GDPR Compliance for WooCommerce

On 25th May, 2018, Europe’s General Data Protection Regulation (GDPR) becomes law across all EU countries (and yes, despite Brexit that does include the UK for the foreseeable future!)

If you’re running a WordPress ecommerce website using WooCommerce, you might be wondering what you’ll need to do to make yourself compliant; after all, ecommerce involves a lot of personal data (name, address and phone number being just the tip of the iceberg for most WordPress ecommerce sites).

Disclaimer: None of the below should be taken as legal advice or acted on with the expectation that it will guarantee compliance. It has not been written by a solicitor or legal professional.

Remove any pre-checked tick boxes or default opt-ins

GDPR calls for specific, verifiable and dated opt-ins to any data processing or collection beyond what’s necessary to complete a contract. So, if you’re using the customer’s name, address and phone number just to send them goods, chances are you’re OK. The problem comes in if you do any of the following:

  • Add the customer’s email address to your mailing list (e.g. into your MailChimp or Campaign Monitor account)
  • Send out automated cart abandonment emails (emails that go out to customers who don’t complete a transaction in a given timeframe, usually with an offer or just to remind them that their cart is still active)
  • Send text message updates or marketing messages to the customer using their phone number

To be clear, all of the above can still be done after GDPR, but only with the customer’s opt-in consent. That means a tick box, unticked by default, with a clear and specific message about how you’ll be using that data.
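One way to put that into practice on a WooCommerce checkout, as an added example that is not from the original post or from WooCommerce itself: an unticked, optional marketing checkbox whose wording, ticked/unticked state and timestamp are written to the order, so the opt-in is specific, verifiable and dated. The field key, meta keys, consent wording and the `example_order_has_marketing_consent()` helper are all constructed names for this illustration; the hooks and functions used are WooCommerce’s own.

```php
<?php
/*
 * Plugin Name: Example GDPR marketing opt-in (constructed example)
 * Adds an unticked marketing consent checkbox to the WooCommerce checkout
 * and records the wording shown, a yes/no flag and a timestamp on the order.
 */

// Constructed consent wording; say exactly what you will do with the address.
const EXAMPLE_GDPR_CONSENT_TEXT = 'Yes, email me occasional offers from Example Shop. You can unsubscribe at any time.';

// Render the checkbox just before the "Place order" button. It is unticked
// by default and not required, so leaving it unticked never blocks checkout.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field( 'example_marketing_optin', array(
        'type'     => 'checkbox',
        'class'    => array( 'form-row-wide' ),
        'label'    => esc_html( EXAMPLE_GDPR_CONSENT_TEXT ),
        'required' => false,
        'default'  => 0, // never pre-checked
    ) );
} );

// Store the decision on the order: the exact wording the customer saw, whether
// the box was ticked, and when. Record "no" as well as "yes" so the decision
// is auditable either way. Browsers omit unticked checkboxes from the POST,
// so absence of the field means "not ticked".
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    $ticked = ! empty( $_POST['example_marketing_optin'] );
    $order->update_meta_data( '_example_marketing_optin', $ticked ? 'yes' : 'no' );
    $order->update_meta_data( '_example_marketing_optin_text', EXAMPLE_GDPR_CONSENT_TEXT );
    $order->update_meta_data( '_example_marketing_optin_at', gmdate( 'c' ) ); // ISO 8601, UTC
}, 10, 2 );

// Gate for any mailing-list or cart-reminder integration (constructed helper):
// only hand the email address on when explicit consent is on record.
function example_order_has_marketing_consent( WC_Order $order ) {
    return 'yes' === $order->get_meta( '_example_marketing_optin' );
}
```

Because consent is stored per order alongside the wording shown, a later access request can return exactly what the customer agreed to and when.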

Data access requests and data portability

In a post-GDPR world, any of your ecommerce customers can make a data access request, and you should be able to supply their data in a format they can take with them. That means that any data you hold on that person must be “provided without delay and at the latest within one month of receipt.” A tough ask, you might say, given that the person’s data may well be spread across all sorts of screens in the back end of your WordPress WooCommerce shop.

The good news is that WordPress is working on making access requests straightforward. If the proposed changes go ahead, there will be a new area for access requests, and at the click of a button a WordPress administrator (who should be your nominated data controller, by the way!) can make all the data you hold on that customer available to them.

However, whilst that process will almost certainly apply to WordPress and WooCommerce (the WooCommerce team are heavily involved in the next release of WordPress, building this bit into the core), it’s unclear at the moment whether it’ll apply to data collected by other plugins (for example, when it comes to your GDPR compliance with Gravity Forms). You might need a helping technical hand here.

Making your existing data GDPR-Compliant

So, what if you’ve been running your ecommerce store for a while? Well, you’ve got some options:

  1. You initially collected the data to perform a contract (like processing a payment and delivering goods to a customer): purge any information that’s not necessary for that purpose and then leave the rest (so strip phone numbers out of your orders). If you just process orders from the back end of WooCommerce in WordPress and do no further marketing, this is probably for you. A WordPress support company can probably do this for you relatively quickly and with less manual work.
  2. You initially collected the data from an order, then populated a MailChimp list with customer emails. You’ll need to re-permission your MailChimp list and delete any records of customers who haven’t confirmed they’re happy for you to keep emailing them past 25th May.
  3. You don’t need the customer data anymore. Delete it all after putting your new GDPR-compliant changes in place and start afresh. This sounds drastic, but it does mean that you can immediately demonstrate compliance.

So, what do I need to do?

  • Put a Privacy Policy in place, linked in your site’s footer (it just needs to tell people what data you’ll collect and how you’ll use it; it should be clear and easy to understand, so no legalese!)
  • Anywhere your site collects data (contact forms, checkout, “give us your email for 10% OFF!” pop-ups) needs to be accompanied by a statement or, even better, a checkbox that tells the user what you’re going to do with their data
  • In addition to the above, if the data isn’t explicitly required for the completion of the transaction, you’ll need to gain their explicit consent to have it (again, checkboxes!)
  • Update WordPress and keep it updated. This will allow you to comply more easily with data requirements under GDPR and might also be required to demonstrate compliance. You can do this yourself, but getting a WordPress support agency might make it easier to comply and save you a lot of time and money in the long run.
  • Finally, audit all the data you do hold and decide what to do with it. The easiest route to compliance is to not have any! If you do need to keep it, ask yourself whether it’s truly necessary and if so, which bits you could get rid of.