPress dashboard > Navigate to Appearance in the left panel > Click Customize > Select WooCommerce > Checkout.
Step 2: Make any or all of the Company name field, Address line 2 field, and the Phone field either Hidden or Optional, according to your requirement.
Step 3: Click on the dropdown bar next to Privacy policy page > Select your Privacy Policy document from the dropdown list.
Step 4: In the text field under Privacy policy, optionally add some text about your organization’s privacy policy to show during the checkout phase — a clear, understandable text of your own is preferable to the default text.
Step 5: After making the configurations, click on the Publish button.


11. Get product reviews only from registered users

As you know, enabling customer reviews is a great way to boost sales in your store. But customer reviews usually contain the personal data of users, and you might store and use this data for various business activities.

Therefore, you need to get user consent before enabling the users to rate or review your products. You could receive reviews from the users who have registered with your store — make sure you obtain users’ consent prior to letting them register/sign up for your store.

WooCommerce offers a feature that enables only “verified owners” to leave reviews — the registered users of your store can be seen as the verified customers. This will help you ensure that your store does not contain reviews from people who have not yet consented to your organization’s data collection and processing.

To enable reviews only for verified users:

Step 1: Log in to your WordPress dashboard > Go to WooCommerce in the left panel > Click Settings.
Step 2: Select the Products tab > Under Reviews, check the Reviews can only be left by “verified owners” option > Click Save changes to save the settings.


12. Make all your forms GDPR compliant

Online retailers use various types of forms such as contact forms, customer feedback forms, newsletter sign-up forms, and many more. Usually, these forms obtain the personal information of users such as their name, email address, contact data, etc.

So if you’d want to create custom contact forms, ensure you make them compliant with the GDPR standards.

To make your forms GDPR compliant:

  • Inform users why their personal data is being collected.
  • Add Privacy Policy checkboxes to your forms so that users give their consent when they opt in.
  • Ensure the opt-in checkboxes on your forms are not checked by default.
  • Let the users request to access, change, modify, or delete their data.
  • Help the users understand how they can withdraw their consent, thereby opting out of receiving communications from you.
  • Send a copy of the completed form to the user (to whom the data belongs).

To take the hassle out of creating custom forms and making them compliant with the terms of the GDPR, you could use plugins. Mailchimp is a good plugin that enables you to implement GDPR-compliant forms on your WooCommerce store.

Note: If you have users opted in to any of your forms before the GDPR implementation, you are now required to obtain explicit consent from them before continuing to use their personal data.

13. Use only the plugins that adhere to the GDPR

Plugins play a major role in enhancing the features and functionality of your WooCommerce website. Knowing their uses and benefits, you would never want to run your store without plugins.

However, you shouldn’t disregard the fact that the excessive use of plugins can harm your store in different ways.

There exist tens of thousands of WordPress and WooCommerce plugins that serve a wide variety of purposes. And some plugins collect the personal data of users.

So you need to be careful when choosing one — you could do a plugin audit to find out whether the plugins that you use currently or the ones that you’d want to use have taken steps to comply with the GDPR.

If they have not, stop using the plugin and uninstall it — otherwise, it can put the personal data of individuals at serious risk of a breach.

To check whether a plugin operates in line with the GDPR:

  • Update the plugin and check whether its latest version lets you use it in compliance with the GDPR.
  • You could refer to the changelog of the plugin to find any relevant information about making its services GDPR compliant.
  • Examine the plugin’s website resources to determine whether the plugin is GDPR-ready.

When using the plugins that have taken steps to comply with the terms of the GDPR:

  • Analyse the GDPR guidelines specified by the plugin and make sure you use it in adherence to the GDPR.
  • Find out all of your plugins that handle the personal data of users and list them out in your Privacy Policy.

MailChimp, MonsterInsights, GDPR Cookie Consent, OptinMonster, WP GDPR Compliance, etc. are some WordPress/WooCommerce plugins that have prepared their services for GDPR compliance.

14. Implement a data breach response plan for your WooCommerce store

As a responsible store owner, you need to address the growing concerns about data breaches and take the necessary precautions against them.

The GDPR requires you to inform your website users about what processes or procedures you employ in order to deal with the potential data breaches.

You could create a robust data breach response plan for your organization — this will make users more confident while sharing their data with you.

Final remarks

While preparing your WooCommerce store for GDPR compliance, you need to pay attention to a lot of key factors, like those described above. If your store handles EU-based customer data, then you are obliged to comply with the GDPR. By adhering to the terms of GDPR, you could ensure the security and privacy of your consumers’ online data. This will make them feel valued, and as a general rule of thumb, they would keep coming back to your store for more. Therefore, seeing GDPR compliance as a part of your business will markedly increase your chances of success.

Disclaimer: This article is intended to be used for informational purposes only and does not constitute any form of legal advice. We recommend you seek a subject matter expert or your own attorney for any legal advice on making your WooCommerce store fully compliant with the GDPR.