Making Your WooCommerce Website GDPR Compliant

If you run a WooCommerce store, making it GDPR compliant is essential if you want to keep doing business. GDPR stands for General Data Protection Regulation, a regulation adopted by the EU.

After a string of controversies and scandals, the public is more concerned about data safety and security than ever before. GDPR is a step towards protecting user privacy and security, which have been left exposed for far too long.

So, like it or not, GDPR is here to stay, and you need to play by its rules unless you are prepared to lose your European visitors.

The regulation applies from 25 May 2018, and it is better to make your website GDPR compliant before that date. The EU has given website owners enough time to adapt to the new rules.

The team behind WooCommerce has also added new features in WooCommerce 3.4 to help store owners comply with GDPR.

You need to understand what the GDPR requirements are and how your WooCommerce website can meet them. Many site owners fear losing the charm and flexibility of their site under the new regulation, but it is unlikely that GDPR will break your website.

In this article I want to clear up some of the confusion, so that you understand what WooCommerce GDPR compliance really looks like and how you can adapt to the new regulation.

Why Do You Need This

As I said, like it or not, you have to make your WooCommerce website GDPR compliant to keep doing business with EU customers.

No one is going to hold a gun to your head and tell you to comply. But GDPR exists to protect users' data, and a single visitor complaint can be enough to trigger an investigation or legal action against you.

Most site owners already understand this and are bringing their websites into compliance. If you are not, you are falling behind.

On top of that, I believe this is only the first step towards more regulation.

Data protection and data security have become serious issues over the last few years, and even tech giants such as Google, Apple and Facebook have been heavily criticised for their weak policies on protecting user data.

It is high time to prepare your site for further, stricter regulation.

How is GDPR Relevant to Business?

You might find it odd that your website needs to care about user data protection when it is not a social network. But every site that asks users for information has data to protect.

For example, you might require people to open an account on your website to make purchases. When opening those accounts, people are asked for their names, email addresses, home addresses, credit card numbers and other information. There is nothing wrong with that; we all do it for verification. The key is protecting that information (card numbers in particular should be handled by your payment gateway and never stored on the site itself).

There are many other ways a WordPress website collects user data. Many plugins require user information; forms, comments, feedback, contact forms, security plugins and other features may all need user data to work correctly.

After the recent scandals, users no longer feel safe sharing data with any website, WooCommerce stores included. So if your site is not GDPR compliant, your business may also suffer reputational damage.

What Needs to Be Done?

To make sure your website meets GDPR requirements, you may need to make quite a few changes. You are probably already doing some of them, but a re-check won't hurt.

Define Terms and Conditions Properly

Many people confuse terms and conditions with the privacy policy. They are not the same thing. The privacy policy tells users how their data will be used; the terms and conditions set out the legal rules users agree to when using your services.

Under GDPR your privacy policy will certainly need updating, but the terms and conditions should not be forgotten either.

You can do two things here.

First, keep a separate page defining the terms and conditions of use. Many website owners already do this.

Second, link to the terms and conditions when the user opens an account. This is usually done with a checkbox that records whether the user agrees to the terms, with the link to your terms page placed next to that checkbox.

To do this in WooCommerce, go to WooCommerce > Settings > Checkout > Terms and Conditions > Select a Page.

Up to Date Privacy Policy

It's no secret that websites do business with the information their users give them. For example, you might show someone advertisements based on interests inferred from their data, or show them featured products based on the product pages they have already visited.

This may look harmless, but some people will object if you do it without telling them. You need to state why you collect information from users and tell them. Also tell them how long you keep that information.

This lets users make an informed choice. All of this belongs in the privacy policy.

If your website still runs on an ages-old privacy policy, change it now. GDPR has specific requirements for privacy policies: what information you may ask for, how you must ask for consent, and other points that now have to be covered. Go through those rules and update your privacy policy accordingly.

Tell users how you process their data, and name the third parties that have access to it.

When a user opens an account, point them to the privacy policy and obtain their consent. Wherever a user has to enter information, ask permission first: add checkboxes or fields asking whether the user agrees to the way their data will be used after collection.

Only Collect Necessary Information on User Registration

The WooCommerce “My account” page has a registration form with username and password fields. You can enable it from the WooCommerce settings (see the path below). This is the basic registration form your users see when they visit your website.

WordPress Dashboard > WooCommerce > Settings > Accounts > Enable customer registration on the “My account” page.

Here, make sure you add the privacy policy checkbox to the front-end form. The design of this registration form matters too: ask only for information that is relevant to your business.

If you collect unnecessary information and it is stolen in a data breach, you will face a massive backlash from your users.

There is no need to collect information now because you think it might be useful in the future. Collect information only when you actually need it.

You can use the data retention settings in WooCommerce to define how long you keep data that is no longer needed for order processing.

Give User Flexibility

You cannot tie your users' hands by making them agree to all of your site's policies at once, in an all-or-nothing choice.

A user may agree with most of your privacy policy but not all of it. Be prepared for that.

Create separate fields for separate purposes and give the user options. If the user does not consent to one part of the policy, respect that. Forcing users to accept everything goes against GDPR.

WooCommerce 3.4 hooks into the WordPress personal data export tools, so a customer can be sent an export file containing the following data:

  • Customer address/account information
  • Orders associated with the given email address
  • Download permissions and logs related to the provided email address

They can also ask you to delete the data you hold about them, so plan for such requests.
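As an added example (not WooCommerce core code, and not from the original article), here is how a store can make its own consent records part of the WordPress personal data export and erasure that WooCommerce 3.4 plugs into, so that an export or deletion request covers them as well as the order data WooCommerce already handles. It assumes consent is stored as user meta under the illustrative keys listed in the block; the text domain and group names are made up for the example.

```php
<?php
/**
 * Added example, not WooCommerce core code: register an exporter and an
 * eraser with the WordPress privacy tools (WordPress 4.9.6+) for the consent
 * records a store keeps about a customer.
 *
 * Assumption (illustrative, not from the article): consent is stored as user
 * meta under the keys below.
 */

function gdpr_ex_consent_keys() {
    return array(
        'gdpr_ex_privacy_ack_version' => 'Privacy policy version accepted',
        'gdpr_ex_privacy_ack_at'      => 'Privacy policy accepted at (UTC)',
        'gdpr_ex_marketing'           => 'Marketing emails consented',
        'gdpr_ex_marketing_at'        => 'Marketing consent last changed (UTC)',
    );
}

// Exporter: WordPress calls this with the requester's (verified) email address
// and expects a list of data groups plus a 'done' flag for paging.
function gdpr_ex_export_consent( $email_address, $page = 1 ) {
    $items = array();
    $user  = get_user_by( 'email', $email_address );
    if ( $user ) {
        $data = array();
        foreach ( gdpr_ex_consent_keys() as $key => $label ) {
            $value = get_user_meta( $user->ID, $key, true );
            if ( '' !== $value ) {
                $data[] = array( 'name' => $label, 'value' => $value );
            }
        }
        if ( $data ) {
            $items[] = array(
                'group_id'    => 'gdpr-ex-consent',
                'group_label' => __( 'Consent records', 'gdpr-ex' ),
                'item_id'     => 'consent-' . $user->ID,
                'data'        => $data,
            );
        }
    }
    return array( 'data' => $items, 'done' => true );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['gdpr-ex'] = array(
        'exporter_friendly_name' => __( 'Store consent records', 'gdpr-ex' ),
        'callback'               => 'gdpr_ex_export_consent',
    );
    return $exporters;
} );

// Eraser: remove the same records and report what happened, so the admin
// sees it in the request log. Nothing is retained here, but if you had to
// keep something (e.g. for a legal obligation) you would set
// 'items_retained' => true and explain why in 'messages'.
function gdpr_ex_erase_consent( $email_address, $page = 1 ) {
    $removed = false;
    $user    = get_user_by( 'email', $email_address );
    if ( $user ) {
        foreach ( array_keys( gdpr_ex_consent_keys() ) as $key ) {
            if ( delete_user_meta( $user->ID, $key ) ) {
                $removed = true;
            }
        }
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['gdpr-ex'] = array(
        'eraser_friendly_name' => __( 'Store consent records', 'gdpr-ex' ),
        'callback'             => 'gdpr_ex_erase_consent',
    );
    return $erasers;
} );
```

WooCommerce registers its own exporters and erasers for customer and order data; this block only adds the store's extra consent meta, so both show up together under Tools > Export Personal Data and Tools > Erase Personal Data.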

Beware of Cart Abandonment

If you use cart abandonment plugins, you may find yourself in trouble. These plugins capture the customer's email address as soon as it is typed into the checkout, before any consent has been given. As discussed above, that is against GDPR.

They also give users no chance to read the terms and conditions or privacy policy first.

Most developers of such plugins are reportedly already working on making them GDPR compliant. In the meantime there are things you can do to mitigate the problem.

Simply adding a consent checkbox with a privacy policy link below the billing email field may be enough, as long as the email address is not captured until the box is ticked.

If that does not suit you, a multi-step checkout is another option, but you may lose some sales to the more complicated procedure.

Take Reviews From Registered User

To avoid complicated consent issues around user reviews, allow only registered, verified users to post reviews on your site.

I understand this may mean fewer reviews on your site. But to play by GDPR rules, that is a trade-off you have to accept.

If only registered users can review, no extra steps are needed, since they have already consented to your terms and conditions and privacy policy. Just make sure user reviews are mentioned in those documents.

Audit Contact Forms

Contact forms are a necessity on any business website: customers will have questions about your products or services.

But contact forms also ask users for information. Keep that flexible. If users do not want to reveal their identity when contacting you, respect that and offer a way to send you messages anonymously.

Also include privacy policy and terms and conditions checkboxes in these forms.

Give User Option for Withdrawing Consent

For years the usual practice among website owners was to ask the user for permission when they opened an account and then forget about it entirely. This led to the belief that agreeing to a website's policies once meant consenting to them for life.

That is not true.

A user may browse a website, dislike what they find and decide to withdraw consent. You need to give users a way to withdraw consent to your privacy policy, in other words to the way you use their information.

Opt-in and opt-out forms provide that flexibility.
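As an added example (not WooCommerce's own code, and not from the original article), here is how the granular consent described under “Give User Flexibility” and the withdrawal option described above can be implemented on the WooCommerce registration and account forms: one unticked box per purpose, a timestamped record of what was agreed to, and a place to opt out later. It assumes a small plugin or the theme's functions.php; the meta keys, field names, text domain and policy version string are illustrative.

```php
<?php
/**
 * Added example, not WooCommerce core code: two separate, unticked consent
 * boxes on the "My account" registration form, a record of what was agreed
 * to and when, and a way to withdraw marketing consent from "Account details".
 *
 * Assumptions (illustrative, not from the article): the meta keys, field
 * names, text domain and policy version string are made up for the example.
 */

define( 'GDPR_EX_POLICY_VERSION', '2018-05-25' ); // bump when the policy text changes

// 1. Separate boxes for separate purposes, both unticked by default.
add_action( 'woocommerce_register_form', function () {
    $url = get_privacy_policy_url(); // WordPress 4.9.6+; empty if no policy page is set
    ?>
    <p class="form-row">
        <label>
            <input type="checkbox" name="gdpr_ex_privacy_ack" value="1" />
            <?php printf(
                /* translators: %s: link to the privacy policy */
                esc_html__( 'I have read the %s.', 'gdpr-ex' ),
                '<a href="' . esc_url( $url ) . '" target="_blank" rel="noopener">' . esc_html__( 'privacy policy', 'gdpr-ex' ) . '</a>'
            ); ?>
        </label>
    </p>
    <p class="form-row">
        <label>
            <input type="checkbox" name="gdpr_ex_marketing" value="1" />
            <?php esc_html_e( 'Email me about offers and new products (optional; you can opt out at any time).', 'gdpr-ex' ); ?>
        </label>
    </p>
    <?php
} );

// 2. Only the privacy acknowledgement is required. Declining marketing must not
//    block registration, otherwise the consent is not freely given.
//    WooCommerce has already verified its registration nonce when this runs.
add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    if ( empty( $_POST['gdpr_ex_privacy_ack'] ) ) {
        $errors->add( 'gdpr_ex_privacy_ack', __( 'Please confirm that you have read the privacy policy.', 'gdpr-ex' ) );
    }
}, 10, 3 );

// 3. Store each consent on its own, with the policy version and a UTC timestamp,
//    so you can show what the customer agreed to and when. A missing box
//    (e.g. an account created during checkout) is recorded as "no", never "yes".
add_action( 'woocommerce_created_customer', function ( $customer_id ) {
    $now = current_time( 'mysql', true );
    update_user_meta( $customer_id, 'gdpr_ex_privacy_ack_version', GDPR_EX_POLICY_VERSION );
    update_user_meta( $customer_id, 'gdpr_ex_privacy_ack_at', $now );
    update_user_meta( $customer_id, 'gdpr_ex_marketing', empty( $_POST['gdpr_ex_marketing'] ) ? 'no' : 'yes' );
    update_user_meta( $customer_id, 'gdpr_ex_marketing_at', $now );
} );

// 4. Withdrawing must be as easy as giving: expose the marketing flag on
//    "My account > Account details" and log every change.
add_action( 'woocommerce_edit_account_form', function () {
    $current = get_user_meta( get_current_user_id(), 'gdpr_ex_marketing', true );
    ?>
    <p class="form-row">
        <label>
            <input type="checkbox" name="gdpr_ex_marketing" value="1" <?php checked( 'yes', $current ); ?> />
            <?php esc_html_e( 'Email me about offers and new products.', 'gdpr-ex' ); ?>
        </label>
    </p>
    <?php
} );

add_action( 'woocommerce_save_account_details', function ( $user_id ) {
    $new = empty( $_POST['gdpr_ex_marketing'] ) ? 'no' : 'yes';
    if ( $new !== get_user_meta( $user_id, 'gdpr_ex_marketing', true ) ) {
        update_user_meta( $user_id, 'gdpr_ex_marketing', $new );
        update_user_meta( $user_id, 'gdpr_ex_marketing_at', current_time( 'mysql', true ) );
    }
} );

// 5. The one check every mailer (newsletter, abandoned-cart reminder) should make
//    before sending anything that is not a transactional order email.
function gdpr_ex_may_email_customer( $user_id ) {
    return 'yes' === get_user_meta( $user_id, 'gdpr_ex_marketing', true );
}
```

If your account forms come from a different plugin the hook names differ, but the pattern is the same: unticked boxes, one purpose per box, a timestamped record of each answer, and withdrawal offered in the same place the consent was given.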

Notify The User About Data Breaches

This is crucial. Even the best-secured websites can suffer data breaches. Very often, when this happens, website owners are too afraid to tell their users.

They fear reputational damage and losing users. But under GDPR, users have a right to be told about a breach that may expose their personal information.

The rules are stricter than many assume: a breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and the affected users must be told without undue delay when the breach is likely to put them at high risk. Plugins exist that help you send such notices quickly, but you should also have a written incident response procedure covering how you detect, contain and communicate breaches.

State in advance how users will be informed and helped in the event of a breach, and make that clear to them beforehand, so they know what steps the website will take.

Get Tricky with Opt-in Forms

Forms that collect names and email addresses from users for marketing purposes are known as opt-in forms. Many marketers used to force users through them to make their campaigns more effective.

GDPR does not allow that. To market to users this way, you have to obtain their consent.

Remove every form of automatic opt-in, including pre-ticked boxes.

And in those opt-in forms, state how the user's name and email address will be used for marketing.

Use GDPR Compliant Analytics Software

Analytics software and plugins can be problematic for user privacy. Google Analytics, for example, may collect data about your site's users and set cookies against their wishes.

To avoid complications, check the provider's GDPR policy, since they are the party collecting the information. Google Analytics has already made some changes.

You can now set how long data is retained on their servers; when that period ends the data is deleted automatically.

You can also delete the data held about an individual user in Google Analytics on request. Data processing terms are being updated as well. Use reliable analytics tools.

Become Aware of Application Programming Interface

An API (application programming interface) is the code through which your website talks to external software. In essence, an API moves data between systems.

There are different kinds of APIs for different purposes. But because they transfer data, GDPR applies to them as well. Use only APIs and services that are GDPR compliant and built by reputable developers, and treat every external service you send personal data to as a data processor.

And don't forget to list those APIs and services in your site's privacy policy.

If you have come this far, you are ready to follow the steps above and make your WooCommerce website GDPR compliant, avoiding legal trouble that would hurt your store in both the short and the long term.

We are offering a free checklist so you can work through compliance efficiently.
