Achieve GDPR Compliance for WooCommerce in 5 Steps

If you own an eCommerce store, you’ve probably heard of GDPR. However, you may not be fully conversant with GDPR law and have a lot of questions in your mind. Our goal with this article is to address all your GDPR concerns for your WooCommerce website and help you ensure GDPR compliance for your business.

GDPR in a nutshell

The General Data Protection Regulation ¹ is said to be the toughest privacy and security law, which is passed by the European Union to protect the privacy of users. The regulation came into effect on May 25, 2018. GDPR imposes heavy fines for those who violate its privacy and security requirements.

There are seven principles to be followed under GDPR:

1. Lawfulness, Fairness, and Transparency
2. Purpose limitations
3. Data Minimization
4. Data Accuracy
5. Data Storage Limits
6. Integrity and Confidentiality
7. Accountability

The GDPR defines a person about whom a controller holds personal data and can be identified, directly or indirectly, by reference to that personal data is known as a data subject.

The GDPR outlines eight rights for data subjects.

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision-making and profiling.

To whom does GDPR matter?

GDPR applies to users from the EU region. Even if you are not from the EU, if you are selling your products internationally, especially in the EU region, your website should comply with GDPR. It is recommended that you follow the GDPR guidelines, such as keeping an activity log  on your WordPress website to meet compliance requirements, so that your website appears trustworthy and credible.

5 Steps to Achieve GDPR compliance for WooCommerce.

You can achieve GDPR compliance for your WooCommerce store in just 5 steps.

1. Obtain explicit consent from the users
2. Allow users to export or erase personal data.
3. Create a Privacy Policy.
4. Create a cookie consent banner.
5. Inform when there’s a data breach occurred.

Step 1: Obtain explicit consent from the users

You should obtain explicit consent from the users for collecting or storing their personal data.
In a WooCommerce store, there are different ways in which personal data can be collected from a user.

Personal data includes:

1. Account registration data (name, email, mobile number, etc.)
2. User profile data (comments, reviews, and preferences)
3. Contact forms and opt-in marketing emails.
4. Checkout data ( payment details, billing address, card details, etc)

You can use checkboxes to obtain consent from the users. This consent shouldn’t be obtained by force. Also, allow them to give partial consent.

To enable the checkbox for obtaining consent for comments.
Navigate to Settings > Discussion in your WordPress dashboard.

In the ‘Other comment settings’ enable the ‘Show comments cookies opt-in checkbox, allowing comment author cookies to be set’ checkbox.

Click Save Changes.

Step 2: Give the option to export or erase personal data.

It is clearly mentioned in the eight rights of GDPR that a data subject has the right to access and the right to erasure. Allow users to download the personal data stored, also give them the option to be removed from the database. The best thing you can do here is not to store the user data. If you don’t need them, don’t store ‘em.

To send the personal data to the users on request:
Go to Tools > Export Personal Data.
Enter the user name or email id and wait for them to confirm the request.

After they confirm the request, click on Email Data.

To delete the user data automatically.

Go to WooCommerce > Settings > Accounts and Privacy.
Navigate to the ‘Account erasure requests’.
Enable ‘Remove personal data from orders on request’ and ‘Remove access to downloads on request’ checkboxes.

Scroll down to ‘Personal data retention’ settings.
You can set the retention period for personal data stored on the website. If left blank, the data will be retained forever.

Click Save Changes.

Step 3: Create a Privacy Policy Page

You must have a well-detailed privacy policy on your website. Your Privacy Policy page is more than just a legal disclosure of your practices for protecting personal information – it also helps to demonstrate to your visitors that you can be trusted.

You can use the default privacy policy template available in WordPress and edit/modify it accordingly or you can create a new page for Privacy Policy.

To create a new privacy policy page:
Go to Settings > Privacy from your WordPress dashboard.

Create a new privacy policy or add an existing page as your privacy policy page.

While creating a privacy policy, you should include the following details:

• Who are you?
• What data do you collect?
• Why do you collect the data?
• How long do you retain the data?
• Who else has access to the data?

Also, it is recommended that you add the cookie policy on your privacy policy page.

Click Publish or Update to save the page.

Step 4: Create a Cookie Consent Banner

Simply adding a cookie policy to your privacy policy page won’t give you cookie compliance for GDPR. You should have a proper cookie disclosure banner on your website. There are many plugins for creating a cookie consent banner for your WordPress site, but we find CookieYes GDPR Cookie Consent to be the most useful.

You can download the free version from the WordPress plugin directory.

Open your WordPress dashboard
Go to Plugins > Add New.
Search for GDPR Cookie compliance.

Install and Activate the plugin.

Now go to GDPR Cookie Consent > Settings.
Enable the cookie banner and select the type of law you want to comply with.

Click on Update Settings to save the settings.
This will add a cookie banner to your website.

You can try and explore various customization options available with the plugin. The plugin also lets you create a privacy policy using the privacy policy generator.

Step 5: Inform when there’s a data breach occurred

Under GDPR, users have the right to know when there’s a data breach occurred on your website. They had given their personal information on trust. To keep that trust you must inform them when there’s a data breach occurred, what data have been breached, and what steps have you taken to prevent it. Also, let them know if there’s any update regarding your privacy policy.

You can use this plugin to notify users when a data breach has occurred or when your privacy policy has been updated.

Summing Up:

The smallest negligence can cost you millions of euros in fines. As such, be aware of GDPR and ensure you have taken the appropriate steps to comply with GDPR guidelines.

We hope this article had helped you learn more about GDPR and ways to achieve GDPR compliance for your WooCommerce store.

Disclaimer
This article is not legal advice. Website owners should take this article for informational purposes and take professional legal advice if needed.

Footnotes

1. https://gdpr.eu/what-is-gdpr/[↩]